Corporate insecurity

In 2008 I happened to visit an IT company where every employee carried a certain unhealthy tension. The reason turned out to be simple: mobile phones went into a box at the office entrance, a camera pointed at everyone's back, two more large, conspicuous cameras watched the office, and monitoring software with a keylogger ran on the workstations. And no, this was not a company building SORM or aircraft life-support systems, just a developer of applied business software, since absorbed, crushed and gone (which seems logical). If you are stretching now and thinking that nothing of the kind could exist in your office with hammocks and M&M's in vases, you may be badly mistaken: in the 11 years since, monitoring has learned to be inconspicuous and polite, without showdowns over visited sites and downloaded films.

So is it really impossible to get by without all this? What about trust, loyalty, faith in people? Believe it or not, there are just as many companies with no security tools at all. Yet employees manage to slip up in both kinds, simply because the human factor is capable of destroying worlds, let alone your company. So where exactly can your employees trip up?

This is not a very serious post; it has exactly two functions: to brighten up the workday a bit and to remind you of basic security things that are often forgotten. Oh, and to remind you once more about a classy and secure CRM system. Isn't such software the cutting edge of security? 🙂

Let's go, in random order!

Passwords, passwords, passwords...

Mention them and a wave of indignation rolls in: how can it be, how many times has the world been told, yet nothing changes! In companies of every size, from sole proprietors to multinational corporations, this is a very sore spot. Sometimes it seems to me that if a real Death Star were built tomorrow, its admin panel would have something like admin / admin. So what can you expect from ordinary users, for whom their own VKontakte page is far dearer than a corporate account? Here are the points to check:

  • Writing passwords on scraps of paper, on the back of the keyboard, on the monitor, on the desk under the keyboard, on a sticker on the bottom of the mouse (crazy!): employees should never do this. Not because a terrible hacker will walk in and copy the entire 1C database to a USB stick over lunch, but because there may be a disgruntled Sasha in the office who is about to quit and decides to spoil or take the information on the way out. Why not do it during the next lunch break?

What's this? This thing keeps all my passwords.

  • Setting simple passwords for logging into the PC and work programs. Dates of birth, qwerty123 and even asdf are combinations that belong in jokes and on bashorg, not in the corporate security system. Set requirements for passwords and their length, and set how often they must be changed.

A password is like underwear: change it often, don't share it with friends, longer is better, be mysterious, don't leave it lying around.

  • Default vendor passwords for logging into the program are vicious, if only because almost every employee of the vendor knows them, and if you are dealing with a cloud-hosted web system, getting at the data will not be hard for anyone. Especially if your network security is also at the “don't pull the cord” level.
  • Explain to employees that the operating-system password hint should not look like “my birthday”, “daughter's name”, “Gvoz-dika-78545-ap#1! in English” or “quarts and a one and a zero”.

My cat gives me great passwords! He walks across my keyboard
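
The password complaints above (birthdays, qwerty123, asdf, admin/admin, vendor defaults, too-short passwords) are easy to turn into an automated check at the point where an account is created. Below is an added example, not code from the original post or from RegionSoft's products: a Python policy checker that flags exactly those patterns, and goes a little beyond the post by recognizing a birthday in several digit layouts. The default-credential list and the 12-character minimum are assumptions.

```python
import re
from datetime import date

# Constructed list of vendor/default pairs of the admin/admin kind; a real deployment
# loads the actual defaults of the software it runs. MIN_LENGTH is an assumed policy value.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "root"), ("user", "user")}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 12

def keyboard_walk(pw, run=4):
    """True if pw contains `run` or more adjacent keys from one keyboard row (qwerty, asdf, 1234, or reversed)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False

def _plausible_date(y, mo, d):
    """Accept only real calendar dates in a range a birthday could fall in."""
    try:
        date(y, mo, d)
    except ValueError:
        return False
    return 1900 <= y <= 2100

def looks_like_date(pw):
    """True if a 6- or 8-digit run (separators ignored) reads as DDMMYYYY, MMDDYYYY,
    YYYYMMDD or DDMMYY, i.e. a birthday typed as a password."""
    digits = re.sub(r"[.\-/ ]", "", pw)
    for run in re.findall(r"\d{8}|\d{6}", digits):
        if len(run) == 8:
            layouts = [(run[4:], run[2:4], run[:2]), (run[4:], run[:2], run[2:4]),
                       (run[:4], run[4:6], run[6:])]
        else:
            layouts = [(c + run[4:], run[2:4], run[:2]) for c in ("19", "20")]
        if any(_plausible_date(int(y), int(mo), int(d)) for y, mo, d in layouts):
            return True
    return False

def check_credentials(login, pw):
    """Return the list of policy violations for a login/password pair ([] means acceptable)."""
    low_login, low_pw = login.lower(), pw.lower()
    rules = [
        ((low_login, low_pw) in DEFAULT_CREDENTIALS, "vendor/default credential pair"),
        (len(pw) < MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (bool(low_login) and low_login in low_pw, "contains the login"),
        (keyboard_walk(pw), "keyboard walk (qwerty/asdf/1234 style)"),
        (looks_like_date(pw), "embeds a calendar date"),
    ]
    return [msg for hit, msg in rules if hit]
```

Run it against constructed pairs such as `("admin", "admin")`, `("ivanov", "qwerty123")` or `("ivanov", "12.05.1985")` to see each rule fire; a long random string returns an empty list.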

Physical Access to Records

How is access to accounting and HR documentation (employees' personal files, for example) organized in your company? Let me guess: if it's a small business, folders on the shelves or in a cupboard in the accounting department or the boss's office; if it's a big one, on the shelves in the HR department. But if it is very large, then most likely everything is done right: a separate room or block with a magnetic key, which only certain employees can open, and to get in you have to call one of them and enter in their presence. Such protection is not hard to set up in any business, or at least learn not to write the code for the office safe in chalk on the door or the wall (all based on real events, don't laugh).

Why does it matter? First, workers have a pathological urge to learn each other's secrets: marital status, salaries, medical diagnoses, education and so on. That is compromising material in office rivalry, and the squabbles that erupt when designer Petya learns he earns 20 thousand less than designer Alice are completely beyond your control. Second, the same place gives employees access to the company's financial information (balance sheets, annual reports, contracts). Third, something can simply be lost, damaged or stolen to cover up tracks in someone's own employment history.

The warehouse: one person's loss is another's treasure

If you have a warehouse, count on it: sooner or later you are guaranteed to meet offenders. It is simply the psychology of a person who sees a large quantity of goods and firmly believes that a little bit of a lot is not theft but sharing. And one unit from that heap can cost 200 thousand, or 300 thousand, or several million. Unfortunately, nothing stops theft except pedantic, total control and accounting: cameras, receiving and write-off by barcode, automated warehouse accounting (in our RegionSoft CRM, for example, warehouse accounting is organized so that the director and the manager can see the movement of goods in the warehouse in real time).

So arm your warehouse to the teeth: ensure physical security against the external enemy and complete security against the internal one. Employees in transport, logistics and the warehouse should be clearly aware that control exists, that it works, and that if they cross the line they will only be punishing themselves.

Keep your hands off the infrastructure, you *astards

The story about the server room and the cleaning lady has outlived itself and long since migrated into the folklore of other industries (the same tale has been told about the mysterious shutdown of a ventilator in a hospital ward), but the rest remain reality. Network and IT security in small and medium-sized businesses leaves much to be desired, and this often has little to do with whether you have your own system administrator or a contracted one. The latter is often even better.

So what are employees capable of here?

  • The sweetest and most harmless: wandering into the server room to pull wires, have a look, spill tea, track in dirt or try to set something up themselves. This especially applies to “confident, advanced users” who heroically teach colleagues how to switch off the antivirus and bypass protection on a PC and are sure they are born gods of the server room. In short, restricted, authorized access is everything.
  • Theft of equipment and swapping of components. Do you love your company and have put powerful video cards in every machine so that billing, CRM and everything else run perfectly? Great! Only cunning guys (and sometimes girls) will happily swap them for their home cards and run games on the new office model at home, and no one will be the wiser. Same story with keyboards, mice, coolers, UPSs and anything else in the hardware configuration that can somehow be replaced. As a result you carry the risk of damage to or total loss of property, and at the same time you don't get the speed and quality of work with your information systems and applications that you paid for. What saves you is a monitoring (ITSM) system with configuration control set up, backed by an incorruptible and principled system administrator.

Maybe you should look for a better security system? I'm not sure this sign is enough.

  • Personal modems, access points and some shared Wi-Fi make access to files less secure and almost uncontrollable, which attackers can exploit (including in collusion with employees). Besides, an employee “with his own Internet” is far more likely to spend working hours on YouTube, humor sites and social networks.
  • Shared logins and passwords for the site admin panel, CMS and application software are a terrible thing: they turn an inept or malicious employee into an elusive avenger. If five people on the same subnet log in under one login/password to hang a banner, check ad links and metrics, fix the layout and upload an update, you will never work out which of them accidentally turned the CSS into a pumpkin. Therefore: separate logins, separate passwords, action logging and differentiated access rights.
  • Is it even worth mentioning unlicensed software that employees drag onto their PCs to edit a couple of photos during working hours or tinker with some hobby project? Haven't you heard of an inspection by Department “K” of the Central Internal Affairs Directorate? Then it is coming to you!
  • The antivirus must be running. Yes, some of them slow down the PC, annoy you and generally seem like a sign of cowardice, but it's better to prevent than to pay later with downtime or, worse, with stolen data.
  • Operating-system warnings about the risks of installing an application should not be ignored. Today downloading something for work takes seconds or minutes: Direct.Commander or AdWords Editor, some SEO parser and so on. Yandex and Google products are more or less clear, but then come yet another pic resizer, a free virus cleaner, a video editor with three effects, screenshot tools, Skype recorders and other “tiny programs” that can harm both an individual PC and the whole company network. Teach users to read what the computer is asking of them before they call the sysadmin to say “everything is dead”. Some companies solve this simply: a collection of downloaded useful utilities sits on the network share, along with a posted list of acceptable online tools.
  • A BYOD policy or, conversely, a policy allowing work equipment to be used outside the office is a very nasty side of security. Relatives, friends, children, unsecured public networks and so on then get access to the equipment. It is pure Russian roulette: you may carry on for 5 years and get away with it, or lose or ruin every document and valuable file. And if the employee has malicious intent, “roaming” equipment makes leaking data as easy as sending two bytes. Remember too that employees often shuttle files between their personal computers, which again opens security loopholes.
  • Locking devices when you step away is a good habit in both the corporate and the personal arena. Again, it protects against curious colleagues, acquaintances and intruders in public places. It is hard to get used to, but at one of my places of work I had a wonderful experience: colleagues would walk up to an unlocked PC, open Paint full-screen with the caption “Lock the computer!” and change something in the work, for example demolish the last uploaded build or delete the last logged bug (this was a testing group). Cruel, but once or twice was enough even for the most wooden. Although I suspect non-IT people may not get that kind of humor.
  • But the worst sin, of course, lies with the system administrator and management, when they flatly refuse to use systems for controlling traffic, equipment, licenses and so on.

This, of course, is only the baseline, because IT infrastructure is exactly the place where the deeper into the forest, the more firewood. Everyone should have this baseline, and it should not be replaced by the words “we all trust each other”, “we're a family”, “who would even want it”; alas, that only holds until it doesn't.

This is the Internet, baby: they can find out a lot about you

It is time to add safe Internet use to the school life-safety curriculum, and this is not at all about the measures imposed on us from outside. It is about the ability to tell one link from another, to recognize phishing and scams, not to open attachments of emails with the subject “Reconciliation Act” from an unfamiliar address without thinking, and so on. Though it seems schoolchildren have already mastered all this; employees have not. There are plenty of tricks and mistakes that can put the whole company at risk at once.

  • Social networks are a part of the Internet that has no place at work, but blocking them company-wide in 2019 is an unpopular and demotivating measure. So you simply have to write to all employees explaining how to check links for malice, describe the types of fraud and ask them to work while at work.

  • Mail is a sore point and perhaps the most popular way to steal information, plant malware and infect a PC and the whole network. Alas, many employers treat the mail client as a place to save money and use free services that let through 200 spam emails a day, which crawl past the filters and so on. And certain irresponsible persons open such letters, attachments, links and pictures, apparently hoping that a Nigerian prince has left them an inheritance. After that the admin has a lot of work. Or was that the intent? By the way, another cruel story: in one company the system administrator's KPI was docked for every spam letter that got through. A month later there was no spam; the parent organization adopted the practice, and there is still no spam. We solved the issue gracefully: we developed our own mail client and built it into our RegionSoft CRM, so all our clients get this convenient feature too.

The next time you receive a strange email with a paperclip, don't click on it!

  • Messengers are also a source of all kinds of unsafe links, but a much lesser evil than mail (not counting the time wasted chattering in chats).

These all seem like small things. But each of them can have disastrous consequences, especially if your company is the target of a competitor's attack. And that can literally happen to anyone.

Chatty employees

This is the very human factor you will struggle to get rid of. Employees discuss work in the hallway, in a cafe, on the street, talk loudly about one client while at another, talk about work achievements and projects at home. Of course, the chance that a competitor is standing behind you is negligible (unless you share a business center; that has happened), but the chance that a guy loudly laying out company business gets filmed on a smartphone and posted on YouTube is, oddly, higher. But that is small stuff too. What isn't small stuff is when your employees willingly present information about a product or the company at trainings, conferences, meetups, professional forums, or at least on Habr. Moreover, people often deliberately draw a competitor into such conversations to conduct competitive intelligence.

An illustrative story. At one IT conference of galactic scale, a track speaker put on a slide the complete layout of a large company's (top-20) IT infrastructure. The diagram was mega-impressive, simply cosmic; almost everyone photographed it, and it instantly flew across social networks with rave reviews. Then the speaker hunted down those who had posted it via geotags, booths and social networks and begged them to delete it, because he had been called pretty quickly and given a slap on the wrist. A chatterbox is a godsend for a spy.

Ignorance… excuses from punishment

According to Kaspersky Lab's 2017 Global Report, among businesses that experienced cybersecurity incidents over a 12-month period, one of the ten most serious incident types (11%) was caused by careless and uninformed employees.

Don't assume employees know everything about corporate security measures: warn them, provide training, send interesting periodic mailings on security topics, hold pizza meetings and go over the issues again. And yes, a cool life hack: label all printed and electronic information with colors, signs and inscriptions: trade secret, secret, for official use, public. It really works.

The modern world has put companies in a very delicate position: they have to strike a balance between an employee's wish not only to toil at work but also to take in entertainment in the background or during breaks, and strict corporate security rules. If you switch on hypercontrol, moronic tracking programs (yes, not a typo: that isn't security, that's paranoia) and cameras behind people's backs, employees' trust in the company will fall, and maintaining trust is also a corporate security tool.

So know when to stop, respect your employees, make backups. And most importantly, put security first, not personal paranoia.

If you need a CRM or ERP, take a closer look at our products and compare their capabilities with your goals and objectives. If you have any questions or difficulties, write or call and we will arrange an individual online presentation for you, without ratings or bells and whistles.

Our Telegram channel, where, without advertising, we write not-quite-formal things about CRM and business.

Source: habr.com