Example 2: Leave No Stone Unturned
True Story: One particular organization had strong systems in place to offboard ex-employees from digital IT resources; however, they weren’t always so prompt in deprovisioning building access credentials. Then one day, a disgruntled ex-employee used this security weakness to their advantage to exact revenge. Using their “still-yet-to-be-disabled building access card,” they entered the building and were then able to gain entry into a room with an unlocked work system. They plugged a USB flash drive into the machine with plans to steal and expose sensitive data. Luckily, forensic analysis alerted the company to the malicious activity, and they were able to put a stop to it before the ex-employee was successful. Read the full story here.
Moral of the Story:
- Not only is it important to immediately terminate a fired employee’s network access, but their office access as well.
- This story also demonstrates why it’s important to enforce certain system policies, such as automatic screen lock and disabling USB storage devices. They can help prevent malicious activity on work devices.
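The gap in the story is that deprovisioning was tracked per system rather than per person, so a badge could stay active after the network account was gone. One way to catch that is a periodic reconciliation that joins HR terminations against every credential-issuing system, including physical access. The script below is an added example written for this page, not code from the original article or from any product; the employee IDs, dates and system names are constructed sample data, and the set of systems in REQUIRED_SYSTEMS is an assumption you would replace with your own inventory.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Termination:
    employee_id: str
    last_day: date          # last working day from the HR system


@dataclass(frozen=True)
class Credential:
    employee_id: str
    system: str             # e.g. "ad_account", "vpn", "badge"
    active: bool
    disabled_on: Optional[date]


# Assumption: every leaver must be disabled in each of these systems.
REQUIRED_SYSTEMS = {"ad_account", "vpn", "badge"}

# Constructed sample data (not from any real organization).
TERMINATIONS = [
    Termination("e1001", date(2024, 3, 1)),
    Termination("e1002", date(2024, 3, 5)),
]

CREDENTIALS = [
    Credential("e1001", "ad_account", False, date(2024, 3, 1)),
    Credential("e1001", "vpn", False, date(2024, 3, 1)),
    Credential("e1001", "badge", True, None),                 # the gap from the story
    Credential("e1002", "ad_account", False, date(2024, 3, 5)),
    Credential("e1002", "vpn", False, date(2024, 3, 5)),
    Credential("e1002", "badge", False, date(2024, 3, 12)),   # disabled, but a week late
    Credential("e2000", "badge", True, None),                 # current employee; no finding
]


def find_offboarding_gaps(
    terminations: List[Termination],
    credentials: List[Credential],
    today: date,
) -> List[Tuple[str, str, str]]:
    """Return (employee_id, system, reason) for every leaver whose access
    is still active, was disabled after their last day, or cannot be
    verified because the system export has no record for them."""
    by_employee: Dict[str, List[Credential]] = {}
    for cred in credentials:
        by_employee.setdefault(cred.employee_id, []).append(cred)

    findings: List[Tuple[str, str, str]] = []
    for term in terminations:
        creds = by_employee.get(term.employee_id, [])
        seen = {c.system for c in creds}
        # A missing record is not proof of deprovisioning; flag it for a human.
        for system in sorted(REQUIRED_SYSTEMS - seen):
            findings.append((term.employee_id, system, "no record in export; verify manually"))
        for c in creds:
            if c.active:
                days = (today - term.last_day).days
                findings.append((c.employee_id, c.system, f"still active {days} days after last day"))
            elif c.disabled_on is not None and c.disabled_on > term.last_day:
                late = (c.disabled_on - term.last_day).days
                findings.append((c.employee_id, c.system, f"disabled {late} days late"))
    return findings


if __name__ == "__main__":
    for emp, system, reason in find_offboarding_gaps(TERMINATIONS, CREDENTIALS, date(2024, 3, 20)):
        print(f"{emp:<6} {system:<11} {reason}")
```

Run against real exports, the "still active" findings are the ones to act on the same day; the "disabled late" findings are the metric to track over time, because a badge that is routinely disabled a week after the network account is the same weakness waiting to be used again.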
Intellectual Property and Data
Security awareness training is also a good time to clarify your rules around intellectual property. Your employees should know what is considered company property, and what the rules are for storing it. Also, establish general rules regarding what they can or can’t talk about with non-company personnel.
Along the same lines, you should consider going over how to secure data. Ideally you should have rules in place about where employees should and should not store sensitive company data.
If your organization utilizes cloud productivity platforms like G Suite™ or Office 365™, warn your employees to be mindful of who they grant permission to access these files and folders, and that it’s best to share files and folders on an individual basis when possible. Also, advise employees to password protect data files where it makes sense, or to place those files in folders with strict access controls.
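Telling employees to share "on an individual basis" only works if someone checks. A cheap check is to walk the permission list of each file and flag link sharing, sharing to an outside domain, and external individuals, ranking writers above readers. The script below is an added example written for this page, not code from the original article or from Google or Microsoft; the permission records are constructed and only loosely shaped like a Drive-style permission list (type, role, emailAddress, domain), and COMPANY_DOMAIN is an assumption you would replace with your own domain.

```python
from typing import Dict, List, Tuple

COMPANY_DOMAIN = "example.com"   # assumption: the organization's own domain

# Constructed sample records; not pulled from any real tenant or API.
FILES: List[Dict] = [
    {"name": "Q3 payroll.xlsx", "permissions": [
        {"type": "user", "role": "writer", "emailAddress": "cfo@example.com"},
        {"type": "anyone", "role": "reader"},                                   # public link
    ]},
    {"name": "Offsite agenda.docx", "permissions": [
        {"type": "domain", "role": "reader", "domain": "example.com"},          # internal only
    ]},
    {"name": "Vendor contract.pdf", "permissions": [
        {"type": "user", "role": "reader", "emailAddress": "legal@example.com"},
        {"type": "user", "role": "writer", "emailAddress": "contact@partner-co.test"},  # external editor
    ]},
]


def audit_sharing(files: List[Dict], company_domain: str) -> List[Tuple[str, str, str]]:
    """Return (file name, severity, reason) for every permission that
    exposes a file beyond named people inside the company."""
    company_domain = company_domain.lower()
    findings: List[Tuple[str, str, str]] = []
    for f in files:
        for p in f.get("permissions", []):
            kind = p.get("type")
            role = p.get("role", "reader")
            if kind == "anyone":
                findings.append((f["name"], "HIGH", "anyone with the link can access"))
            elif kind == "domain":
                dom = p.get("domain", "").lower()
                if dom != company_domain:
                    findings.append((f["name"], "HIGH", f"shared with entire external domain {dom}"))
            elif kind in ("user", "group"):
                addr = p.get("emailAddress", "").lower()
                dom = addr.rsplit("@", 1)[-1] if "@" in addr else ""
                if dom != company_domain:
                    # External editors can change or re-share; readers are lower severity.
                    sev = "HIGH" if role in ("writer", "owner") else "MEDIUM"
                    findings.append((f["name"], sev, f"shared with external {kind} {addr} as {role}"))
    return findings


if __name__ == "__main__":
    for name, sev, reason in audit_sharing(FILES, COMPANY_DOMAIN):
        print(f"[{sev}] {name}: {reason}")
```

Whole-domain sharing inside the company is deliberately not flagged here; whether that belongs on the report depends on how sensitive the folder is, which is exactly the judgment the training is asking employees to make.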
When data is sent via email, they should assume it is compromised the moment it is sent, and they should always know what, to whom, and why something is being sent.
Warn employees to be mindful about logging into an account in a public area, like Starbucks or while riding the bus. They especially need to be wary of someone peering over their shoulder, because this is an easy way for someone to steal credentials.
Speaking of public areas, let them know that they should avoid public WiFi whenever possible and only use it if they absolutely need to. While public WiFi can be extremely convenient, it can also be one of the easiest ways to compromise a set of credentials and a device. Lay out for your employees that they’re essentially ceding control of their network traffic to whoever has access to the router. Some good questions to run through before connecting to public WiFi are:
- Do I trust the coffee shop I’m at to also be experts in network security?
- Do I trust that nobody has tampered with the router?
- Do I trust that the router has been updated recently?
- Would I have an intimate conversation with, say, my tax lawyer in a crowded coffee shop? If no, then it’s probably not the best idea to conduct online banking over the WiFi either.
It ultimately comes down to one’s risk model and what one is comfortable exposing, but public WiFi is fundamentally an insecure method of communication. When employees urgently need internet access, alternatives to public WiFi include using mobile data on their phone or creating a mobile hotspot. For the times that’s not an option and they need to take that risk, a VPN (virtual private network) can help mitigate some of that risk, but not all of it.
Lastly, security training is also a good time to notify them of any company rules you have about company WiFi (e.g., whether there are certain networks they should or shouldn’t connect their phone to).