Note: The article below was published in Computerworld Philippines July 2009 issue (print edition, Web Security Lifeline, page 55). I got permission from ComputerworldPH to republish it in my personal blog recently.
Effective Security Practices in the Workplace: Keeping Your Business Safe
By Menard Oseña
When it comes to information security, the human element is still the weakest link. More than a strong network infrastructure in an organization or strong antivirus protection at home, what’s important is an informed and conscious user.
Companies and individuals are increasingly being threatened by cyber security problems as they grow more dependent on technology. According to the UK government’s Information Security Breaches Survey 2008, 96% of companies with over 500 employees suffered a security incident in the previous year.
In 2008 alone, the Internet Crime Complaint Center received a total of 275,284 complaints, a 33.1% increase over the previous year. The total dollar loss linked to online fraud was $265 million, about $25 million more than in 2007. The average individual loss amounted to $931.
Cybercriminals know just how to exploit human vulnerability to their advantage. Here is what you, as a computer user, may be doing to put your information at risk, and what you can do to mitigate attacks:
Failing to implement the principle of least privilege
The principle of least privilege is an information security tenet that requires every module to access only the information and resources that are specifically necessary to its legitimate purpose. In practice, it requires that each user be granted only the most restrictive set of access rights, on a need-to-use basis, for the performance of authorized tasks. This limits the damage done in the event of accidental, erroneous or unauthorized use.
Overlooking the basics
- Passwords – A weak password can be easily cracked within hours by a cybercriminal or even a free, downloadable application. Create strong passwords, which have six to eight characters, use both upper and lowercase letters, and always include at least one numeral and one special character.
- Use of digital certificates for transmission of data
- Installation and updates of antivirus and antispyware software
- Improving and maintaining site security and credibility
Being lenient with the use of portable devices
Removable and physical drives are the fourth highest source of infection globally. Both NASA and the U.S. Department of Defense have banned external storage drives as well as mobile media devices. According to reports, this was put in place after officials detected virus threats in their network systems late last year. USB sticks and mobile gadgets can be used by employees to copy classified data to or from the network.
Being on social networking sites during work hours
Social networking sites do not just eat a chunk of your employees’ productivity and time. They can also be vectors for malicious attacks. Exercise best judgment: Trend Micro has tracked several malware attacks that started within these so-called trusted portals.
Not keeping backups of your files
In the event of data theft or loss, damage can be mitigated if backup procedures are performed regularly.
Glen Kosaka, director of DLP (data leak prevention) products at Trend Micro, lists five ways to raise security awareness and gain employee support for initiatives:
- Make data security part of the company culture
Protecting sensitive information should not be the sole responsibility of the security and executive teams. Employees and managers alike are responsible not only for their own use of sensitive data but also for watching over others to ensure that everyone is observing these policies.
- Integrate data leak prevention processes into overall workflow
Many companies have lost control over their sensitive data because the identification, access to, and movement of sensitive data is not integrated into their overall processes. In addition, the introduction of new mobile devices or remote development sites can introduce new threat vectors for data leaks.
- Make employees feel like security assets, not liabilities
If employees can feel as vigilant about protecting their company data as they do about meeting other business objectives, they become an extremely valuable asset to their company’s data security programs. Training and awareness programs around the costs of various types of breaches and what they can do to prevent breaches will sensitize employees to the challenges faced.
- Prevent the temptation to engage in “harmless” policy violations
These include sharing contact lists with friends at other companies, “backing up” sensitive data to home systems or unauthorized storage devices, and copying intellectual property to USB thumb drives to transport it to a remote development site. All of these violations, while they may seem harmless to the employees who commit them, can lead to costly breaches.
- Teach employees about policies while enforcing them
Employees should be educated about the company policies, ideally at the “point of use” or “point of violation.” Raising employee awareness of data protection policies, especially at the “point of use,” can reduce or even eliminate the large percentage of breaches which occur accidentally and unintentionally.
Thanks also to Ms. Deb of ComputerWorldPH/MediaG8way for the permission to repost at menardconnect.com.