A company's IT security is only as strong as its weakest link. Each staff member should view security as a personal responsibility. Here are three great tips for employees to follow.
Think about it. When you leave your home you lock your door. And when you leave your car you activate the central locking and alarm. Now ask yourself: Why should it be any different with your computer?
While the information stored on a computer has value in itself, it is the identity used to log in to the computer that is the most prized possession for a malicious user.
In the same way your passport enables you to travel to other countries and your ATM card gives access to your funds, your login ID gives a hacker all your user privileges. Worse, it's not just the permission - but also an identity to hide behind. In essence, anything the hacker does using your ID traces back to you.
While technology can help minimise this threat, it is user behaviour and actions that determine the infocomm environment's security.
It is important that every person in an organisation takes security as a personal responsibility. And the best way to achieve that is to help them understand the issues.
Many users see computers merely as a tool to get their work done. What they also need to be made aware of is that the ability to access data and complete tasks starts from the privileges granted to them.
Remember the tagline in the Spider-Man movie? 'With great power comes great responsibility.' And in a business environment, the same is true. There are three basic things users can be taught to help secure their environment.
1. Strong password
Ensure that users create a strong password for their accounts. Strong passwords are usually made up of a combination of at least eight letters (uppercase and lowercase), numbers and punctuation marks.
While a password such as G7ys%*hs23 would be considered strong, it is not easy to remember. So why not use a pass phrase, something you can remember easily? For example, the pass phrase Mla3ca7d can be derived from the first characters of the phrase 'Mary looks after 3 cats and 7 dogs'. Also, never write your password down, store it on your computer or allow the browser to save or remember it.
2. Lock computer when not in use
Teach your staff to 'lock' their computers when not in use. People who go off for lunch or to the restroom, leaving their computers unlocked, make an easy target for a malicious user.
'Locking' your computer is a matter of a single keystroke such as the Windows key. Or to make matters even simpler, you can enable the computer to lock itself automatically after a short period of inactivity.
3. Beware of 'social engineering'
Alert your staff to the threat posed by 'social engineering' - a process hackers use to manipulate an unsuspecting person into divulging sensitive details such as security or confidential information.
This can be done via spam e-mail messages in which the hacker assumes the identity of a trusted person or organisation and establishes a scenario where the user feels obliged to release such details.
In a properly configured environment, an administrator, or anyone else, does not need access to your security credentials - for example, username and password - for system maintenance.
It is vital to educate users in your organisation on the value of their data and credentials. Security is the responsibility of all users in your organisation. With these simple tips, you will go a long way towards establishing a strong defence against IT threats.
According to IDA's 2007 Annual Survey on Infocomm Usage by Enterprises, the three least deployed infocomm security measures by enterprises are:
- Intrusion detection system (ranking 1);
- Offsite data backup (ranking 2); and
- Secured communication between clients and servers (ranking 3).
Infocomm security is something that businesses should not neglect. Start looking into implementing some measures to safeguard your business.
Do you have the right security measures in place? Visit www.singcert.org.sg today to sign up for free alert services on the latest cyber threats, solutions and patches; free seminars and workshops available; and tips to educate and raise awareness amongst your staff.
- This article is contributed by the Singapore Infocomm Technology Federation (SiTF), a member of the Cyber Security Awareness Alliance.
- This article first appeared in The Business Times on 17 June 2008 and information is correct at the time of publication.