They're your most
valuable assets. But your employees also pose the greatest
security threat to your company. Whether they're posting company
secrets on Net discussion boards (inadvertently or
deliberately), leaving passwords written down on scraps of paper
by their PCs, or just forgetting to back up critical files, your
people could be the biggest hole in your company's armor.
According to the Internet Security Task Force, as much as 70
percent of business computer-security breaches are internal. And
Cisco's Secure Consulting division found that it could crack an
average of 53 percent of all passwords it obtained by hacking
its customers' networks.

It's up to you to
make sure your employees know that e-mail messages and
discussion board postings live forever: They should never e-mail
or post online any information about your business that's
private or proprietary. Working stiffs have been sued by the
government, by outraged stockholders, and by their employers for
inopportune electronic postings—and it doesn't matter if their
comments about the company are good, bad, or indifferent.

A thornier
problem is user IDs and passwords. Some people at your company
might post this information on sticky notes attached to their
computer monitors. (The sly ones put the notes inside the top
desk drawer.) There's a reason: In many offices, the rules for
passwords are so strict—or employees have so many of them to
memorize—that it's impossible to keep it all in their heads.

Start by letting
employees choose their passwords. Ask them to select two
easy-to-remember words or letter combinations separated by a
number or punctuation mark. Reduce the number of passwords
employees need to get their jobs done. Most important, make
assigning and changing passwords as easy as possible so
employees can refresh them regularly. And of course remind them
they should never give passwords over the phone, even if they
think they're talking to someone in the IT department.

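As an added illustration that is not part of the original article, the Python below checks a password against the two-words-plus-separator rule just described and estimates how much guessing work that scheme actually buys a defender. The separator set, the minimum word length, the dictionary size and the guess rate are assumptions of the example, not figures from the article.

```python
import math
import re

# Constructed separator set (assumption): digits plus common punctuation marks.
SEPARATORS = "0123456789!@#$%^&*()-_=+.,;:?"

# The article's rule: one word, one digit or punctuation mark, one word.
# Minimum word length of 3 letters is an assumption of this example.
_SCHEME = re.compile(r"^[A-Za-z]{3,}[0-9!@#$%^&*()\-_=+.,;:?][A-Za-z]{3,}$")


def matches_scheme(password: str) -> bool:
    """True if the password is two alphabetic words joined by exactly one separator."""
    return _SCHEME.fullmatch(password) is not None


def guess_space_bits(dictionary_size: int, separator_count: int = len(SEPARATORS)) -> float:
    """Bits of work to enumerate word+separator+word, assuming both words are
    drawn from a list of dictionary_size common words (the realistic attacker model,
    since 'easy-to-remember' words come from a small vocabulary)."""
    return math.log2(dictionary_size * dictionary_size * separator_count)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case seconds for an offline guessing run that tries every candidate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    # Constructed sample passwords for the demo.
    for pw in ("river7stone", "riverstone", "Blue!sky"):
        print(f"{pw!r:14} follows the scheme: {matches_scheme(pw)}")
    # Assumed 5,000-word vocabulary and an assumed offline rate of a million guesses/s.
    bits = guess_space_bits(5000)
    print(f"guess space: {bits:.1f} bits, "
          f"exhausted in {seconds_to_exhaust(bits, 1e6) / 60:.1f} minutes at 1e6 guesses/s")
```

The point for a policy writer: memorability alone leaves the space small, so the scheme must be paired with the article's other advice (fewer passwords, easy rotation) and with lockout or rate limits on guessing.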
Dial-up modems on
PCs attached to your network pose another problem. If your
company's server gets slow during high traffic times,
enterprising workers are likely to use built-in modems and dial
up instead. It's the perfect opportunity for crackers to break
into your network, and it's easy for them to do if there's no
personal firewall installed on the break-away computer. The best
way to plug this hole is to ban the use of dial-up connections.
Better yet, don't supply desktop PCs with dial-up modems
installed. It saves you a few bucks and ensures that your
employees don't unwittingly set you up for a break-in.

On Your Guard

The Internet Security Task Force, a consortium formed by Computer Associates, maintains a comprehensive collection of suggestions for companies operating on the Internet (www.ca.com).

Sign up for free newsletters from the System Administration, Networking and Security Institute (www.sans.org) for key cross-platform security warnings and advice.

Additional information for e-commerce protection from the U.S. government: the Federal Computer Incident Response Center (www.fedcirc.gov) and the FBI's National Infrastructure Protection Center (www.nipc.gov).