Corporate insecurity

    In 2008 I happened to visit an IT company. An unhealthy tension could be read on every employee. The reason was simple: mobile phones went into a box at the entrance to the office, a camera hung behind it, two more large cameras "looked" over the office, and the PCs ran monitoring software with a keylogger. And no, this was not a company developing SORM or aircraft life-support systems, just a developer of business application software, since absorbed, crushed and no longer existing (which seems logical). If you just leaned back and thought that your office with hammocks and M&Ms in vases certainly has nothing of the sort, you may be very mistaken: in the 11 years since, control has simply learned to be invisible and polite, without dissecting the sites you visit and the movies you download.

    So is it really impossible to do without all this? What about trust, loyalty, faith in people? Believe it or not, there are no fewer companies without any security. But employees manage to mess up in both kinds of company, simply because the human factor is capable of destroying worlds, let alone your company. So where can your employees slip up? This is not a very serious post, and it has exactly two functions: to brighten up the workday a little and to remind you of the basic things in security that are so often forgotten. And, well, to remind you once again of a cool and secure CRM system: isn't such software a security edge too? :-) We're going in random order!

    Passwords, passwords, passwords ...

    Talk about them and a wave of indignation rises: how can it be, how many times has the world been told, and things are still where they were! In companies of every size, from sole proprietors to transnational corporations, this is a very sore spot. It sometimes seems to me that if a real Death Star were built tomorrow, its admin panel would have something like admin / admin. So what can you expect from ordinary users, to whom their own VKontakte page is far dearer than the corporate accounting? Here are the points to check:

    • Writing passwords on pieces of paper, on the back of the keyboard, on the monitor, on the desk under the keyboard, on a sticker on the bottom of the mouse (quirky!): employees should never do this. And not because a terrible hacker will walk in and copy the whole 1C database to a USB stick during lunch, but because Sasha from the next office may be holding a grudge, about to quit and wanting to do some harm or pick up some information on the way out. Why not over a regular lunch?

    What's that? This thing stores all my passwords.

    • Setting simple passwords for logging into the PC and work programs. Dates of birth, qwerty123 and even asdf are combinations that belong in jokes and on bashorg, not in a corporate security system. Set requirements for password composition and length, and set how often passwords must be replaced.

    A password is like underwear: change it often, don't share it with friends, longer is better, be mysterious, and don't leave it lying around everywhere.

    • The vendor's default passwords for logging into the program are flawed, if only because almost all of the vendor's employees know them, and if you are dealing with a web-based system in the cloud, it will not be difficult for anyone to get at the data. Especially if your network security is at the level of "don't pull out the cord."
    • Explain to employees that the password hint in the operating system should not look like "my birthday", "daughter's name", "Gvoz-dika-78545-up#1! in the English layout" or "qwerty and a one with a zero".

    My cat gives me great passwords! He walks on my keyboard.
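    One way to turn the password points above into something enforceable, as an added example (not code from the post or from RegionSoft): a small Python checker that flags the exact kinds of passwords and hints the list names (birth dates, qwerty123, asdf, a hint that is the password in another layout, a hint that says "my birthday"), plus a rotation check for the replacement frequency. The denylist, the hint keyword list and the 90-day default are constructed for the illustration.

```python
import re
from datetime import date

# Constructed denylist of the kinds of passwords the post names; a real
# deployment would load a large list of leaked and common passwords.
COMMON_PASSWORDS = {"admin", "password", "qwerty", "qwerty123", "asdf", "123456"}

# Date-like strings such as 01011990, 01.01.1990 or 1990-01-01
DATE_RE = re.compile(
    r"\d{2}[./-]?\d{2}[./-]?(?:19|20)\d{2}|(?:19|20)\d{2}[./-]?\d{2}[./-]?\d{2}"
)

# Words in a hint that point straight at guessable personal data (constructed list)
HINT_KEYWORDS = ("birthday", "date of birth", "name", "cat", "dog", "phone")


def hint_leaks_password(hint, password, window=6):
    """True if any 6-character slice of the password appears in the hint."""
    h, p = hint.lower(), password.lower()
    return any(p[i:i + window] in h for i in range(len(p) - window + 1))


def password_problems(password, hint="", personal=(), min_length=12):
    """Return a list of policy violations; an empty list means 'acceptable'."""
    problems = []
    low = password.lower()
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # Strip a trailing "123" or "!" so that qwerty123 is still caught
    if low in COMMON_PASSWORDS or low.rstrip("0123456789!") in COMMON_PASSWORDS:
        problems.append("common or dictionary password")
    if DATE_RE.search(password):
        problems.append("contains a date (a birthday?)")
    for item in personal:
        if item and item.lower() in low:
            problems.append(f"contains personal data: {item}")
    classes = sum(bool(re.search(pat, password))
                  for pat in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    if hint:
        if hint_leaks_password(hint, password):
            problems.append("hint reveals the password")
        if any(word in hint.lower() for word in HINT_KEYWORDS):
            problems.append("hint points at guessable personal data")
    return problems


def rotation_due(last_changed_iso, today_iso, max_age_days=90):
    """Replacement-frequency check on ISO dates; 90 days is a constructed policy value."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    samples = (("qwerty123", ""),
               ("01011990", "my birthday"),
               ("Gvoz-dika-78545-up#1!", "Gvoz-dika-78545-up#1! in the English layout"),
               ("Correct-Horse-Battery-42", "favorite xkcd"))
    for pw, hint in samples:
        print(pw, "->", password_problems(pw, hint) or "ok")
    print("rotation due:", rotation_due("2019-01-01", "2019-06-01"))
```

    The hint check is the part most password policies skip: it catches both a hint that literally contains the password and one that names a birthday or a pet. Note that current NIST SP 800-63B guidance no longer asks for calendar-based rotation, only for a change when compromise is suspected; the rotation function follows the post's advice, with the threshold left configurable.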

    Physical access to the business

    How is access to accounting and personnel documentation (for example, employees' personal files) organized in your company? Let me guess: in a small business, in folders on shelves or in a cupboard in the accounting department or the boss's office; in a large one, on shelves in the HR department. But if it is very large, then most likely everything is done properly: a separate office or block with a magnetic key, which only specific employees can open, and to get in you have to call one of them and go to this node in their presence. There is nothing complicated about setting up such protection in any business, or at least about learning not to write the combination of the office safe in chalk on the door or the wall (all based on real events, don't laugh).

    Why does it matter? Firstly, workers have a pathological craving to learn the most secret things about each other: marital status, salaries, medical diagnoses, education and so on. This is the compromising material of office competition. And you will not be at all happy with the squabbles that arise when designer Petya finds out that he gets 20 thousand less than designer Alice. Secondly, in the same place employees can get access to the company's financial information (balance sheets, annual reports, contracts). Thirdly, something elementary can be lost, damaged or stolen to cover up tracks in someone's own employment history.

    The warehouse: one person's loss is another's treasure

    If you have a warehouse, consider it guaranteed that sooner or later you will run into offenders, simply because that is the psychology of a person who sees a large volume of goods and firmly believes that taking a little from a lot is not theft but sharing. One unit of goods from that heap can cost 200 thousand, or 300 thousand, or several million. Unfortunately, theft cannot be stopped by anything other than pedantic and total control and accounting: cameras, receiving and writing off by barcode, automated inventory accounting (for example, in our RegionSoft CRM, inventory accounting is organized so that the manager and supervisor can see the movement of goods in stock in real time).

    So arm your warehouse to the teeth, ensure physical security against the external enemy and complete security against the internal one. Employees in transport, logistics and the warehouse must clearly understand that control exists, that it works, and that they would only be punishing themselves.

    *uki, keep your hands off the infrastructure

    If the story about the server room and the cleaning lady has outlived itself and long since migrated into the folklore of other industries (the same story, for example, circulated about a mysterious shutdown of the mechanical ventilation in the same room), the rest remain reality. Network and IT security in small and medium-sized businesses leaves much to be desired, and this often does not depend on whether you have an in-house system administrator or a contracted one. The latter often does even better.

    So what are the employees here capable of?

    • The sweetest and most harmless thing is to go into the server room, pull wires, have a look, spill tea, bring in dirt or try to configure something themselves. This is especially true of "confident and advanced users" who heroically teach their colleagues to disable the antivirus and bypass the protection on a PC, and are sure they were born server gods. In short, authorized, limited access is everything.
    • Theft of equipment and substitution of components. Do you love your company and put powerful video cards in every PC so that billing, CRM and everything else run perfectly? Excellent! Only the cunning guys (and sometimes girls) can easily swap them for their home ones and play games at home on a brand-new office model, and no one will notice. The same story with keyboards, mice, coolers, UPSs and everything else that can be swapped within the hardware configuration. As a result, you bear the risk of property damage or complete loss, and at the same time you do not get the expected speed and quality of work from your information systems and applications. What saves you is a monitoring system (an ITSM system with configuration control set up), bundled with an incorruptible and principled system administrator.

    Maybe you should look for a better security system? Not sure this sign is enough.

    • Using personal modems, access points or some kind of shared Wi-Fi makes access to files less secure and almost uncontrollable, which attackers can take advantage of (including by conspiring with employees). And besides, the likelihood that an employee "with his own Internet" will sit out working hours on YouTube, humor sites and social networks is much higher.
    • Shared logins and passwords for access to the site admin panel, CMS and application software are terrible things that turn an inept or malicious employee into an elusive avenger. If you have 5 people from the same subnet with the same username / password, and they went in to hang a banner, check advertising links and metrics, fix the layout and upload an update, you will never guess which of them accidentally turned the CSS into a pumpkin. Therefore: different logins, different passwords, logging of actions and differentiation of access rights.
    • Is it even worth talking about the unlicensed software that employees drag onto their PCs to edit a couple of photos during working hours or to make something for a hobby? Haven't heard of an inspection by Department "K" of the Central Internal Affairs Directorate? Then they are coming to you!
    • The antivirus should be running. Yes, some of them can slow down the PC, annoy you and generally seem like a sign of cowardice, but it is better to prevent than to pay with downtime or, worse, stolen data.
    • Operating system warnings about the danger of installing an application should not be ignored. Today, downloading something for work is a matter of seconds or minutes: Direct.Commander or AdWords Editor, for example, some SEO parser, and so on. If everything is more or less clear with Yandex and Google products, then there is also another picresizer, a free virus cleaner, a video editor with three effects, screenshot tools, Skype recorders and other "tiny programs" that can harm both an individual PC and the entire company network. Encourage users to read what the computer wants from them before they call the system administrator and say that "everything is dead". In some companies the issue is solved simply: a set of useful, already downloaded utilities lies on a network share, and a list of suitable online tools is posted there too.
    • A BYOD policy or, conversely, a policy of allowing work equipment to be used outside the office is a very evil side of security. In this case relatives, friends, children, unprotected public networks and so on have access to the equipment. This is pure Russian roulette: you can walk around and manage for 5 years, or you can lose or ruin all your documents and valuable files. And besides, if an employee has malicious intent, leaking data via "traveling" equipment is trivially easy. You also need to remember that employees often transfer files between their personal computers, which again can create security loopholes.
    • Locking devices while away is a good habit in both the corporate and the personal sphere. Again, it protects from curious colleagues, acquaintances and intruders in public places. It's hard to get into the habit, but at one of my places of work I had a wonderful experience: colleagues would walk up to an unlocked PC, open Paint across the whole screen with the caption "Lost comp!" and change something in the work, for example remove the last uploaded build or delete the last filed bug (it was a testing group). Cruel, but 1-2 times is enough even for the dense ones. Although, I suspect, non-IT professionals may not understand such humor.
    • But the worst sin, of course, lies with the system administrator and management, in the event that they categorically refuse to use systems for controlling traffic, equipment, licenses and so on.
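    The point about shared logins (different logins, different passwords, logging of actions, differentiation of access rights) in code, as an added example that is not from the post and does not model any real admin panel or CMS: a minimal Python admin-panel back end with one account per person, salted PBKDF2 password hashes, role-based permissions and an append-only audit trail, so that the question "who turned the CSS into a pumpkin?" has an answer even when everyone sits on the same subnet. The roles, the logins and the 10.0.0.15 address are constructed.

```python
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timezone

# Constructed role model for a small web team (an illustration only)
ROLE_PERMISSIONS = {
    "marketer": {"banner:edit", "ads:check", "metrics:view"},
    "frontend": {"layout:edit", "css:edit"},
    "editor": {"content:update"},
    "admin": {"banner:edit", "ads:check", "metrics:view", "layout:edit",
              "css:edit", "content:update", "user:manage"},
}


class AdminPanel:
    """Per-person logins, role-based permissions and an audit trail."""

    def __init__(self):
        self._users = {}     # login -> {"salt", "hash", "role"}
        self._sessions = {}  # session token -> login
        self.audit = []      # append-only list of audit events

    @staticmethod
    def _hash(password, salt):
        # PBKDF2-HMAC-SHA256 with a per-user salt: no two users share a hash
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def add_user(self, login, password, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        if login in self._users:
            raise ValueError("one person, one account: logins must be unique")
        salt = os.urandom(16)
        self._users[login] = {"salt": salt, "hash": self._hash(password, salt),
                              "role": role}

    def _log(self, login, src_ip, action, target, outcome):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "login": login, "src_ip": src_ip,
            "action": action, "target": target, "outcome": outcome,
        })

    def login(self, login, password, src_ip):
        """Return a session token, or None; every attempt is logged."""
        user = self._users.get(login)
        ok = user is not None and hmac.compare_digest(
            self._hash(password, user["salt"]), user["hash"])
        self._log(login, src_ip, "login", "-", "success" if ok else "failure")
        if not ok:
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = login
        return token

    def perform(self, token, action, target, src_ip):
        """Allow the action only if the session's role grants it; log either way."""
        login = self._sessions.get(token)
        if login is None:
            self._log("?", src_ip, action, target, "denied:no-session")
            return False
        role = self._users[login]["role"]
        if action not in ROLE_PERMISSIONS[role]:
            self._log(login, src_ip, action, target, "denied:no-permission")
            return False
        self._log(login, src_ip, action, target, "success")
        return True

    def who_touched(self, target):
        """Answer 'who changed this?' from the audit trail, in order."""
        return [(e["login"], e["action"], e["outcome"])
                for e in self.audit if e["target"] == target]


def demo():
    """Two people on the same subnet, each with their own account and role."""
    panel = AdminPanel()
    panel.add_user("petya", "Petya-Layout-2019!", "frontend")
    panel.add_user("alice", "Banners-Are-Fun-7", "marketer")
    ip = "10.0.0.15"  # constructed: the shared office subnet address
    t_alice = panel.login("alice", "Banners-Are-Fun-7", ip)
    t_petya = panel.login("petya", "Petya-Layout-2019!", ip)
    panel.perform(t_alice, "banner:edit", "homepage-banner", ip)  # allowed
    panel.perform(t_alice, "css:edit", "main.css", ip)            # marketer: denied
    panel.perform(t_petya, "css:edit", "main.css", ip)            # frontend: allowed
    return panel


if __name__ == "__main__":
    for event in demo().audit:
        print(event)
```

    With a shared admin/admin account every line of this log would read the same; with one account per person the source IP stops mattering and the audit trail itself tells you whose hands were on main.css.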

    This, of course, is the baseline, because IT infrastructure is exactly the place where, as the saying goes, the further into the forest, the more firewood. And everyone should have this baseline, rather than replacing it with the words "we all trust each other", "we are a family", "who would even need it": alas, that only holds for the time being.

    This is the Internet, baby, they can know a lot about you

    It is time to add safe Internet use to the life-safety courses at school, and this is not at all about the measures we are immersed in from the outside. This is about the ability to tell one link from another, to understand where there is phishing and where a scam, not to open attachments with the subject "Verification Act" from an unfamiliar address without thinking, and so on. Although, it seems, the schoolchildren have already mastered all this, but the employees have not. There are tons of tricks and mistakes that can put the whole company at risk at once.

    • Social networks are a part of the Internet that has no place at work, but blocking them at the company level in 2019 is an unpopular and demotivating measure. So you simply need to write to all employees about how to check a link for legitimacy, talk about the kinds of fraud, and ask them to work at work.

    • Mail is a sore spot and perhaps the most popular way to steal information, plant malware and infect a PC and the entire network. Alas, many employers consider the mail client an item to save on and use free services that let 200 spam emails a day through the filters, and so on. And some irresponsible persons open such letters, attachments, links and pictures; apparently they hope a Nigerian prince has left them an inheritance. After which the administrator has a lot of work. Or was that the intention? By the way, another cruel story: in one company the system administrator's KPI was docked for every spam email. In short, after a month there was no spam; the practice was adopted by the parent organization, and there is still no spam. We solved this issue gracefully: we developed our own mail client and built it into our own RegionSoft CRM, so all our customers get this convenient feature too.

    Next time you receive a strange letter with a paperclip, don't click on it!

    • Messengers are also a source of all kinds of insecure links, but this is a much lesser evil than mail (not counting the time killed chattering in chat rooms).
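    The mail point above, as an added example (not the post's code and not RegionSoft's mail client): a Python triage routine built on the standard library's email package that scores an incoming message the way a mail gateway or a helpdesk script might before a user ever sees the paperclip. It flags "Verification Act"-style lure subjects from unknown senders, executable and double-extension attachments, archives and macro documents from outside, and a Reply-To that points at a different domain. The internal domain, the extension and lure lists and both sample messages are constructed for the illustration.

```python
import email
import os
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed: the company's own mail domain; any other sender is "external"
INTERNAL_DOMAINS = {"regionsoft-example.test"}
# Attachment types that should never arrive from outside
BLOCK_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".jar", ".lnk"}
# Types worth a second look when the sender is unknown
REVIEW_EXT = {".docm", ".xlsm", ".zip", ".rar", ".7z", ".iso", ".img"}
# Document-looking inner extensions used to disguise a file (report.pdf.exe)
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}
# Lure subjects of the "Verification Act" kind the post mentions (constructed list)
LURES = ("verification act", "reconciliation act", "invoice", "payment overdue", "urgent")


def _domain(header_value):
    """Domain part of an address header, lower-cased; '' if unparsable."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Score one raw RFC 822 message and return a verdict dictionary."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = _domain(msg["From"])
    external = from_domain not in INTERNAL_DOMAINS
    reasons = []
    if external and msg["Reply-To"] and _domain(msg["Reply-To"]) != from_domain:
        reasons.append("reply-to points to a different domain")
    subject = str(msg["Subject"] or "").lower()
    if external and any(lure in subject for lure in LURES):
        reasons.append(f"lure subject from unknown sender: {subject!r}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        base, ext = os.path.splitext(name)
        if ext in BLOCK_EXT:
            reasons.append(f"executable attachment: {name}")
        elif external and ext in REVIEW_EXT:
            reasons.append(f"archive or macro attachment from outside: {name}")
        if os.path.splitext(base)[1] in DOC_EXT:      # e.g. report.pdf.exe
            reasons.append(f"double extension: {name}")
    if any(r.startswith("executable") for r in reasons):
        verdict = "quarantine"
    elif reasons:
        verdict = "hold for review"
    else:
        verdict = "deliver"
    return {"from": from_domain, "external": external,
            "reasons": reasons, "verdict": verdict}


def sample_lure():
    """Constructed phishing-style message; the 'binary' is a dummy byte string."""
    m = EmailMessage()
    m["From"] = "Accounting <acct@unknown-partner.test>"
    m["Reply-To"] = "reply@another-domain.test"
    m["To"] = "manager@regionsoft-example.test"
    m["Subject"] = "Verification Act for March"
    m.set_content("Please review the attached verification act.")
    m.add_attachment(b"MZ constructed, not a real executable",
                     maintype="application", subtype="octet-stream",
                     filename="Verification_Act.pdf.exe")
    return m.as_bytes()


def sample_internal():
    """Constructed ordinary internal mail with a PDF attachment."""
    m = EmailMessage()
    m["From"] = "Alice <alice@regionsoft-example.test>"
    m["To"] = "petya@regionsoft-example.test"
    m["Subject"] = "Invoice for the new monitors"
    m.set_content("Attached, as discussed.")
    m.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    return m.as_bytes()


if __name__ == "__main__":
    for sample in (sample_lure, sample_internal):
        print(sample.__name__, "->", triage(sample()))
```

    The internal invoice passes untouched, while the external "Verification Act" message collects three independent reasons and is quarantined on the executable alone; the other reasons are what a reviewer sees when the attachment is merely an archive. Keyed on the From domain only, the check is of course as strong as your inbound SPF/DKIM/DMARC enforcement, which is the gateway's job rather than this script's.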

    These all seem like little things. However, each of these little things can have disastrous consequences, especially if your company is the target of an attack by competitors. And this can happen to literally anyone.

    Chatty employees

    This is the very human factor you will find hard to get rid of. Employees can discuss work in the corridor, in a cafe, on the street, talk loudly about one client while at another, and talk about their achievements and projects at home. Of course, the likelihood that a competitor is standing right behind your back is negligible (unless you sit in the same business center; it has happened), but the chance that a guy clearly laying out business matters gets recorded on a smartphone and uploaded to YouTube is, oddly enough, quite real. But that is nothing. What is not nothing is when your employees willingly present information about the product or company at trainings, conferences, meetings, professional forums, or even on Habr. Moreover, people often deliberately draw an opponent into such conversations in order to conduct competitive intelligence.

    An illustrative story. At one galactic-scale IT conference, a section speaker put on a slide a complete diagram of the IT infrastructure of a large company (top 20). The diagram was mega impressive, simply cosmic; almost everyone photographed it, and it instantly flew around social networks with rave reviews. Well, then the speaker tracked it down by geotags, booths and social network posts and begged people to take it down, because he had quickly received a call and been told off. A chatterbox is a godsend for a spy.

    Ignorance ... frees from punishment

    According to Kaspersky Lab's global report for 2017, among enterprises that faced cybersecurity incidents within 12 months, one of the ten (11%) most serious types of incidents was related to careless and uninformed employees.

    Do not assume that employees know everything about corporate security measures: be sure to warn them, conduct training, send out interesting periodic newsletters about security problems, hold pizza meetings and go over the questions again. And yes, a cool life hack: mark all printed and electronic information with colors, signs and labels: trade secret, confidential, for official use, public. It really works.

    The modern world has put companies in a very delicate position: a balance has to be struck between the employee's wish not only to plough but also to get some entertaining content during breaks, and strict corporate security rules. If you turn on hypercontrol, moronic tracking programs (yes, not a typo: this is not security, this is paranoia) and cameras behind people's backs, employees' trust in the company will drop, and maintaining trust is also a corporate security tool.

    So know the measure, respect your employees, make backups. And most importantly, put security first, not personal paranoia.

    If you need a CRM or ERP, study our products carefully and compare their capabilities with your goals and objectives. If you have questions or difficulties, write or call, and we will arrange an individual online presentation for you, without ratings and bragging contests.
    Our channel in Telegram, in which, without advertising, we write not entirely formal things about CRM and business.
