Most companies hire highly paid computer security professionals who spend hours a day configuring access policies and patching computers. Then they turn around and hire minimum-wage security guards to protect millions of dollars' worth of computer equipment, and that is not even counting intellectual property and the database of customer names. If a hacker has been hired to hack you, which path do you think he will take to steal company secrets? Will he spend months trying to hack the company's network, which has been locked down by the highly paid computer security consultant? Or will he spend a day trying to hack the poorly motivated security guard who is paid minimum wage? Hacking a human (social engineering) is the greatest threat to your company. If you don't have someone who can combine computer security with physical security, you have no information security.
Information security combines every aspect of access control and building management. It ranges from how people access the building, how the janitors dispose of garbage, computer security, staff background checks, staff hiring, video surveillance, etc. A common lapse in physical security is that smokers usually leave one door unlocked during the day so they can take a smoke break. That completely cancels out your hundred-thousand-dollar key card system. All an information thief would have to do is watch your building for a day and find the smokers' hangout.
Every major type of information theft crime has used some type of social engineering attack. Untrained and poorly paid employees are the easiest targets because they are usually unmotivated and easily influenced. The key is not paying people more; the key is to train them to know what to look for. A well-trained staff member will enjoy their job and take ownership of their responsibilities. They will not want to let the company down if they are trained and feel needed.
Your employee hiring process should include a background check and a credit check. If the candidates have ever declared bankruptcy, do not hire them. If they are really strapped for cash, they can be easily bribed or seduced into selling your company's secrets. The federal government does not give Secret security clearances to people who have declared bankruptcy. Why would you let someone like that near your company's vital data?
Your company's weakest link is your employees' cars and homes. It's easier for a hacker to follow someone home from work and then steal their laptop out of the car. Also, employees usually leave their access cards in their automobiles. Create company policies for storing company laptops, PDAs and access cards in secure locations, not in cars.
Check your company websites! Don't have every employee's name, position, phone number, email address and bio listed on the website. All this information just gives an information thief more tools to work with.
Train your in-house security about your computer network. If you teach them the very basics about technology and servers, they will be more aware of what people should be doing. Train them to look for portable hard drives, key chain drives and writeable media like DVDs and CD-ROMs. All of these items can be used to take vital company secrets off company grounds.
Finally, here is the easiest way to protect your company's network: log off your computer when you're done using it. This sounds like common sense, but nobody logs off their computer when they're done. The worst culprits are executives, who always want access to everything. If a hacker gets inside your company, it takes less than a minute to install a rootkit. Once his rootkit is installed, you're doomed.
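Because nobody logs off on their own, a defender needs a way to find the sessions that were left open. The script below is an added example, not part of the original post: it reads `w`-style session lines (the constructed sample is embedded; the hypothetical `stale_sessions` helper is not a standard tool) and lists every login that has sat idle longer than a threshold.

```shell
#!/bin/sh
# Added example, not from the original post: a defender's check for the "nobody logs off"
# problem, listing console sessions that have sat idle longer than a threshold.
# Input is assumed to look like the body of `w -h` (USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT);
# the sample lines below are constructed, not captured from a real host.

# idle_minutes IDLE: convert a w(1)-style idle field to whole minutes.
# Formats: "12.00s" (seconds), "3:05" (min:sec), "2:07m" (hours:min), "3days".
idle_minutes() {
  case "$1" in
    *days) echo $(( ${1%days} * 1440 )) ;;
    *m)    hm=${1%m}; m=${hm##*:}; m=${m#0}
           echo $(( ${hm%%:*} * 60 + m )) ;;
    *s)    echo 0 ;;
    *:*)   echo "${1%%:*}" ;;
    *)     echo 0 ;;
  esac
}

# stale_sessions THRESHOLD_MIN: read w-style lines on stdin, print "USER TTY IDLE_MIN"
# for every session idle at least THRESHOLD_MIN minutes.
stale_sessions() {
  threshold=$1
  while read -r user tty from login idle rest; do
    [ -n "$user" ] || continue
    mins=$(idle_minutes "$idle")
    if [ "$mins" -ge "$threshold" ]; then
      printf '%s %s %s\n' "$user" "$tty" "$mins"
    fi
  done
}

# Constructed sample: an executive idle for 2h07m, an analyst active, a guard idle 3 days.
SAMPLE='ceo      tty1     -                09:02    2:07m  0.05s  0.05s -bash
analyst  pts/0    10.0.0.12        13:41   12.00s  0.10s  0.01s vim notes
guard    pts/1    10.0.0.7         08:15    3days  0.02s  0.02s -bash'

# On a live host replace the sample with:  w -h | stale_sessions 15
printf '%s\n' "$SAMPLE" | stale_sessions 15
```

Pair the report with an enforced idle screen lock; the audit only shows who walked away, it does not close the session.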
In most cases, security is prioritized by a company, yet there are only minuscule efforts to actually solidify it. Building security shouldn't be neglected, in the same way that a company's vital information should always be protected from all forms of compromise. Although there are cases when tenants tend to forget, a solid building security consisting of personnel and equipment should be able to fully protect the company and its assets.