Now that we’ve realized that the weakest part of our cyber security defense is the end user, what to do? Phishing testing, certainly. Training videos and meetings. But wait, there’s more!
Most organizations have an Appropriate Use Policy that is presented to employees at onboarding and is usually kept close at hand for reference. Some organizations have employees sign that they have read it and will comply. In any case, onboarding is a great teachable moment: new hires are still trying to figure out what to do (and they still want to please you).
This is a great place to educate them about good security practices. It also doesn’t hurt that it’s the organization’s policy, blessed by top management.
This is also the best place to state that any content stored or processed on the organization's IT systems is the organization's property and that users have no expectation of privacy on those systems (within whatever limits local employment and privacy law impose). That matters not only when issues of inappropriate content arise; it also authorizes IT to access, isolate or reimage any user's system when necessary, such as to contain malware or to remove it.
Many security procedures can go into the policy as well, but here I'm only going to cover three: mobile device practices, email, and password protection. Maybe I'll do another post on more practices, but life is short.
Mobile device practices:
1. PIN or password-protect your mobile device. This is obvious, but it's amazing how many people don't do it until they're told.
2. Use as strong a PIN or password as the device allows; a long alphanumeric passcode is far better than a four-digit PIN.
3. Encrypt the device. iPhones are encrypted automatically once a passcode is set. Recent Android versions encrypt by default as well; on older devices you must turn it on manually under something like Settings > Security > Encrypt phone.
4. Turn off Bluetooth, Wi-Fi, and GPS when not in use and use only trusted Wi-Fi connections.
5. Update the operating system and apps as soon as possible to get up-to-date security patches.
6. Report lost or stolen mobile devices immediately.
7. Organizational applications and data will be removed from the device at offboarding.
Email:
1. Always exercise caution when writing email from an organizational account. (A basic rule of thumb is never to say anything in email that you would be embarrassed to see on the front page of the New York Times or on Fox News.)
2. Confirm the identity of the sender before opening attachments or clicking links in a message; a familiar display name is not proof of who actually sent it.
3. Do not send personally identifiable information (PII) through email.
4. Never release confidential information, funds or other valuable assets on the strength of an email or telephone request alone; verify the request through a known, independent channel first.
Password protection:
1. Do not share passwords with anyone, including administrative assistants, secretaries, managers, co-workers covering for you while you are on vacation, and family members.
2. All passwords are to be treated as confidential organization information.
3. Passwords must not be inserted into email messages or other forms of electronic communication.
4. Passwords must not be revealed over the phone to anyone.
5. Do not reveal a password on questionnaires or security forms.
6. Do not hint at the format of a password (for example, “my family name”).
7. Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on a computer system or mobile device (phone, tablet) without encryption.
8. Do not use the "Remember Password" feature of applications (for example, web browsers); store passwords in a password manager instead (see item 10).
9. Any user suspecting that their password may have been compromised must report the incident and change all passwords.
10. The use of an organization-approved password manager (e.g. LastPass, Dashlane, RoboForm) is recommended.
I deliberately did not include language about password creation or password change. These should be in the Appropriate Use Policy, but the procedures are in transition now, so plug in your own. In general, the trend (the direction NIST SP 800-63B takes) is toward longer but more memorable passphrases, multi-factor authentication, and changing passwords only when there is reason to think they have been compromised rather than on a fixed schedule.
I realize that rewriting the Appropriate Use Policy is about as popular as documenting your code, painting your house, or getting your middle-schooler to do chores. Trust me, however, it’s worth it.