Today’s blog post was written by Wendi Finn, founder of IS Security Solutions.
In Corporate America today, employees are staying connected 24/7. Those who are tech savvy are firing up their mobile devices before their laptops have even had a chance to hibernate. Their eyes focus on the tiny display and their fingers type feverishly into the device. “Hope this meeting isn’t the same old snooze fest we had last week,” they tweet, heading down the hall and rounding the corner.
We’ve seen the tweet before. Some of you may even be laughing, “Hey, that was my tweet from yesterday.” The introduction of mobile technology and the vast expansion and use of the internet have created the need for corporations to create security policies and, more importantly, to educate their users in safe and appropriate practices.
The young Generation X employee needs to be educated in privacy, confidentiality, and perception. Corporations need to clearly define and communicate what within the company can be shared with friends and family, and what cannot be shared. The more comprehensive the list, and the more examples that can be provided, the better. Until you state specifically what can and can’t be shared, it is simply opinion. For instance, XYZ Technology is coming out with a brand new, state-of-the-art, high-definition, Bluetooth necktie, so that anybody bored in a meeting can simply watch television while pretending to focus on the speaker. Is this new technology to be kept confidential so a competitor doesn’t beat you to the market, or are employees to boast about this great tie to excite buyers? Policies need to be clear, they need to be precise, and they need to be communicated.
Below is a short list of thoughts to use as a starting point:
- Is the use of social media acceptable?
- Is the use of social media in the workplace acceptable?
- What implications might social media have on your brand? (Keep in mind there are always plusses and minuses.)
- What assets should be protected? (e.g., employee data, customer data, recipes, designs, prototypes, types of technology used within the organization, etc.)
- Is it okay to share photos from the workplace with or of fellow employees?
- What are your password policies?
Baby Boomers have a different set of needs when it comes to security. This generation is less likely to understand identity theft and phishing schemes. This generation is also more likely to write down passwords or use simplistic passwords.
Below are some general tips to protect corporations and individuals alike. The items should be addressed at some level in corporate security policies and covered during training.
1. Use secure passwords: Use a password that won’t be easily guessed, that is at least six characters in length, and contains alpha, numeric and special characters. NEVER share your passwords. If you need to write your passwords down, do it in such a way that you can just use a reminder. For instance, I use passwords as a way to learn phone numbers. That way I can keep a note that says “Kelly Tate’s phone number.” Seeing that note gives me a way to look up my password: KT8900021! Since I always start with capital initials and end with an exclamation point, I just need to look up Kelly’s number in my contacts to remember my password.
2. Install anti-virus and apply security updates regularly: Install software updates and anti-virus updates often to ensure hackers cannot take advantage of vulnerabilities. Typically the software can be set to apply updates automatically.
3. Understand phishing schemes: Random service providers DO NOT call you to tell you there is an issue with your computer. Don’t boot up your computer based on a phone call and NEVER give a stranger remote access to your system. Likewise, if you receive a phone call or e-mail asking you to verify your password, social security number, etc., BEWARE! When my bank calls, I require them to verify who is calling before giving out any of my personal information (or I simply let them know I am going to hang up and call back using the number on the back of my charge card). If it’s an e-mail, I delete it. If somebody is contacting you, they should know it’s you! You need to know it’s actually your bank, service provider, doctor’s office, etc.
4. Treat all social media sites as public sites: Postings you make can be shared, printed, or screenprinted. Do not post personal or corporate information you don’t want made public.
5. Beware of people you meet on-line: Sites such as LinkedIn can create opportunities to connect with other individuals in your industry, but it is still necessary to be conservative. Before providing someone you meet on-line with any personal information or before you agree to meet live, check their references. Call a friend or contact in common and always meet for the first time in a public place. Never click on a link provided or posted by a stranger, even in a group forum. Viruses are often embedded.
6. Review your security settings regularly: Social media sites are often making updates to their software, and those updates often reset your privacy settings to the default settings. Customize your settings according to your use. For instance, it would be reasonable to use default public settings for a site where you are marketing merchandise or services.
Enlightening users about technological threats and educating them in simplistic security practices will dramatically decrease the risk to both the corporation and its employees. I have written a workbook to assist in educating technology users called A Beginner’s Guide to On-Line Security. It walks the readers through the concepts mentioned above, provides examples, and includes hands-on exercises. For more information, please visit: www.On-LineSecurity.org.
Wendi Finn obtained her undergraduate degree in accounting from The University of Illinois, Chicago, and a Master’s in Information Systems from Capitol College. She is a CPA registered in the States of Ohio and Illinois and a CISA (Certified IS Auditor). Wendi Finn is an alumnus of Ernst & Young with fourteen years of compliance, security, and accounting experience. In 2004 she founded IS Security Solutions, LLC to assist organizations in control consciousness, security awareness and process improvement.
Wendi’s experiences include: performing end-to-end process reviews to identify opportunities for operational and security enhancements, ACL data analysis, security assessments for various platforms and databases, security confirmation assessments and testing for various systems, business continuity and disaster recovery plan development, information security policy development and review, physical security assessments, and Sarbanes-Oxley compliance.