Losing an employee is not usually a good experience. If they leave voluntarily, you lose a valuable asset. If they have to be fired, you have the arduous task of the progressive discipline process and the final termination meeting. But there are other concerns that arise when an employee leaves. Those concerns are security and their access to company data.
Here are some considerations regarding passwords and voluntary termination (A.K.A. resigned) or involuntary termination (A.K.A. fired.) It is important you have a process in place so that whenever a termination occurs, nothing slips through the cracks regarding corporate data security.
When you dismiss an employee, you should immediately change out all passwords for anything the employee had access to. Because almost all terminations should be planned, you should also define the process for canceling access. It is unwise to cancel prior to the termination meeting. If you do that, you create the potential for a confrontation when they arrive at work and find their passwords have been disabled. Instead, plan ahead and assign someone to disable their passwords during the time you are having the termination meeting. Before the meeting, be sure you have a list of all access cards, keys, etc. prepared so they can be cancelled before the employee leaves the building.
Voluntary terminations - Different firms have different policies handling resignations. Depending on the specific position, an employee will be permitted to continue working during their 2 week notice period. In that case, you need to consider if there is any possibility the employee might get up to no good during the final days. That is something only you can judge.
In some cases, firms will ask an employee to leave the facility immediately. In that case, you need to have a plan in place. You need to have a list available of all of the restricted systems to which they have access for when this situation arises. The employee should not leave the building until all of their access has been canceled.
This all may seem a bit harsh, but things have changed. 30 years ago, for a disgruntled employee to steal files, they’d be carrying out large boxes of file folders. Now, not only can they empty the building onto a thumb drive, they can take nefarious action that wasn’t possible when data was stored on paper.
In our last blog we started talking about the different layers of security necessary to fully defend your data and business integrity. Today we will look at the human aspect of it, and network defenses. The human layer refers to the activities that your employees perform. 95% of security incidences involve human error. Ashley Schwartau of The Security Awareness Company says the two biggest mistakes a company can make are “assuming their employees know internal security policies: and “assuming their employees care enough to follow policy”.
Here are some ways Hackers exploit human foibles:
Guessing or brute-force solving passwords
Tricking employees to open compromised emails or visit compromised websites
Tricking employees to divulge sensitive information
For the human layer, you need to:
Enforce mandatory password changes every 30 to 60 days, or after you lose an employee
Train your employees on best practices every 6 months
Provide incentives for security conscious behavior.
Distribute sensitive information on a need to know basis
Require two or more individuals to sign off on any transfers of funds,
Watch for suspicious behavior
The network layer refers to software attacks delivered online. This is by far the most common vector for attacks, affecting 61% of businesses last year. There are many types of malware: some will spy on you, some will siphon off funds, some will lock away your files.
However, they are all transmitted in the same way:
Spam emails or compromised sites
“Drive by” downloads, etc.
To protect against malware
Don’t use business devices on an unsecured network.
Don’t allow foreign devices to access your wifi network.
Use firewalls to protect your network
Make your sure your WiFi network is encrypted.
Use antivirus software and keep it updated. Although it is not the be all, end all of security, it will protect you from the most common viruses and help you to notice irregularities
Use programs that detect suspicious software behavior
The mobile layer refers to the mobile devices used by you and your employees. Security consciousness for mobile devices often lags behind consciousness about security on otherplatforms, which is why there 11.6 million infected devices at any given moment.
There are several common vectors for compromising mobile devices
To protect your mobile devices you can:
Use secure passwords
Use reputable security apps
Enable remote wipe options.
Just as each line of defense would have been useless without an HQ to move forces to where they were needed most, IT defense-in-depth policy needs to have a single person, able to monitor each layer for suspicious activity and respond accordingly.
In the 1930s, France built a trench network called the Maginot Line to rebuff any invasion. The philosophy was simple: if you map out all the places an enemy can attack, and lay down a lot of men and fortifications at those places, you can rebuff any attack. The problem is, you can’t map every possible avenue for attack.
What does this have to do with IT security? Today many business owners install an antivirus program as their Maginot Line and call it a day. However there are many ways to get into a network that circumvent antivirus software.
Hackers are creating viruses faster than antivirus programs can recognise them (about 100,000 new virus types are released daily), and professional cybercriminals will often test their creations against all commercially available platforms before releasing them onto the net.
Even if you had a perfect antivirus program that could detect and stop every single threat, there are many attacks that circumvent antivirus programs entirely. For example, if a hacker can get an employee to click on a compromised email or website, or “brute force guess” a weak password, all the antivirus software in the world won’t help you.
There several vulnerabilities a hacker can target: the physical layer, the human layer, the network layer, and the mobile layer. You need a defense plan that will allow you to quickly notice and respond to breaches at each level.
The physical layer refers to the computers and devices that you have in your office. This is the easiest layer to defend, but is exploited surprisingly often.
Here are a few examples:
Last year 60% of California businesses reported a stolen smartphone and 43% reported losing a tablet with sensitive information.
The breaches perpetrated by Chelsea Manning and Edward Snowden occurred because they were able to access devices with sensitive information.
For example, Comptia left 200 USB devices in front of various public spaces across the country to see if people would pick a strange device and insert into their work or personal computers. 17% fell for it.
For the physical layer, you need to:
Keep all computers and devices under the supervision of an employee or locked away at all times.
Only let authorized employees use your devices
Do not plug in any unknown USB devices.
Destroy obsolete hard drives before throwing them out
Next time in Part II, we will talk about the human and network layers of security.
There are some things that only people can fix. There are many security risks to which your data is susceptible, but there is one method that remains a wonderfully effective hacking tool. That is the phishing scam. This is a legitimate looking email that asks the reader to click on a link. If clicked, the link can infect the user’s computer with malicious software that can steal passwords, logins, and other critical data. Alternatively, the email appears to be from a legitimate source, perhaps even duplicating a legitimate webpage. The distinction is that the phishing email asks the user to enter personal information, including passcodes. In either case, that is how hackers easily get into your systems.
What’s the best defense against this one? The single biggest defense is education. Training your people to be constantly wary of all the emails they receive. One way some firms are educating their people is by sending out their own “fake” phishing scams. Employees who click on the link inside are greeted with a notice that they’ve fallen for a phishing scam and then are offered tips how not to be fooled in the future. Think of it as the hi-tech version of Punk’d.
You may not be ready to go that far, but it is important to provide ongoing training to all of your staff about phishing scams. Your staff are all critical factors in your data security plans.