Some top security tips that ALL employees can use

When it comes to security, one thing is clear: people occasionally do daft things with computers and devices, and they frequently do these daft things at work. They occasionally do malicious things too, but it’s mostly just daft. So we can train our employees (including managers and directors) in our procedures and policies and enforce them. In fact, time spent thinking about the best way to train different teams is never wasted, because it gives you the chance to use their language and create something nuanced that will make a genuine difference, which is, after all, the whole point of doing it.

Looking at some of the data that came out of Vormetric’s Insider Threat report, privileged users are still posing a security headache to many of the respondents. They may be System Admins or senior colleagues who are simply not restricted or monitored in the way other employees are. These are the ones who can access very sensitive or valuable information and so need to be even more hyper-vigilant in their behaviour. But let’s face it, one phishing email clicked and one payload of malware downloaded is all it takes, and that could be done by an MD or a temp.

I asked the team here at Advent IM to come up with some practical tips that all employees can use, regardless of their role, to help protect their organisations and enhance their understanding of the vital role they play in securing assets.

  • That email telling you there’s a juicy tax rebate waiting for you, but that it needs to be claimed immediately, hasn’t come from the Government. It’s a phishing email. Clicking that link will allow malware to be installed and all your personal information to be stolen. Do not click on links in emails you are not expecting and, if in any doubt, refer to your security manager.
  • Never set your smartphone to allow download and installation of apps from sources other than an approved store. Changing this setting can allow malware to be installed without your knowledge and could result in you being a ransomware victim.
  • Always report security breaches immediately to your line manager so that any counter-compromise action deemed necessary can be taken. If the organisation isn’t aware of it, the event could worsen or spread. Containment and control are vital and must happen as quickly as possible.
  • Archive old emails and clear your deleted & sent folders regularly as a clean and tidy mailbox is a healthy mailbox.
  • Never discuss work topics on social media as your comments may come back and bite you! You could also be compromising your employer’s and colleagues’ security and increasing the likelihood or the ease of an attack.
  • Don’t worry about challenging people you do not know who are not wearing ID or visitor badges. It may seem impolite but Social Engineers use inherent politeness to their advantage and can then move round a site, potentially unchallenged.
  • Don’t allow colleagues to use your login credentials; this goes double for temps and contractors. Think of it like lending your fingerprints or DNA to someone. Would you do that so easily? Any activity on your login will be attributed to you…
  • Do you really need to take your work device to the pub with you? More than a quarter of people admit to having lost (or had stolen) up to 3 work devices and more than half of them were lost in a pub!
  • Don’t send sensitive documents to your personal email address. If there is a security measure in place, it is there for a reason.
  • Don’t pop any old USB into your PC. Nearly one in five people who found a random USB stick in a public setting proceeded to use the drive in ways that posed cybersecurity risks to their personal devices and information and, potentially, that of their employer. It could have anything on it! Exercise caution.

Some of the findings on Insider Threat from the Vormetric 2015 survey…

[Image: 2015 Vormetric data, Insider Threat v0.4]

USB – Ubiquitous Security Breach?

The Ubiquitous Data Breach or as we know it - the USB

“Organisations do not understand the risks they face because of employee negligence but are not taking the necessary steps to secure USB drives.”

This forms part of the introduction to the findings of the UK part of the survey by the Ponemon Institute on behalf of Kingston Technologies.

The results of the survey show how negligently inactive UK organisations are when it comes to unauthorised use of USB devices. A shocking 73% of those surveyed reported that employees within their organisations were using USBs without obtaining permission, and 72% said that data breaches had been caused by sensitive or confidential data on USBs being lost.

These results come as no surprise to many of us; the number of stories we all read on a weekly basis about data sticks being lost, laptops being lost, or discs being left in taxis etc. is large.

The surprising thing in many ways is that despite these incidents, organisations are still allowing uncontrolled USBs to become prevalent – picked up at trade fairs and expos, the survey said 55% – I suspect this is actually much higher. And so business is relying on the common sense and integrity of its employees to use the devices sensibly. In fact, the sensible thing to do is have a policy, implement it and educate it in to your staff.

The survey shows a disappointing 32% have policy and controls in place to stop or limit employees’ misuse of USBs in the workplace, and 29% have the technology to prevent or detect a virus or malware on USB drives before use by employees. Some organisations, as we know, will create policy and then not educate it in to their people. Lip service to a policy never works, hence the 73% of respondents having lost sensitive data.

We have said it before and will say it again: assess the risks (ask for help if you need to), design the policy and procedures (ask for help if you need to), implement and check it works, then educate it in.

Ellie

www.advent-im.co.uk

From the report:

The following are 10 USB security practices that many organizations in this study do not practice:

1. Providing employees with approved, quality USB drives for use in the workplace.
2. Creating policies and training programs that define acceptable and unacceptable uses of USB drives.
3. Making sure employees who have access to sensitive and confidential data only use secure USB drives.
4. Determining USB drive reliability and integrity before purchase by confirming compliance with leading security standards and ensuring that there is no malicious code on these tools.
5. Deploying encryption for data stored on the USB drive.
6. Monitoring and tracking USB drives as part of asset management procedures.
7. Scanning devices for virus or malware infections.
8. Using passwords or locks.
9. Encrypting sensitive data on USB drives.
10. Deploying procedures to recover lost USB drives.