Initially, that may seem a little harsh, as I’m referring to employees of your company. But, as it turns out, your employees can often be a bigger threat than you realise. And, with the advent of Bring Your Own Device (BYOD), it is only getting worse. Given that, as I type this today, the security on the iPhone, for example, is somewhat – ahem – elastic (see http://bgr.com/2013/02/14/iphone-security-vulnerability-ios-6-1-327260/ ), you may wonder why BYOD is even considered at all in any workplace. In a small to medium business, the likelihood of folk – often those in senior positions – wanting to use their shiny new toy for business is often greater than in a corporate. Conversely, a corporate will often be far better equipped to deal with the proliferation of these devices.
If a user is able to install something on your network, rest assured he or she will at some point. After all, software is “simple to install”, right? Not a moment’s thought will be given to compatibility with existing programs, licensing, liability or security.
More commonplace is the moving – thanks to the ease of ‘drag and drop’ – or deletion of files, whether by accident or design. The “are you sure” prompt may as well not exist, as it is routinely ignored! Just one of the many reasons a backup is so important. You do have a backup, don’t you?
Another issue is how your users use their office technology – as a business, you have a legal liability for your employees’ actions and in some cases even a criminal one! These include harassment, liability for acts and omissions and accessing illegal materials. See this link for more details – www.smoothwall.com/whitepaper-library/corporate-misuse-of-ict-%28uk-law%29/ – it does not make happy reading.
What can you do?
- Ensure you have an up-to-date employment policy which covers your employees’ use of your IT equipment, including email, web browsing and social media use at work – and keep it up to date!
- Don’t allow your users to install software at all – either restrict users’ accounts or enforce it via policy.
- Enforce controls on devices used in the office via policies which allow remote disablement of the device should it become lost, stolen or compromised.
- Educate your users in file management.
- Monitor or restrict access to the internet – in particular, use a web filter or DNS services if you are able.