Not all security breaches are the work of criminal hackers attacking your company over the internet. Either by negligence or malice, a significant number of security breaches are the work of staff members.
According to the McAfee 2007 Virtual Criminology Report, criminal groups are targeting employees and sponsoring undergraduates to steal data from inside businesses using virtually undetectable transfers to USB keys and other mobile devices. The stolen data is then held for ransom or sold to anyone who will pay for it.
Of course, the most common kind of security breach is unintentional. The modern mobile workforce has many advantages (working from home or the road, accessing data anywhere at any time), but from a security perspective it can be problematic. For convenience, confidential data can and probably will be copied to USB keys, removable hard disks, notebook computers or mobile handsets, or emailed to insecure home email accounts. Staff will bring their own insecure notebooks to work, or take work notebooks home and connect them to their home ADSL connection, which may or may not be secure.
In Europe, McAfee found that a quarter of workers connected their private gadgets to their work network, and another quarter took work notebooks home and connected them to their home network. With all this data moving outside of the control of the business, the potential for data leaks is enormous.
Protecting your mobile equipment
Here are some tips for dealing with the chaos that teleworking can bring:
- Create and enforce company policies about what data can be taken on what devices. Encourage and enable situations where users can access data remotely without having to make local copies of it. Secure VPNs (virtual private networks) are good for this purpose.
- Institute access controls on server data, so that only authorised persons can access it.
- Use encryption software, available for both handhelds (like PDAs and smartphones) and notebook computers. That way even if a device is lost or stolen, the data cannot be accessed.
- Acquire business notebooks and devices with biometric and other security measures, such as fingerprint readers and smart card readers.
- Create revocable access mechanisms. Universal passwords are a bad idea; per-user passwords are easier to revoke in the case of a stolen device.
- Any personal equipment, such as privately owned notebooks and PCs, that will have company data on them should have the same security measures applied as the company-owned notebooks. At the very least they should have a current security suite. Managed service suites (like McAfee Total Protection for Small Business) are perfect for this kind of application, since you can monitor and manage the security on the private computers no matter where they are, and you don't have to blindly trust your staff member to do the right thing.