What should staff know about data protection? Part 2
Every company wants to secure its data. However, many business owners forget that the greatest threat to information is the “human factor”: the employees. To minimize the risk of leakage, it is enough to implement personnel control systems and regularly conduct awareness work that lets employees understand the full extent of their responsibility for the safety of information assets. And it is important not just to “talk and disperse”, but to put the key points on paper and have each employee sign for them.
In the previous article, we talked about the main nuances of using office equipment and software. Today we will continue this topic.
Complex passwords
Attackers can sleep soundly as long as the most popular username-password combination is “admin/12345”. As soon as the company’s employees are allowed to choose their own access codes, the security system is immediately at risk. After all, not everyone is able to invent and remember a 16-character combination of mixed-case letters.
Even if the security service steps in and hands out complex passwords, you cannot escape ordinary human carelessness: sheets of codes are taped directly to the monitor, and anyone can immediately log in under someone else’s profile.
A number of rules implemented in the company will help reduce the risks:
- Passwords must contain 8 characters or more.
- Employees should not pass access codes to their colleagues without the permission of management.
- Passwords must be changed once a quarter or more often.
- Pieces of paper with codes must never be left where others can see them.
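The first and third rules above are the only ones a system can enforce by itself. The following added example (not from the article or from any product it names) turns them into two checks: one applied when a user picks a new password, and one run over account metadata to find passwords older than the quarterly rotation limit. The denylist, account records and audit date are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MIN_LENGTH = 8        # "Passwords must contain 8 characters or more"
MAX_AGE_DAYS = 90     # "changed once a quarter or more often"
# Constructed denylist; the article itself names only the "admin/12345" pair.
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "admin"}


def check_new_password(username: str, candidate: str) -> list[str]:
    """Rules applied when a user sets a new password.

    Returns the list of violations; an empty list means the password is accepted.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if candidate.lower() == username.lower():
        problems.append("same as the username")
    return problems


@dataclass
class AccountRecord:
    username: str
    last_changed: date   # the rotation audit needs only this metadata, never the password


def stale_accounts(records, today: date) -> list[str]:
    """Usernames whose password is older than the rotation limit."""
    limit = timedelta(days=MAX_AGE_DAYS)
    return [r.username for r in records if today - r.last_changed > limit]


# Constructed sample data for a stand-alone run.
RECORDS = [
    AccountRecord("admin", date(2023, 1, 10)),
    AccountRecord("ivanov", date(2023, 5, 2)),
    AccountRecord("petrova", date(2022, 12, 1)),
]
AUDIT_DATE = date(2023, 6, 1)

if __name__ == "__main__":
    print(check_new_password("admin", "12345"))          # two violations
    print(check_new_password("ivanov", "Tr0ub4dor&3x"))  # []
    print(stale_accounts(RECORDS, AUDIT_DATE))           # ['admin', 'petrova']
```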
Phishing
Today, most attacks start with phishing. The danger may hide in emails, messages in messengers or attached files. To minimize the risk, employees need to follow these rules:
- If you receive an unexpected email with an attachment, contact the sender by phone and check whether they really wrote the message.
- Do not click on suspicious links.
- Do not run executable files from attachments.
- Forward suspicious messages to higher-level management or the security service.
However, even compliance with all the rules does not guarantee absolute protection. At the moment, the only effective way to counter phishing is to monitor user behavior around the clock. Unfortunately, the techniques for disguising dangerous correspondence have reached such a level that even a competent person cannot always recognize the “fake”.
It is much better to rely on a security system with an analytical engine. It can predictively identify security bottlenecks and detect the most trusting employees, whose actions can lead to serious problems.
Browsing the Internet
On the Internet there are millions of sites that can deal a powerful blow both to the security system and to the company’s reputation. The “ban everything” approach stopped working long ago. Blocklists cannot keep up with the dangerous resources that appear daily, and cunning users quickly figure out how to bypass them.
The most sensible solution is to constantly monitor web browsing and to introduce personal responsibility of employees for improper and dangerous browsing:
- Working hours are paid for by the business owner. Accordingly, the employer may control visits to entertainment sites without notifying the staff.
- Downloading software or installing extensions without notifying the system administrator is not allowed.
- Viewing illegal content is a blow to the company’s image.
Controlling and monitoring web browsing is not a whim. Thoughtless posts on forums and social networks can cause irreparable damage to the company’s image. Correspondence in messengers can become a source of data leakage. And downloading “adult” content is a good reason for criminal proceedings to be initiated. During the working day, the company is fully responsible for the actions of its staff. As a result, the business not only has the moral right to demand that employees comply with discipline and the Criminal Code, but also to monitor compliance with these norms in every possible way.
Computer monitoring
Analyzing staff activity is not a Cerberus constantly watching over the employees. In most situations, it is a bodyguard protecting responsible staff from negligent colleagues.
Think about it: how often do you log out of your accounts and turn off your computer when you go on a break? Insiders regularly take advantage of this, pumping out gigabytes of information through other people’s PCs. Security systems with keystroke dynamics analysis, such as Mirobase, can quickly detect a “substitution” of the user and identify the real “mole”.
Data Analysis
Every employee sends dozens or even hundreds of documents every day, and the manager does not always know what becomes of them. What if some of the important files have already slipped out to outsiders?
Interception of information and analysis of deviations is one of the key elements of preventing information leaks.
Employees must understand that everything developed during time paid for by the company is the intellectual property of the employer. Appropriating that content, sending it to third parties without authorization, or even storing it in a personal “cloud” or private mailbox is a serious violation. The employer has the right to fix such rules in the employment agreement and to monitor compliance with them around the clock.
The “human factor” will remain the main threat to the safety of valuable commercial information for a long time to come. Today, staff training, the legally established responsibility of the parties, and software packages that monitor compliance with information security standards and rules help to minimize the risks.