
Guy Bunker

Clearswift

SVP Products


Top 10 security reminders for the post-summer period


Now that we are firmly into autumn and back to normal, it’s time to review your company’s cyber security practices after the summer break. Although a lot of people have returned to the office, in today’s 24/7 connected world most people were still checking email and in work mode from their sun loungers. A recent survey of 1200 managers by the Institute of Leadership & Management revealed that over half (54%) felt compelled to work while on annual leave, with nearly three quarters (71%) reading and responding to emails and nearly a third (31%) taking phone calls. The blurring of work and life on holiday, particularly with the emergence of BYOD, means that there need to be regular reminders as to why information needs to be protected and the consequences of not doing so correctly.

Educating employees…

1. Hold a company security workshop to remind employees of security policies at work, concerning both company devices and work devices. For those that can’t attend, ensure that a clear and precise internal note is displayed, with the correct procedures. Try to build a culture which cares about information and its security.

2. For employees who are now used to changing between office devices and personal devices for work use, it’s important to implement passwords for access to the device.

3. Use encryption to protect data where possible.

4. Educate your staff about the pros and cons of their devices and the risks of BYOD to the organization and its data; educate staff on best practice.

5. It’s important employees are aware that company documents should not be transferred to personal devices and that this could be a breach of policy. If BYOD is permitted in a company, then it’s important that those personal devices are kept out of reach and secure from non-employees. The most common ‘denial of service’ attack on BYOD devices (where hackers attempt to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet) is children trying to guess the password for the device… which results in it wiping itself!

6. Draw up a list of smartphone and tablet apps that are good and bad for work. Explain why the ones that are ‘bad’ are not so good; for example, automatic backing up of data to ‘the cloud’ could result in an organisational data leak from ‘the cloud’.

Company changes…

1. Have a remote wipe capability in place if possible for all mobile devices, and/or set the device policy to wipe the data after a number of failed password entry attempts. Ensure there is a well-known process around dealing with lost devices – and that employees know who to go to should the event occur. Ensure there is a policy and a process to deal with removing corporate information from BYOD systems when an employee leaves.

2. Make your IT department open and available to employees who want help with their own devices (BYOD) as well as their work devices.

3. If allowing BYOD, ensure that there are policies in place governing areas such as lost or broken devices. (You don’t want key workers unable to work because their device has failed or has been lost.)

4. While information security policies must be written and communicated, they also need to be enforced. When reviewing policies, review enforcement solutions as well. Are there changes needed? For example, there are increasing requirements for email encryption and for Data Loss Prevention (DLP) – does your current solution meet your needs, or do you need to consider augmenting or replacing it?
