The last line of defense

By Laura Haight
Originally published as the Digital Maven by The Upstate Business Journal on April 19, 2013


“When there is no enemy within, the enemy outside can’t hurt you.”

-- African proverb

What is the biggest computer threat to your business? Is it Bob, the sales manager? Or Sarah, the new marketing intern? Of course, they aren’t the face of the enemy we imagine. Too bad, because that is where our biggest threat - albeit an unwitting one - lies. Your employees are not actively working against you, but their actions often, and unknowingly, enable the enemy outside the gates to get in.

The hard truth is this: No amount of money, no software or hardware, no security experts on your staff can protect you from the seemingly harmless acts of an authenticated user.

Here are four ways your own employees put your business at risk.

1. Ignoring password security. Some companies enforce password rules that require employees to create strong passwords and to change them regularly. Those that don’t may educate employees about strong passwords and how to create them, but must still expect that the average employee will ignore the advice and pick a password that is simple and easy to remember. Convenience trumps security every time. Last year, the most used password was - password. The second? 123456.

2. Ignoring basic email best practices. These rules are basic and have been well publicized, and yet, over and over again, employees violate them.

  • Don’t open email from people you don’t know.

  • Don’t open email from people you know that doesn’t sound like them (subject lines like HI, For You or Welcome are clear warning signs).

  • OK, you opened it, but now don’t click on any links in a suspicious message. An email from a friend with no text - just a link - screams scam. Don’t do it.

  • Don’t open photo attachments in email: attackers disguise malware as image files, or hide it inside them, because they know people open pictures without thinking.

Phishing schemes like this get you to click on a link that may install software to damage your network - or worse - to siphon off data, or even funds, in amounts small enough to go unnoticed. Or it may install a keylogger, a piece of software that captures every keystroke so that the attacker obtains passwords, the passphrases that protect your encrypted files, and logins to online services (like banking or accounting).

3. Taking company documents home. We love people like this in our organizations - those who take the initiative and do extra work at home. It seems harmless enough: Bob copies a few spreadsheets of financial data or company records to complete an analysis he’s been charged with over the weekend at home. Now, your data is out there in the wild. Maybe Bob put it on a USB key with some encryption - that buys time, but the encryption is only as strong as the passphrase that unlocks it, and a short or common one will be guessed. Possibly, he took it home on a laptop that he left in the back of his car while he played golf. (How long will it take to break your password? Check out this open source website. If it were me, I would use a made-up password for testing purposes. It’s the internet, after all. But pretty interesting stuff.)

The laptop looked like a good get to the 13-year-old who smashed his window and grabbed it. But the kid is probably not a hacker - just a thief.

You might take comfort in the fact that, because you follow PCI compliance rules for credit cards, your spreadsheet does not include full card numbers. But those customers have an online account with you, so their password is in that data too. Depending on what source you read, somewhere between 60 percent and 78 percent of us use the same password for our bank and for most if not all other online logins. So even though the customer’s credit card number was protected, the password is out. And even though the kid with the laptop didn’t know what he had and might not know what to do with it, you still have to come clean to your client base. Thanks, Bob, for the extra effort!
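As an added illustration (this is not code from the column or from the password-checking website it points to), the following Python script applies the two checks that item 1 and item 3 argue for: reject the passwords everyone picks, and show how fast an attacker can exhaust what is left. The common-password list is a constructed sample (the column itself names only "password" and "123456"), and the two guess rates are assumptions chosen to contrast a rate-limited login page with an offline attack on a stolen file of fast hashes.

```python
import string

# Constructed sample of widely reused passwords; the column names "password" and
# "123456" as the two most used. A real check would load a large breached-password list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "111111",
    "letmein", "welcome", "monkey", "password1", "iloveyou",
}

# Assumed guess rates (illustrative assumptions, not figures from the column):
# a rate-limited online login form versus an offline attack on a stolen file of
# fast, unsalted hashes running on commodity GPUs.
GUESSES_PER_SECOND = {
    "online_throttled": 1e2,
    "offline_fast_hash": 1e10,
}

CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def classes_used(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet covering the password. Characters
    outside the four classes (spaces, non-ASCII) are each counted individually."""
    size = sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))
    known = "".join(CHARACTER_CLASSES.values())
    size += len({c for c in password if c not in known})
    return size


def brute_force_seconds(password: str, rate: float) -> float:
    """Worst-case time to try every string of this length over this alphabet.
    This is an upper bound only: dictionary and pattern attacks find predictable
    passwords long before the keyspace is exhausted."""
    return charset_size(password) ** len(password) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def check_policy(password: str, min_length: int = 12,
                 min_classes: int = 3, passphrase_length: int = 16) -> list:
    """Return the list of policy violations (an empty list means it passes).
    The character-class rule is waived for long passphrases, because length
    does far more for strength than mixing in symbols."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(password) < passphrase_length and len(classes_used(password)) < min_classes:
        problems.append(f"uses fewer than {min_classes} character classes")
    return problems


def report(password: str) -> dict:
    """Policy result plus brute-force estimates under each assumed attacker."""
    return {
        "problems": check_policy(password),
        "crack_time": {name: human_time(brute_force_seconds(password, rate))
                       for name, rate in GUESSES_PER_SECOND.items()},
    }


if __name__ == "__main__":
    for candidate in ["password", "123456", "Password1!", "correct horse battery staple"]:
        print(repr(candidate), report(candidate))
```

Run it and "password" falls to the offline attacker in about 21 seconds even by brute force, while "123456" is gone in under three hours through a throttled login page. The arithmetic is also the trap: "Password1!" scores about 170 years of brute force at ten billion guesses a second, yet it sits in every cracking wordlist, which is why the blocklist check matters more than the keyspace estimate. The long passphrase is the only one of the four that passes the policy, and its keyspace is astronomically larger.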

4. Ignoring computer warnings of viruses or out-of-date software. This is a dual problem - they do it at work and at home. If your company has centrally managed computers or uses a cloud-based service, you are most likely getting antivirus and OS updates pushed to you by an automated service. Companies make choices about how updates will be done, and in many cases, users are informed that there is an update that needs to be installed and the computer restarted.

More annoying interference from those geeks in IT! Your staff has work to do and can’t be stopping in the middle of it to restart their computers. It’s OK, do it later.

Often, later doesn’t come, and now a violation of item one or two on this list also lets a virus you could have been protected against into your network. This happened at a Fortune 500 company headquarters when I worked there. It took a small army of IT people to go from floor to floor, office to office, manually updating every computer and testing every part of the network. The manpower cost was enormous; the data cost could have been even greater.

Computer policies and actions are work rules that need to be explained, understood and enforced. I personally know people and businesses who have been hacked and hurt by all the things on this list and in every case, it was an authenticated user - the wolf in sheep’s clothing - who let the enemy in the gates.


Got a question? Come to Facebook and post it. We'll talk.