Rossander’s Security Reader

It’s not often that I burst out laughing while reading a computer security article. Still less often when I’m reading an HR blog. This article and the comments at the end were a rare treat.

In case the link doesn’t work for you, the author tells a compelling story about how hard it is to get people to lock their computers when they step away from their desks. I agree – it’s miserable trying to convince people that this is an important security control that they should spend time on. You can teach, nag, cajole and people still walk away “just for a minute” and leave their computers open to any hacker in the building. (And if you think you have complete control of the physical facility, you’re kidding yourself.)

Rather than more fruitless policing by one or two committed security geeks, release the goons! Let employees prank each other when someone is careless enough to leave a computer unlocked. Drafting and even sending emails from the unsecured computer is an old trick but must be done with caution – it’s supposed to be a prank, not a career-ending fraud. Better are more personal pranks like changing a Browns fan’s wallpaper to a Steelers logo, changing the autocorrect in MS Word or, my new favorite, flipping the monitor. A harmless prank or three might finally get people to lock those screens.

A few thoughts, though. Make sure that the pranks are harmless. You want to apply judicious social pressure in support of the corporate policy. Workplace bullying is nothing to trifle with. Don’t let it go too far. Second, be very sure that tactic is a good fit for the culture of the team. Tight-knit, high-functioning workgroups have more tolerance for social controls than newly formed or distrustful groups. Finally, be very cautious before “pranking” a subordinate. Behavior that’s completely acceptable with a peer could land the manager in a lawsuit.

Hope you enjoy the article as much as I did.

Holiday travel time is a bonanza for thieves. Empty homes, disrupted schedules, lots of strange cars in the neighborhood as vistors come and go. It’s a busy time for an enterprising burgular. Here are some tips to keep your home safer while you are away.

• This sounds obvious but it’s surprising how many people forget it. Lock all your doors and windows before you go. Don’t forget the ones in your garage and basement.
• Have a neighbor collect your newspaper and mail daily. Failing that, have the deliveries stopped. Piles of newspapers are a dead-giveaway that you’re not home.
• Do not stop your snowplow service. A lack of footprints in snow that’s several days old is another giveaway. If you don’t have a service, ask a neighbor to shovel your walk for you.
• Ask a neighbor to check on your home a couple of times while you’re away. Make it obvious that the house is watched.
• Put some timers on a few interior and exterior lights and a radio to make the house appear occupied.
• And most importantly, do not post your travel plans on Twitter or Facebook.

Have a great holiday.

Studies continue to show that most identity theft is committed using paper-based information. And while much of that is based on papers stolen from your kitchen counter (usually by someone you know well), a fair portion is the result of mail theft or tampering. Here are some steps to protect your physical mail.

• Don’t leave outgoing mail in an unsecured mailbox – especially checks (which have your bank number and signature on them). Take the extra time to detour to the post office drop box.
• Or even better, pay your bills online through your bank’s secure website.
• Sign up for direct deposit and for electronic deposit of as many incoming checks as you can. Don’t advertise when you’ve got a check coming. An insurance company I know recently had a check forgery case based on a single claim check stolen from the victim’s mailbox.
• Keep your eyes open for changes in patterns. If you haven’t received a bill on time, one possibility is that an ID thief changed the address and is using your account to establish his/her false identity.
• If you’re expecting a package, track it’s progress on the carrier’s website. Make sure that it doesn’t sit unattended any longer than necessary.
• Think about signing up for electronic statements instead of getting them through the mail. It’s cheaper the company (and ultimately for the consumer), it reduces the volume of paper to manage and, as long as your computer security is good, it can be as safe or slightly safer than paper statements.
• If you’re going out of town, put a hold on your mail.
• If you live in a high-crime area, consider a post office box.

Budgets are tight everywhere this year. It’s tempting to put off investing in security because “we just can’t afford it now.” That’s a risky strategy at any time but worse, it’s largely an unnecessary attitude. There are many things you can do to improve your security posture that don’t cost cash. They do cost your time and attention, though. Make fixing these common mistakes a priority.

• Walk around your office some night and see how many people keep their passwords on sticky notes right on the computer monitor. Keeping track of passwords is hard. But writing them down and leaving them out for every casual visitor or after-hours maintenance person to see is inexcusable.
• While you’re walking around, see how many people left sensitive documents on their desks. Make sure that sensitive documents, especially including anything with an SSN or Drivers License Number on it, is put away at night. If you absolutely can’t implement a clean desk policy in your office, at least flip over the top page in the stack to reduce the temptation to snoop.
  If you allow the use of thumbdrives in your environment, make sure you watch for them, too. Thumbdrives are high risk devices – very easy to steal.
• Make sure people keep their access cards with them at all times. Access cards are your credentials. If they fall into the wrong hands, the bad guy effectively is you. He/she can do anything you can do and you will get the blame. Access cards should be protected as carefully as the data they protect. (And, by the way, neither under your keyboard or in the top right drawer of your desk is a safe place to keep them. Thieves know to look there.)
• Prevent tailgating and make sure your visitors are escorted. Challenge unknown people – politely but directly. Don’t assume that just because a person is in your area that they have a right to be there.
• Remember the fax and the printer. Countless sensitive documents get overlooked and often forgotten or lost when we send them to the printer. Make sure you have internal control and that documents get picked up immediately.

Law enforcement agencies are reporting a recent uptick in the number of lost or stolen laptop computers. It’s not clear yet whether this is a random fluctuation, a consequence of the troubled economy or something else but it is a disturbing trend.

Laptop computers represent one of most significant information risks for any company because of the sheer volume of confidential information that they can hold. Worse, even if you don’t think you’ve ever saved a confidential document onto your computer, the computer will almost certainly have the access credentials needed to access information that is centrally held. One stolen laptop can put all of your data at risk. In those situations, the state-level breach disclosure laws put the burden on the breached company to show that their information was not compromised. When in doubt, the company must disclose. So unless you know positively what information got stolen, you might have to assume that all of it was and notify everyone in your database. Thousands of notifications, leading to lawsuits, wasted time, panicked customers and, most seriously, a loss of trust with your customers.

For most companies, there are two thin lines that protect your customer information.

One is each individual employee’s practice of protecting the computer itself. The vast majority of laptop thefts are crimes of opportunity so don’t give the criminal the opportunity. Have a policy that requires your staff to keep their laptops locked up at night. If leaving the computer at the office, put it in a desk drawer or cabinet – out of sight, out of mind. Don’t assume that the door lock will be sufficient to keep the thieves out. (See this Times article for an example of how easily a professional thief can impersonate his/her way into a supposedly secured office.) If your staff are taking the computer home, make sure they know to either bring it in with them or lock the computer in the trunk if they have to stop on the way. Never let the computers be left exposed.

The second line of defense is encryption. Scrambling your data can provide protection in case the unthinkable happens. That encryption, however, is no stronger than the key used to unlock it. For many companies, the encryption is based on a password (often the same password used to log onto the computer in the morning). Always pick a strong password. Don’t just pick a word, capitalize the first letter and add some numbers at the end. This is a natural tendency for english-speakers and the hackers know it. They optimize their cracking routines to break passwords in this pattern and will crack them in mere minutes. Use whole sentences instead. Whole sentences are easy to remember but far harder to break.

And never, never, never write down your password and leave it with the device you are trying to protect. That would be like buying a $3000 security door for your home, then leaving the key in the lock. You’d never be that careless at home. Don’t let people be careless at work, either.

If you have a laptop, protect it. Even one loss is too many.

Credit report reminder

For those of us on the "trimester plan" for reviewing our credit reports, it’s time to ask for your free copy of your credit report from the next agency.