I will not be breaking any news if I say that cyber criminals enter your systems through the user route. While IAM technology is effective at protecting systems and processes, what lies beyond the shield of technology is human fallibility and intentional trickery.
For example, what do you do when:
- An employee (a user) has lost his mobile phone, which was synced with confidential company applications – a case of human fallibility.
- An employee used a co-worker’s workstation to pull out sensitive information – a case of intentional trickery.
Now if I asked you to get your mind running and bring more such scenarios to light, you could. If you are in IT security, HR or office administration, you must have been well involved in trying to find a way out of such threats. Those cases could involve employees, customers, clients, vendors, partners – anyone who let a little slip past them and left the organization’s IT systems vulnerable!
There has been news about companies crafting policies in favor of sacking employees who fail to inform the IT admin about a lost device within 24 hours. Harsh move, isn’t it? Being in management or administrative IT, you must be thinking about how to stop such slips. Is the simplistic approach to discourage them?
Here are some points to keep in perspective while enforcing IT security policies:
- IT admins start shouting “fire!” whenever mobile security is questioned. Why? Because a smartphone in the hands of someone who does not understand the threat of losing corporate information only opens the floodgates of opportunity for unscrupulous elements. How to sort that out: enforce password-protected mobile devices, enforce policies, and make sure you communicate those policies well!
- Do not go easy on security practices for storing IDs and passwords where they can be accessed by others. This includes scribbling them on a notepad, putting them on a sticky note or storing them on a mobile device. Best is to go the Single Sign-On route, which is also the convenient option for users.
- Don’t let users be comforted by being lazy – make them change their passwords. Technology allows IT admins to set up prompts that make users change default passwords and change them frequently. Default passwords are easy to guess; if left unchanged, they can be a gateway for cyber criminals to enter your premises.
- Stolen data is a huge liability, so it is better to invest in enlightening and educating your users. Tell them about the bad cyber world and its words – phishing, vishing and similar cyber traps. A message from the finance department asking them to provide confidential details in a reply is a strict no-no!
- An enemy within is a dangerous element. Testing the limits of loss in the case of an insider who is leaking information is tough. It is hard to confront because the leaked information might not be traceable or might be hard to document. It becomes an issue of principles more than mere technology. It is better to keep notifications activated for when an employee suddenly accesses a new set of information.
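The last point, “notify when an employee suddenly accesses a new set of information”, can be turned into a concrete detection. The following is an added illustration, not code from the original post: it learns, per user, which resources they normally touch during a baseline period, then flags first-time accesses after that period and raises an alert when several first-time accesses cluster within a short window. The log format, the field names, the users and the resource names are all constructed for the example.

```python
"""Flag users who suddenly start touching data they have never accessed before.

Added example for the 'enemy within' point; the log format, users and resource
names below are constructed, not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log: <ISO timestamp> <user> <resource>.
SAMPLE_LOG = """\
2024-03-01T09:02:11 alice  hr/payroll
2024-03-01T09:15:40 alice  hr/benefits
2024-03-01T10:01:05 bob    eng/repo
2024-03-02T09:10:00 alice  hr/payroll
2024-03-02T11:30:00 bob    eng/repo
2024-03-03T09:05:00 alice  hr/benefits
2024-03-03T14:00:00 bob    eng/designs
2024-03-08T18:02:00 bob    finance/forecast
2024-03-08T18:03:30 bob    hr/payroll
2024-03-08T18:05:10 bob    legal/contracts
2024-03-09T09:00:00 alice  hr/payroll
"""

# Everything before this instant is treated as "normal" behaviour (constructed cutoff).
LEARN_UNTIL = datetime(2024, 3, 5)


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, user, resource) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource = line.split()
        events.append((datetime.fromisoformat(ts), user, resource))
    return events


def build_baseline(events, learn_until):
    """Per-user set of resources seen during the learning period."""
    baseline = defaultdict(set)
    for ts, user, resource in events:
        if ts < learn_until:
            baseline[user].add(resource)
    return baseline


def detect_new_access(events, learn_until, window=timedelta(hours=1), burst_threshold=3):
    """Return (first_time_accesses, alerts).

    first_time_accesses: user -> [(timestamp, resource)] for resources that user
                         had never accessed before (baseline or earlier in the run).
    alerts: (user, timestamp, [resources]) raised once when a user reaches
            `burst_threshold` first-time accesses inside `window`.
    """
    seen = {u: set(r) for u, r in build_baseline(events, learn_until).items()}
    first_time = defaultdict(list)
    alerts = []
    for ts, user, resource in sorted(events):
        if ts < learn_until:
            continue
        known = seen.setdefault(user, set())
        if resource in known:
            continue                      # routine access, nothing to report
        known.add(resource)               # remember it so we flag each resource once
        first_time[user].append((ts, resource))
        recent = [r for t, r in first_time[user] if ts - t <= window]
        if len(recent) == burst_threshold:
            alerts.append((user, ts, recent))
    return dict(first_time), alerts


if __name__ == "__main__":
    first, alerts = detect_new_access(parse_log(SAMPLE_LOG), LEARN_UNTIL)
    for user, items in first.items():
        for ts, resource in items:
            print(f"first-time access: {user} -> {resource} at {ts}")
    for user, ts, resources in alerts:
        print(f"ALERT {user} at {ts}: {len(resources)} new resources in one hour: {resources}")
```

Run as a script it reports that bob, who only ever touched engineering resources in the baseline, opened three unrelated data sets (finance, HR, legal) within a few minutes on an evening, and raises one alert for him; alice’s routine payroll access after the cutoff is silent. In a real deployment the baseline would come from the IAM or file-server audit trail rather than an inline string, and the alert would feed the notification channel the post recommends keeping switched on.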
The suggested steps are to create relevant checkpoints, keep notifications activated, and invest in education and learning.