Viewing entries in
Managed Services

You’re Fired! Now Give Me Your Password

You’re Fired! Now Give Me Your Password

Losing an employee is not usually a good experience. If they leave voluntarily, you lose a valuable asset. If they have to be fired, you have the arduous task of the progressive discipline process and the final termination meeting. But there are other concerns that arise when an employee leaves. Those concerns are security and their access to company data.

Here are some considerations regarding passwords and voluntary termination (A.K.A. resigned) or involuntary termination (A.K.A. fired.) It is important you have a process in place so that whenever a termination occurs, nothing slips through the cracks regarding corporate data security.

  1. When you dismiss an employee, you should immediately change out all passwords for anything the employee had access to. Because almost all terminations should be planned, you should also define the process for canceling access. It is unwise to cancel prior to the termination meeting. If you do that, you create the potential for a confrontation when they arrive at work and find their passwords have been disabled. Instead, plan ahead and assign someone to disable their passwords during the time you are having the termination meeting. Before the meeting, be sure you have a list of all access cards, keys, etc. prepared so they can be cancelled before the employee leaves the building.
  2. Voluntary terminations ­- Different firms have different policies handling resignations. Depending on the specific position, an employee will be permitted to continue working during their 2 week notice period. In that case, you need to consider if there is any possibility the employee might get up to no good during the final days. That is something only you can judge.

In some cases, firms will ask an employee to leave the facility immediately. In that case, you need to have a plan in place. You need to have a list available of all of the restricted systems to which they have access for when this situation arises. The employee should not leave the building until all of their access has been canceled.

This all may seem a bit harsh, but things have changed. 30 years ago, for a disgruntled employee to steal files, they’d be carrying out large boxes of file folders. Now, not only can they empty the building onto a thumb drive, they can take nefarious action that wasn’t possible when data was stored on paper.

IT Defense In Depth Part I

IT Defense In Depth Part I

In the 1930s, France built a trench network called the Maginot Line to rebuff any invasion. The philosophy was simple: if you map out all the places an enemy can attack, and lay down a lot of men and fortifications at those places, you can rebuff any attack. The problem is, you can’t map every possible avenue for attack.

What does this have to do with IT security? Today many business owners install an antivirus program as their Maginot Line and call it a day. However there are many ways to get into a network that circumvent antivirus software.

Hackers are creating viruses faster than antivirus programs can recognise them (about 100,000 new virus types are released daily), and professional cybercriminals will often test their creations against all commercially available platforms before releasing them onto the net.

Even if you had a perfect anti­virus program that could detect and stop every single threat, there are many attacks that circumvent anti­virus programs entirely. For example, if a hacker can get an employee to click on a compromised email or website, or “brute force guess” a weak password, all the antivirus software in the world won’t help you.

There several vulnerabilities a hacker can target: the physical layer, the human layer, the network layer, and the mobile layer. You need a defense plan that will allow you to quickly notice and respond to breaches at each level.

The physical layer refers to the computers and devices that you have in your office. This is the easiest layer to defend, but is exploited surprisingly often.

Here are a few examples:

  • Last year 60% of California businesses reported a stolen smartphone and 43% reported losing a tablet with sensitive information.
  • The breaches perpetrated by Chelsea Manning and Edward Snowden occurred because they were able to access devices with sensitive information.
  • For example, CompTIA (https://www.comptia.org) left 200 USB devices in front of various public spaces across the country to see if people would pick a strange device and insert into their work or personal computers. 17% fell for it.

For the physical layer, you need to:

  • Keep all computers and devices under the supervision of an employee or locked away at all times.
  • Only let authorized employees use your devices
  • Do not plug in any unknown USB devices.
  • Destroy obsolete hard drives before throwing them out

Next time in Part II, we will talk about the human and network layers of security.

95% of all Security Incidents Involve Human Error

95% of all Security Incidents Involve Human Error

Ashley Schwartau of The Security Awareness Company says the two biggest mistakes a company can make are "assuming their employees know internal security policies" and "assuming their employees care enough to follow policy."

To avoid falling into these traps, you must: a) Have a plan, b) Educate users about your plan, and c) Make them care about procedures.

To give a quick summary, you need to have a defense plan for each of the layers that a hacker can attack: the physical layer (i.e. you need policies to ensure that only authorized personnel can access your devices), the network layer (i.e. make sure that only authorised devices access your network, and your devices only access authorized networks), and the human layer (i.e. you should make your employees practice good password hygiene, and are aware of security threats).

You should train employees on your security and disaster recovery policies at least twice year, and your IT person should keep your employees up-to-date on security issues on a weekly basis. Make sure that they understand the risks of a breach.

Most importantly you need to create a "culture of security," where employees go beyond the minimum guidelines laid down by your IT staff and always ask "is this good security sense" for every action they take. You need to have clearly defined penalties for those who practice bad security, and reward those who display good security sense.