Tightening up Security is Everyone’s Responsibility

Most information technology (IT) experts are very much unnerved by cyber criminals, says the biggest study involving surveys of IT professionals in mid-sized businesses.3D

  • 87% send data to cloud accounts or personal e-mail.
  • 58% have sent data to the wrong individual.
  • Over 50% have confessed to taking company data with them upon leaving a post.
  • 60% rated their company a “C” or worse for preparation to fight a cyber threat.

Here is an executive summary and a full report of the survey’s results.

second study as well revealed high anxiety among mid-size business IT professionals.

  • Over 50% of those surveyed expressed serious concern over employees bringing malware into an organization: 56% for personal webmail and 58% for web browsing.
  • 74% noted that their organization’s networks had been infiltrated by malware that was brought in by web surfing; and 64 percent via e-mail—all in the past 12 months.

The above study is supported by this study.

  • 60% of respondents believed that the greatest risk was employee carelessness.
  • 44% cited low priority given to security issues in the form of junior IT managers being given responsibility for security decisions.

The first (biggest) study above showed that about 50% of C-level management actually admitted that it was their responsibility to take the helm of improving security.

And about half of lower level employees believed that IT security staff should take the responsibility—and that they themselves, along with higher management, should be exempt.

The survey size in these studies was rather small. How a question is worded can also influence the appearance of findings. Nevertheless, a common thread seems to have surfaced: universal concern, and universal passing the buck. It’s kind of like littering the workplace but then thinking, “Oh, no problem, the custodian will mop it up.”

  • People are failing to appreciate the risk of leaving personal data on work systems.
  • They aren’t getting the memo that bringing sensitive data home to personal devices is risky.
  • Web browsing, social sharing and e-mail activities aren’t being done judiciously enough—giving rise to phishing-based invasions.

IT professionals are only as good as their weakest link: the rest of the employees who refuse to play a role in company security will bring down the ship.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

4 Best Practices for BYOD Policies

People love their mobile devices and don’t want to leave home without them. When they bring their digital device to work we call this Bring Your Own Device or BYOD.  The day after you get your new mobile phone or iPad, you’ll probably take it to work and have the IT department set it up with your email and access to the company IT network. And as more and more companies agree to this, they are also requiring you to agree to their BYOD policies as well.

  1.     There should be an acceptable mobile usage policy. These are set up by the companies CIO and telling you what you can and can’t do on your mobile device.Read the BYOD policy carefully because once you sign it your job will be on the line if you don’t abide by it.
  2.     For IT security purposes, an application will run on the mobile device that needs to be downloaded and installed. This security application will have a certificate authenticating the device with terms and conditions to connect to the company network and run yours and the companies programs.
  3.     The mobile management application will provide the enterprise the ability to remotely control your mobile and wipe data. Don’t do this if you don’t plan on agreeing to the BYOD policies
  4.     Expect the security application to have the ability to locate your mobile if it’s lost or stolen via the phones GPS, lock your phone locally within 1-5 minutes.  It will also wipe your mobile, having encryption, antivirus and a firewall to protect company data.

Bringing your own device is not a right but a privilege. If your employer doesn’t allow it there is generally a good reason. Data breaches cost thousands and in some cases millions. So if you are lucky enough to be privileged, protect that mobile device with the guidance of the IT department.

Robert Siciliano personal and small business security specialist toADT Small Business Security discussing ADT Pulse on Fox News. Disclosures

Human Security Weaker Than IT Security

Information technologies have evolved to a level at which the developers, programmers, and security specialists all know what they’re doing, and are able to produce products and services that work and are reasonably secure. Of course, there’s always room for improvement.

Despite the amount of criminal hacking that goes on, users who effectively implement the appropriate measures and refrain from risky behaviors enjoy relative security.

The Wall Street Journal reported on a study by Dartmouth’s Tuck School of Business, quoting professor Eric Johnson:

“Criminal hackers are increasingly turning to digital versions of old-fashioned con games, literally gaining the confidence of employees through innocuous-seeming phone calls purporting to be from fellow workers, or even through regular mail, in order to entice them into downloading malicious code or revealing a password. The threat of data leakage is thus highest where a human is put in a position to decide whether to click on a link or divulge important information. The [phishing] techniques have become more hybrid.”

If you are reading this, chances are you do a pretty good job with information security to prevent identity theft, at least on the consumer level. But you also need to start thinking about avoiding Jedi mind tricks. Within the security world, these cons are known as “social engineering.”

Whether you receive a phone call, an email, or a visitor at your home or office, always question those who present themselves in positions of authority.

You should never automatically place your trust in a stranger.

Within your own home or business, set clear guidelines regarding what information should or should not be shared.

Keep in mind that when you lock a door it can be unlocked, either with a key, or with words that convince you to unlock it yourself. Always view every interaction, whether virtual or face-to-face, with a cynical eye for a potential agenda.

In the end, if a bad guy has pulled the wool over your eyes, they often will want to infect your Mac or PC. Keep your computers operating systems critical security patches up to date and install a total protection product.

Robert Siciliano is an Online Security and Safety Evangelist to McAfee and Identity Theft Expert. (Disclosures)