Covering Your Assets
Written by: Chris S. Sharp
Issue: March 2008 | NSIDE Business

Many businesses believe they go to great lengths to safeguard the integrity of their business data. They install and rigorously maintain their network firewalls. They ensure daily antivirus software updates to all servers and desktop computers. They schedule frequent virus scans. Unfortunately, most businesses stop there. They do nothing to protect their business data and computer environment from the most dangerous hazards of all: internal sources such as employees, security and janitorial staff, etc.

The great majority of employees are not intentionally trying to cause harm. They are just “doing their job.” Unfortunately, there are multiple ways even the best employee can damage your business. During everyday work activities, the unintentional access of sensitive business information, the downloading of a “cute” picture or the innocent attempt to “fix” something can wreak havoc. To protect your business environment from this kind of accidental, yet potentially damaging event, your computer administrator should apply the “Principle of Least Authority,” more commonly known as the “Principle of Least Privileged Access.” In simple terms, this means limiting employee access to only the specific resources they legitimately need, on both their computer and the computer network, to do their job.

Even with strict firewall rules and up-to-date antivirus software, without the “Principle of Least Privileged Access” at work, your computers are still at significant risk. Zero Day Exploits are one of the reasons your computers and network are still vulnerable. Most of the damage done by viruses and malware attacks happens during the time between the release of the new threat and the solution provided by the antivirus and antispyware vendors. Therefore, one of the more important aspects of the “Principle of Least Privileged Access” is to control the “right” to install software. Establishing “necessary access only” rights for your employees will significantly decrease the unintentional, or worse, intentional damage to your information and systems.

Data security is another employee problem area which is often overlooked by small and medium-sized businesses. Identity theft has become a worldwide multibillion-dollar business. Almost every week there is a news story in which some employee has lost a laptop and supposedly secure information becomes publicly available. Inattention can lead to a hard drive which contains private and confidential information being installed in the wrong computer, placing that information into the wrong hands. The U.S. Government has passed various laws, such as the Sarbanes-Oxley, HIPAA and Gramm-Leach-Bliley Acts, to make businesses liable for such mistakes. To protect your data, determine which specific employees should be allowed to access USB ports or CD-ROM drives and strictly enforce the policy. The most effective way to keep data safe on mobile devices is to encrypt the information before saving to the device. There are many software solutions which can be purchased to aid in this process. Most document programs, such as MS Word, Excel, OpenOffice Writer and so on, have an option to password protect the document when saving. However, the password protection offered by these programs is not as good as true encryption.

Employees’ PDAs, Blackberries and Treo devices can be another big security headache. Forgotten devices at the restaurant today may mean sensitive data on the Internet tomorrow. These devices can be made more secure by the simple use of a strong password. However, today, when the average person is required to remember more than one password, the password itself becomes another security issue. It is human nature to pick a word or date that is easily remembered and use that password for everything. Unfortunately, most passwords can be discovered with just a little personal information. Pet names, whether of actual pets, spouses or children, are easily come by, as are significant dates, places or events. Hackers use dictionary and numerical attacks to quickly crack simple passwords. Your password may be the strangest word you’ve ever heard, but if it’s in a dictionary, any dictionary, it WILL be cracked. A strong password should be at least 6 characters long. Both upper and lower case letters should be used and, perhaps most importantly, symbols should be substituted for some of the letters. For example, take the word “hotfoot,” add a bit of creativity and the word is transformed into “H@tF@0t!”. Whatever you do, do not write the password down! A great password on a sticky note is not just a bad password, it’s the “open sesame” for your data. Another aspect of good password management is to change passwords at least every 3 months. Both Microsoft Windows and Linux environments support the automation of this process to force people to change their passwords. Even the reuse of passwords can be disabled permanently or placed on a date/time basis.
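An added example (not part of the original article): on Linux, password aging is recorded per account in /etc/shadow, so an administrator can check whether the three-month change rule is actually being enforced. The Python sketch below assumes three months means 90 days; the sample accounts, placeholder hashes and function name are constructed for illustration.

```python
from datetime import date, timedelta

MAX_AGE_DAYS = 90          # assumption: "every 3 months" taken as 90 days
EPOCH = date(1970, 1, 1)   # shadow dates are counted in days since this date

# Constructed sample in /etc/shadow format (user:hash:lastchg:min:max:warn:...).
SAMPLE_SHADOW = """\
alice:$6$placeholder:13900:0:90:7:::
bob:$6$placeholder:13500:0:99999:7:::
carol:$6$placeholder:13930:0::7:::
svc_backup:!:13000:0:99999:7:::
"""

def audit_password_aging(shadow_text, today, max_age=MAX_AGE_DAYS):
    """Return {user: [findings]} for accounts that break the rotation rule."""
    findings = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue  # not a shadow entry
        user, pw_hash, last_change, _min_days, max_days = fields[:5]
        if pw_hash.startswith(("!", "*")):
            continue  # locked account: no password login to expire
        problems = []
        # Empty or very large "max" means the system never forces a change.
        if not max_days or int(max_days) > max_age:
            problems.append("no forced change within %d days" % max_age)
        # Age of the current password, from the last-change day number.
        if last_change:
            changed_on = EPOCH + timedelta(days=int(last_change))
            age = (today - changed_on).days
            if age > max_age:
                problems.append("password is %d days old" % age)
        if problems:
            findings[user] = problems
    return findings

if __name__ == "__main__":
    for user, problems in audit_password_aging(SAMPLE_SHADOW, date(2008, 3, 1)).items():
        print(user + ": " + "; ".join(problems))
```

On a real system the same function can be fed the contents of /etc/shadow, which requires root to read.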

Guarding your company’s data requires more than just keeping the “barbarians at the gate” out. It requires protection from those within. Most computer solutions companies will offer a complimentary evaluation of your computer environment and offer recommendations to improve the protection of your business’s core, your data. Do it now. Don’t read about your company’s loss of data in the news tomorrow.

Chris S. Sharp is currently partner/owner of High Tek Innovations LLC, which specializes in Voice and Data Network security. He is the former Regional I.S. Department Supervisor and Telecommunications Manager for Carlton Fields P.A. For comments or questions about this article, contact High Tek Innovations at 210-787-3272 or email Chris.Sharp@HighTekinnovations.com.
