What should staff know about data protection? Part 1
Information security is a precondition for a successful business: a data leak or an outage of the corporate network inevitably has serious consequences. Yet in most companies the protective tools exist separately from the staff. Employees are busy with their own work and have no idea of the basic rules that would prevent risky situations, while the security systems are geared toward handling problems that have already occurred and are poorly suited to heading off threats in advance.
For these two worlds to meet, and for management to sleep peacefully, two simple steps are needed. First, make sure there are software tools that not only track dangers “from the outside” but also respond to the “internal threat”. Second, do educational work. The “human factor” is the cause of the vast majority of leaks, and it is rarely a matter of malicious intent: many employees do not even suspect that their actions put the business at risk.
Staff training helps to minimize risks, and a signed agreement establishes the areas of responsibility of employer and employee. The manager's main task is to focus attention on the right things.
A corporate computer is not equal to a personal computer
Most employees do not lie awake at night wondering what they may and may not do on a corporate laptop. They simply use it however seems appropriate, unless they have been told otherwise. It is the business owner's task to spell out clearly “what is good and what is bad”, preferably in writing and against the employee's signature. Moreover, this should not be a one-time act at hiring but an annual practice. That not only raises the level of information security but also provides legal support in the event of an incident.
The key points that every employee of the company must be made aware of:
- Corporate PCs are the property of the business. Only management may grant access to equipment, usernames and passwords, or change the hardware and software configuration.
- The concept of “privacy” does not apply to equipment purchased at the employer's expense. Where local law permits, representatives of the company have the right to read e-mail and messenger correspondence, or to monitor the user's actions, even without notifying them.
- It is unacceptable to perform illegal or unethical actions on corporate PCs.
- The company's management has the right to reset or change passwords set by an employee at any time, without notifying them.
- Personal use of laptops is tolerated as long as the staff's actions do not threaten the business; the limits of such use are always set by the employer.
In American practice, such rules are an aid in court cases, and their violation is grounds for penalties and dismissal.
Patches
The antivirus is asking to install an update again? Why bother, if everything works fine anyway? Laziness, or simply not understanding why software updates matter, regularly leads to serious security incidents. That is why the employer should include a form of “patch management” in its documented rules, setting out the staff's responsibility for installing patches late:
- All critical security updates must be installed within a week of release.
- Updates and programs must not be installed from suspicious sites; use the vendor's official channels.
- If installed software or an update causes malfunctions, notify the system administrator or another responsible person as soon as possible.
These simple measures significantly raise the level of corporate security. However, this is not a complete list of the threats the employer needs to tell subordinates about.
Any company wants to secure its data. Yet many business owners forget that the greatest threat to information is the “human factor”, the employees themselves. To minimize the risk of leaks, it is enough to implement staff monitoring systems and to conduct regular educational work that lets employees understand the full extent of their responsibility for the safety of information assets. And it is important not just to “talk and disperse”, but to fix the key points on paper against a signed receipt.
In the previous article, we talked about the main nuances of using office equipment and software. Today we will continue this topic.
Complex passwords
Attackers can rest easy as long as the most popular username/password combination is “admin/12345”. As soon as employees are allowed to choose their own credentials, the security of the system is immediately at risk: not everyone can invent, let alone remember, a 16-character mix of upper- and lower-case letters.
Even when the security team steps in and hands out complex passwords, ordinary human carelessness remains: sheets of passwords are taped right to the monitor, and anyone can immediately log in under someone else's profile.
A number of rules implemented in the company will help reduce the risks:
- Passwords must be at least 8 characters long.
- Employees must not pass their credentials to colleagues without management's permission.
- Passwords must be changed at least once a quarter, and immediately if compromise is suspected.
- Notes with passwords must never be left where they can be seen.
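As an added example, not part of the original article, here is a password-policy check in Python. It enforces the minimum-length rule above and adds the checks a security team normally bolts on: a denylist of common passwords such as “12345”, a check that the password does not contain the username, detection of keyboard or digit runs, and a character-class count. The denylist and the sample credentials are constructed for the example; a real deployment would use a large breached-password list.

```python
"""Added example: password-policy validator.

Enforces the article's minimum-length rule and the extra checks a security
team would add. The denylist below is a constructed stand-in for a real
breached-password list.
"""
import re

MIN_LENGTH = 8

# Constructed denylist; in practice this would be a large breached-password list.
COMMON_PASSWORDS = {
    "12345", "123456", "12345678", "password", "admin", "qwerty",
    "letmein", "welcome", "p@ssw0rd", "passw0rd",
}

# Rows of adjacent keys used to spot "walks" such as "qwer" or "4321".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keyboard or digit keys in a row,
    forward or backward (e.g. "1234", "rewq")."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in low or frag[::-1] in low:
                return True
    return False


def check_password(username: str, password: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password
    is acceptable under this policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if has_sequence(password):
        problems.append("contains a keyboard or digit sequence")
    # Count character classes present: lower, upper, digit, other.
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    for user, pw in [("admin", "12345"), ("jsmith", "Jsmith2024!"),
                     ("jsmith", "Tr0ub4dor&3-Horse")]:
        print(user, pw, check_password(user, pw) or "OK")
```

The denylist check is deliberately done on the lower-cased value, so “Admin” or “PASSWORD” is still rejected; the sequence check catches the “12345” family even when it is embedded in a longer string.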
Phishing
Today most attacks begin with phishing. The danger may hide in e-mails, messenger messages or attached files. To minimize risks, employees should follow these rules:
- If you receive an unexpected e-mail with an attachment, phone the sender using a number from the company directory, not one given in the message, and confirm that they really sent it.
- Do not click on suspicious links.
- Do not run executable files from attachments.
- Forward suspicious messages to your manager or the security service.
However, even compliance with all the rules does not guarantee absolute protection. At present, the only effective way to counter phishing is round-the-clock monitoring of user behaviour: the means of disguising dangerous correspondence have reached such a level that even a competent person cannot always recognize a “fake”.
It is far better to rely on a security system with analytical capabilities. It can identify security bottlenecks in advance and detect the most trusting employees, whose actions can lead to serious problems.
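As an added example, not part of the original article, the Python script below triages the attachments of a suspicious e-mail, the “danger hidden in attached files” mentioned above. It parses a MIME message with the standard library, lists every attachment, and flags executables even when the file name is disguised (a double extension such as invoice.pdf.exe, or a harmless-looking name over executable content), by checking the content's magic bytes rather than trusting the name. The message, the sender address and the “MZ” payload are constructed for the example and contain no real program.

```python
"""Added example: attachment triage for a suspicious e-mail.

Parses a MIME message and flags executable attachments by file extension,
double extension, and content magic bytes. The sample message is constructed.
"""
import email
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs",
    ".wsf", ".hta", ".msi", ".ps1", ".lnk", ".jar",
}

# (magic bytes, description): a few formats that should never arrive as "documents".
MAGIC = [
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP container (could be a JAR, a macro document or an archive)"),
]


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment is suspicious; empty list = nothing found."""
    reasons = []
    parts = (filename or "").lower().split(".")
    if len(parts) > 1 and "." + parts[-1] in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{parts[-1]}")
    if len(parts) > 2:
        # Also fires on names like archive.tar.gz; review rather than block.
        reasons.append("double extension (e.g. invoice.pdf.exe)")
    for magic, desc in MAGIC:
        if data.startswith(magic):
            reasons.append(f"content is a {desc}")
            break
    return reasons


def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment file name to its list of red flags."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        findings[name] = classify_attachment(name, payload)
    return findings


def build_sample() -> bytes:
    """Constructed phishing-style message: a PDF-looking name over PE content,
    plus a harmless text attachment. The sender domain is a made-up look-alike."""
    msg = EmailMessage()
    msg["From"] = "accounting@examp1e-corp.test"
    msg["To"] = "employee@example.test"
    msg["Subject"] = "Urgent: unpaid invoice"
    msg.set_content("Please review the attached invoice today.")
    # Fake PE header: "MZ" followed by filler, not a real program.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    msg.add_attachment(b"Meeting notes\n", maintype="text", subtype="plain",
                       filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, flags in triage_message(build_sample()).items():
        print(name, "->", flags or "no findings")
```

The point of the magic-byte check is the caveat in the text: a disguised attachment is not recognizable from the name alone, so a filter that looks only at extensions passes “report.pdf” that is really a PE file.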
Browsing the Internet
There are millions of sites on the Internet that can deal a heavy blow both to the security system and to the company's reputation. The “ban everything” option stopped working long ago: blocklists cannot keep up with the dangerous resources that appear daily, and cunning users quickly figure out how to bypass them.
The most sensible solution is to monitor web browsing continuously and to make employees personally responsible for improper and dangerous browsing:
- Working hours are paid for by the business owner. Accordingly, visits to entertainment sites may be monitored by the employer without notifying the staff.
- Downloading software or installing browser extensions without notifying the system administrator is not allowed.
- Viewing illegal content damages the company's image.
Monitoring of web browsing is not a whim. Thoughtless posts on forums and social networks can cause irreparable reputational damage, messenger correspondence can become a source of data leaks, and downloading “adult” content is an excellent reason for criminal proceedings. During the working day the company is responsible for the actions of its staff. As a result, the business not only has the moral right to demand that employees observe discipline and the Criminal Code, but also to monitor compliance with these norms in every possible way.
Computer monitoring
Employee activity analysis is not a Cerberus that constantly watches employees. In most situations it is a bodyguard that protects conscientious staff from negligent colleagues.
Think about it: how often do you log out of your accounts and turn off your computer when you go on a break? Insiders regularly exploit this, siphoning off gigabytes of information from other people's PCs. Security systems that analyze keystroke dynamics (“keyboard handwriting”), such as Mirobase, can quickly detect that a different person is at the keyboard and establish the identity of the real “mole”.
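As an added example, not part of the original article and not Mirobase's algorithm, the Python code below shows the principle behind keystroke-dynamics analysis. A per-user baseline of typing-rhythm features (key dwell time and the flight time between consecutive keys, in milliseconds) is built from several enrolment sessions; a live session is then scored by its mean absolute z-score against that baseline, and a large distance indicates that someone other than the account owner is typing at the unlocked PC. All timing data is constructed with a seeded generator, so the script runs offline and reproducibly.

```python
"""Added example: toy keystroke-dynamics check (illustrative, not a product's
algorithm). Timing data is constructed; real systems capture it from the
keyboard driver.
"""
import random
from statistics import mean, pstdev

# A session is a list of (dwell_ms, flight_ms) pairs, one per keystroke.


def features(session):
    """Summarise a session: mean dwell, mean flight, and the share of flight
    times above 250 ms (hesitations, typical of someone who does not know
    the keyboard or the text)."""
    dwell = [d for d, _ in session]
    flight = [f for _, f in session]
    return [mean(dwell), mean(flight), sum(f > 250 for f in flight) / len(flight)]


def enrol(sessions):
    """Baseline: per-feature (mean, std) over the enrolment sessions.
    The std is floored so a handful of enrolment sessions cannot produce a
    near-zero spread that would flag the owner as an impostor."""
    vectors = [features(s) for s in sessions]
    baseline = []
    for col in zip(*vectors):
        mu = mean(col)
        sd = max(pstdev(col), 0.05 * abs(mu))
        if sd == 0:
            sd = 1.0  # feature was constant during enrolment
        baseline.append((mu, sd))
    return baseline


def distance(baseline, session):
    """Mean absolute z-score of the session's features against the baseline."""
    return mean(abs(v - mu) / sd for v, (mu, sd) in zip(features(session), baseline))


def is_impostor(baseline, session, threshold=3.0):
    """True when the live session's typing rhythm is far from the owner's."""
    return distance(baseline, session) > threshold


def make_session(rng, dwell_mu, flight_mu, n=60):
    """Constructed session: gaussian dwell/flight times around the given means."""
    return [(rng.gauss(dwell_mu, 8), rng.gauss(flight_mu, 25)) for _ in range(n)]


# Constructed data: the owner types fast and steadily; the impostor is slower
# and hesitates between keys.
_rng = random.Random(42)
OWNER_SESSIONS = [make_session(_rng, 90, 120) for _ in range(5)]
OWNER_LIVE = make_session(_rng, 90, 120)
IMPOSTOR_LIVE = make_session(_rng, 140, 260)


if __name__ == "__main__":
    base = enrol(OWNER_SESSIONS)
    for label, live in (("owner", OWNER_LIVE), ("impostor", IMPOSTOR_LIVE)):
        print(f"{label}: distance={distance(base, live):.2f} "
              f"impostor={is_impostor(base, live)}")
```

Three hand-picked features and a z-score are enough to show the mechanism; production systems use many more features (per-key and per-digraph timings) and a trained classifier, and they treat a high score as a reason to lock the session and alert, not as proof of identity.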
Data Analysis
Every employee sends dozens or even hundreds of documents every day, and the manager does not always know what becomes of them. What if some important files have already leaked to outsiders?
Interception of information and analysis of deviations from normal behaviour is one of the key elements of preventing leaks.
Employees must understand that everything produced during time paid for by the company is the employer's intellectual property. Appropriating such content, sending it to third parties without authorization, or even storing it in a personal “cloud” or private mailbox is a serious violation. The employer has the right to fix these rules in the employment agreement and to monitor compliance around the clock.
The “human factor” will remain the main threat to valuable commercial information for a long time to come. Today, staff training, the legally established responsibility of the parties, and software that monitors compliance with information-security standards and rules help to minimize the risks.