I was asked the question recently, “Mike, based on your 40+ years of experience in technology, as a business manager, what are the common technology security issues that I should be concerned about?”
Well, I am not going to dive into the architecture of data centers, computing platform data leakage, and perimeter defense strategies, but as a business manager I suggested the following security risks that are all too commonly found (and exploited) through poor policies:
No policy on password resets.
If you allow passwords to remain unchanged for more than 90 days you are setting yourself up for a breach. Sure, it is a pain for your company, and it may seem even more of a pain for your customers who need passwords to access the services you provide. But those very customers are the easiest source of a breach. Would you rather explain security, or explain the details of a data breach that allowed every lease and background check report to be downloaded? Robust password structure, a ban on re-use, and screening new passwords against known breached-password lists are good starting points; length and uniqueness do more to stop an attacker than frequent forced changes alone.
A password of fewer than 12 characters begs for cracking. "Remember Me" means exactly that: the computer remembers the session, not the person, so anyone who sits down at an unattended, unlocked machine is in within a minute. Look around the leasing office and see how many passwords you can find written down. Start with the sticky notes, because they are a dead giveaway.
Unsanctioned file shares.
If you allow staff to use "freemium" file shares you have lost control. Letting staff store company or resident-related documents on a file storage service of their choosing is just crazy. Once a document is sent offsite under their control, you have set your company up for problems and risks: you have no ability to audit access, no control over who can access it, no control over re-distribution of the document, and when they leave they take the documents with them. It is their password, not yours.
Bring Your Own Device (BYOD) permitted.
This is Nightmare City. The wild, wild west. Managing the access and use of personal devices may seem enlightened, but the risks are truly great. What gets put on that personal device? What access codes are stored on it? Who else in the family can play with it? Oops, where is it? Wow, look at all those emails and email addresses! If bringing your own device is allowed, it must be formally understood, managed, monitored and controlled, not just permitted. An interesting sidelight is the issue of engaging hourly staff after hours because their device buzzes and pings with your business matters. Be ready to pay for that intrusion; the labor laws are on the side of the employee.
Unmanaged Wi-Fi access.
Common complaints include, "It is too much of a nuisance to have a password-protected Wi-Fi. We have lots of guests and it makes it hard for them to get online." Remember, you don't have to be in the room to get a Wi-Fi signal. Every signal is a beacon for a drive-by hacker. Why make it easy to "come on in"? Put guests on a separate, password-protected guest network that cannot reach the office systems, and keep the office network for staff only.
Unsecure printing and storage of paper files.
Allowing multiple users to print to a shared printer when they are not present to collect their output is a security problem. Unattended output left in print trays in full view can easily be picked up by the wrong person. Personal identity theft is a significant threat, and the cost of that breach is severe.
Look around the leasing office and see how much personal resident information is left unattended. Now, where is that application form? Are resident paper files really locked down? Does the cleaning staff have unsupervised access to paper file storage rooms?
Lost or stolen smartphones and laptops.
Need I say more about this drama and trauma? If you don't have a policy to lock down lost devices or immediately restrict their access, then stop reading and get one started. Full-disk encryption and the ability to remotely wipe a device turn a lost laptop into a lost laptop rather than a data breach. Hopefully you've backed this information up, for two reasons: so the employee can continue to work, and so you can audit what was lost or stolen.
Social Media Apps on corporate systems.
These are a treasure trove for phishing and malicious redirects, and they give an attacker an easy channel straight onto a machine that also holds your business data.
Malware and viruses.
“All I did was click on that message, it said I had to.” “Oh, that web site seemed like it was going to be helpful.” “Here, use this jump drive, I have others.” Unless you ensure and enforce the use of firewalls and up-to-date, device-resident security software on every machine, you have no chance at even a semblance of protection.
In the end, a rigorous security awareness program, with frequent mandatory end-user security training sessions and regular bulletins and newsletters that make security awareness part of your culture, will go a long way toward reducing your risk.
One last piece of advice: make someone available to help end users when they have a security question. Encourage them to call before they do something. Everyone will benefit from the ounce of prevention that avoids a ton of grief.