IT security can’t be accomplished with totality; not if it relies on the honesty and integrity of employees. People are subject to a little thing called human nature, and a big part of human nature is procrastination, or plain laziness.
At organizations like IBM, employees will sometimes have access to as many as forty legacy databases. Each database will require a unique alphanumeric password of eight characters or more, containing letters, numbers, and symbols; the whole nine yards. The passwords will usually require a reset every two weeks to a month. Now, it should go without saying that such passwords shouldn’t be written down where they can be found; but with so many passwords necessary for daily operations, they’re going to get written down. The key then becomes securing the written information in a combination locker that requires the employee to enter the combination every time they need access. But even then, you’re going to have instances where employees leave their password notebook just lying around for any old corporate espionage agent to snatch up and wreak havoc with.
The reason employees do this is simple. It’s not that they want to compromise security; it’s that they know corporate espionage agents are a tiny minority of the people around the office. Employees also know that keeping a memorized password in the back of their minds at all times is a hassle, as is maintaining a notebook under lock and key. So sometimes they will just shove it behind the desktop tower, or under the keyboard tray, or in a drawer at their desk. Though their locker may be just halfway across the room, that little amount of work somehow seems like too much. And while you may think that such willful disobedience for the sake of convenience represents a minority of employee activity at your location, you’d do well to consider some statistics which say otherwise. This willful disobedience is called “rational noncompliance”, and in one particular survey 90% of employees admitted to it. IT security that doesn’t take this into account is going to have breaches that begin on the inside.
Worse than passwords that are insecure in and of themselves, or insecurely stored on paper somewhere easy to find, is employees compromising internal systems through cloud applications and email. They’ll send sensitive data back and forth between business servers and their own home computers. If you think this isn’t an issue, just consider the whole debacle of the last year involving a presidential candidate, which concerned this exact practice. Such behavior stretches from the top of the organization to the bottom, and preventing it requires concerted effort.
When email is exchanged between private computers and those used in company operations, it opens the door to a variety of security breaches. Email is one of the main avenues hackers use to gain access to a given system. All a hacker has to do is find a chain of emails between a supervisor and support personnel. Then they just have to imitate that individual’s writing style, which doesn’t take a CIA-trained spy to do, by the way, and they can talk their way into proprietary access credentials. “Hey Steve, it’s Mike from accounting — get ‘er done! Hey, I lost my PMINC password, can you send me a new one? Thanks, boss!” Boom, PMINC just got hacked.
There are a number of methods you can use to keep operations secure. Following are several suggestions:
• Secure Passwords
• Company Protocols Restricting Physical Password Writing
• Strict Email Protocols
• Download Restrictions
These measures, in conjunction with antivirus software that restricts downloads unless permissions are granted, and maintenance of such measures through a professional IT organization, will certainly go a long way toward ensuring your company’s security. It is important to obtain IT security through an organization that fundamentally understands where security breaches are most likely to occur. Such agencies can help you monitor “problem” employees and maintain restrictions and access privileges. Many antivirus software options require an administrator password for any kind of download on a company computer. Additionally, you could maintain email on a private server that only accepts messages from certain addresses. Consult an IT agency for the most secure solutions as they pertain to your business; they’ll definitely have some tips for you.
About the Author
San Diego, CA
Michael is the CEO of Spacelink, which has provided IT infrastructure cloud hosting services and San Diego IT support since 2001. Michael has over 9 years of experience in IT infrastructure and has a passion for simplifying the complexities of information technology and cloud services. Spacelink exists to help companies propel their businesses with a well-reasoned IT strategy and forward-thinking technology that’s cost-effective and reliable. Spacelink was recognized as a top Managed IT service provider in North America by MSP Mentor in 2016.