Practical Policies That Help Increase Corporate Security
Companies today have largely accepted that technology is here to stay, and not embracing it is not in the table. The white flag has been raised, even for the strict IT team and the policies, they impose on workers using the company-supplied PC workstations, phones, and other IT equipment. The BYOD phenomenon further exacerbates this massive change, as employees are willingly using their personal computing devices in their jobs. It is inevitable, even without a formal acceptance of the employer, BYOD in a non-written and non-official form is being implemented across the board, across different industries. With employees comes some form of Bring Your Own Devices.
The years before the year of the smartphone, year 2006 and prior were heavily influenced by heavy user account control. Internet filtering was a common state of policy for a company that had any semblance for a need of having Internet connection for their employees. With the emerging technology of smartphones and tablets, everyone can choose for themselves the personal capability to connect to the internet with their mobile devices, there goes the effectiveness of filtering non-work related sites in the workplace.
This new-found “freedom of navigation” for the common employee of a company opens up a major security nightmare for anyone working in an IT team, regardless if they are internally employed by the company or a 3rd party contractor tasked to handle IT services, maintenance, and upgrades. IT downtime for a common employee means a very relaxed time, while waiting for the systems to come online again. This is exactly the opposite of an IT staff member, as IT downtime means working on the weekends, holidays or beyond the normal shift, just to restore the normal IT services.
The key to risk management is knowing the typical behavior of the company’s internal users of IT devices. This is through an acceptable level of policies, one of which is device encryption first before it is granted access to a company service like the corporate wifi and app access like OWA (Outlook Web App). Companies need to realize that money is not its lifeblood, but rather a byproduct of a job well done for its customers. The real lifeblood of any company is its asset, which a large chunk of it is the human capital.
Mutual trust between employees and those that regulate maintains and upgrades the IT system will make a lot of difference when it comes to the standpoint of cybersecurity. Companies should start with encryption, no encryption, no access. This will increase the privacy and security of data, especially if those laptops, smartphones, and tablets storing customer information got lost – data stored in them will never be readable by other people.
A combination of customer education and penetration testing are also the top two considerations for any company who wants to survive today’s world. Trust + encryption + regular updates for software, operating system and firmware versions (for routers/switches). There should be healthy exercise of restraint for end-users, as to whether we like it or not, employees are the frontliners in the standpoint of corporate security.
Kevin Jones753 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.