In 2008 I happened to visit an IT company. Every employee was visibly tense. The reason turned out to be simple: mobile phones went into a box at the office entrance, a camera sat behind everyone's back, two large additional "watching" cameras covered the office, and monitoring software with a keylogger ran on the workstations. And no, this was not a company developing SORM or aircraft life-support systems, just an ordinary application software developer, since absorbed, crushed and no longer existing (which seems logical). If you are now leaning back thinking that nothing of the kind exists in your office with its hammocks and M&Ms in vases, you may be very mistaken: in just 11 years, control has learned to be inconspicuous and polite, without fights over visited sites and downloaded movies.
So it seems you cannot do without all this, but what about trust, loyalty, faith in people? Believe it or not, there are no fewer companies without security tools. Yet employees manage to mess things up in both kinds, simply because the human factor is capable of destroying worlds, not just your company. So from which direction can your employees cause trouble?

This is not a very serious post, and it has exactly two functions: to brighten up the workday a little and to remind you of basic, often forgotten safety things. Oh, and to remind you once again of a cool and secure CRM system; isn't such software a security edge? :-)
Let's go, in random order!
Passwords, passwords, passwords...
Mention them and a wave of indignation rolls in: how can it be, how many times has the world been told, and yet things are still the same! In companies of every size, from sole proprietors to transnational corporations, this is a very sore point. Sometimes it seems to me that if someone builds a real Death Star tomorrow, there will be something like admin/admin in its admin panel. So what can we expect from ordinary users, for whom their own VK page is far more precious than a corporate account? Here are the points to check:
- Writing passwords on pieces of paper, on the back of the keyboard, on the monitor, on the desk under the keyboard, on a sticker under the mouse (cunning!): employees should never do that. And not because a terrible hacker will walk in over lunch and copy the whole 1C database to a flash drive, but because the office may contain an offended Sasha who is about to quit and wants to make a mess or take information with him on the way out. Why not do it during an ordinary lunch break?
[Image caption: "What's that? This thing keeps all my passwords."]
- Setting simple passwords for logging into the PC and work programs. Birth dates, qwerty123 and even asdf are combinations that belong in jokes, not in a corporate security system. Set requirements for passwords and their length, and set a rotation frequency.
[Image caption: "A password is like underwear: change it often, don't share it with friends, longer is better, be mysterious, don't leave it lying around everywhere."]
- The vendor's default passwords for logging into a program are flawed by definition, if only because almost all of the vendor's employees know them, and if you are dealing with a cloud web system, it is easy to obtain data from anyone. Especially if your network security is at the level of "don't pull out the cord".
- Explain to employees that the password hint in the operating system should not look like "my birthday", "daughter's name", "Gvoz-dika-78545-an#1! in English" or "a four and a one with a zero".
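As an added example (not code from the post or from RegionSoft), here is a small checker for the password rules this section lists: minimum length, rotation age, vendor defaults such as admin/admin, keyboard walks like qwerty123 and asdf, and birth dates. The word lists, thresholds and function names are assumptions chosen for illustration.

```python
import re
from datetime import date

# Assumed policy values and lists; a real policy would load these from configuration.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "qwerty123", "asdf"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
# ddmmyyyy / yyyymmdd with optional separators, not embedded in a longer digit run.
DATE_RE = re.compile(r"(?<!\d)(?:\d{2}[.\-/]?\d{2}[.\-/]?(?:19|20)\d{2}"
                     r"|(?:19|20)\d{2}[.\-/]?\d{2}[.\-/]?\d{2})(?!\d)")


def keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if the password contains a run of `run` adjacent keys from one keyboard row (either direction)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def looks_like_date(pw: str) -> bool:
    """True if the password is built around something shaped like a birth date."""
    return DATE_RE.search(pw) is not None


def check_password(pw: str, username: str, last_changed: date, today: date) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in DEFAULT_PASSWORDS:
        problems.append("vendor/default password")
    if username.lower() in pw.lower():
        problems.append("contains the username")
    if keyboard_walk(pw):
        problems.append("keyboard walk (qwerty/asdf style)")
    if looks_like_date(pw):
        problems.append("looks like a birth date")
    if (today - last_changed).days > MAX_AGE_DAYS:
        problems.append(f"older than {MAX_AGE_DAYS} days")
    return problems
```

Run it against new passwords at creation time and against the rotation date on a schedule; the checker only reports, it does not replace a password manager or a proper hash store.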
[Image caption: "My cat gives me great passwords! He walks on my keyboard."]
Physical access to files
How do you organize access to accounting and HR documentation (for example, employees' personnel files) in your company? Let me guess: in a small business, in accounting or in the boss's office, in folders on shelves or in a cupboard; in a larger one, on shelves in the HR department. But if it is very large, then most likely everything is done properly: a separate room or unit with a magnetic key, which only certain employees can access, and to get in you need to call one of them and enter in their presence. There is nothing difficult about setting up such protection in any business, or at least about learning not to write the office safe's combination in chalk on the door or the wall (all based on real events, don't laugh).
Why is it important? First, workers have a pathological craving to learn each other's most private details: marital status, salary, medical diagnoses, education, etc. That is compromising material in office competition. And the squabbles that arise when designer Petya finds out that he earns 20 thousand less than designer Alice land entirely on you. Secondly, in the same place employees can get access to the company's financial information (balance sheets, annual reports, contracts). Thirdly, something basic can be lost, damaged or stolen in order to cover up traces in someone's own work history.
The warehouse: one person's loss, another's treasure
If you have a warehouse, consider that sooner or later you are guaranteed to encounter offenders; human psychology is just like that: a person sees a large quantity of goods and firmly believes that taking some is not theft but sharing. A single unit from that heap can cost 200 thousand, 300 thousand or several million. Unfortunately, nothing stops embezzlement except pedantic and total control and accounting: cameras, receipt and write-off by barcodes, automation of warehouse accounting (for example, in our RegionSoft CRM it is organized so that the manager and the director can see the movement of goods in stock in real time).
Therefore, arm your warehouse to the teeth, ensure physical security against external enemies and complete security against internal ones. Employees in transport, logistics and the warehouse should be clearly aware that control exists, that it works, and that they will simply be punishing themselves.
Hands off the infrastructure
If the story about the server room and the cleaning lady has been lived through and long ago migrated into the folklore of other industries (the same tale circulated about the mystical shutdown of a ventilator in a hospital ward), the other stories remain reality. Network and IT security in small and medium businesses leaves much to be desired, and it often does not depend on whether you have an in-house sysadmin or a contracted one. The latter often does even better.
So what are employees capable of here?
- The cutest and most innocuous: going into the server room, pulling wires, looking around, spilling tea, tracking in dirt or trying to adjust something themselves. "Confident and advanced users" are especially prone to this; they heroically teach colleagues to disable the antivirus and bypass PC protection and are certain that they are born server gods. In general, authorized, limited access is your everything.
- Hardware theft and component substitution. Do you love your company and install powerful video cards so that the billing system, CRM and everything else run perfectly? Fine! Only cunning guys (and sometimes girls) will easily swap them for their home ones, and at home they will run games on the new office model, and half the world will never know. The same story with keyboards, mice, coolers, UPSs and everything else that can somehow be changed within the hardware configuration. As a result, you bear the risk of damage to property or its complete loss, and at the same time do not get the desired speed and quality of work from your information systems and applications. What saves you is a monitoring system (an ITSM system with configuration control), which should come complete with an incorruptible and principled sysadmin.

[Image caption: "Maybe you want to look for a better security system? Not sure this sign is enough."]
- Using your own modems, access points and Wi-Fi sharing makes access to files less secure and almost uncontrollable, which attackers can exploit (including in collusion with employees). Besides, the likelihood that an employee "with his own internet connection" will spend working time on YouTube, comic sites and social networks is much higher.
- Shared logins and passwords for the site admin panel, CMS and application software are terrible things that turn an inept or malicious employee into an elusive avenger. If 5 people from the same subnet under one username/password go to hang a banner, check advertising links and metrics, fix the layout and upload an update, you will never guess which of them accidentally turned the CSS into a pumpkin. Therefore: different logins, different passwords, action logging and differentiated access rights.
- Needless to say, there is the unlicensed software that employees pull onto their PCs to edit a couple of photos during working hours or to put together some hobby project. Haven't heard of an inspection by police Department "K"? Then it is coming to you!
- Antivirus should be running. Yes, some of them can slow down the PC, annoy and generally seem a sign of cowardice, but prevention is better than paying with downtime or, worse, with stolen data.
- Operating system warnings about the danger of installing an application should not be ignored. Today, downloading something for work takes seconds or minutes: Direct.Commander or AdWords Editor, some SEO parser, and so on. If everything is more or less clear with Yandex and Google products, then yet another picture tool, a free virus scanner, a video editor with three effects, screenshot tools, Skype recorders and other "tiny programs" can harm both the individual PC and the entire company network. Teach users to read what the computer wants from them before they call the sysadmin and say that "everything is dead". In some companies the issue is solved simply: many of the useful downloaded utilities sit on the network share, and a list of suitable online solutions is posted there too.
- A BYOD policy or, conversely, a policy permitting the use of work equipment outside the office is a very nasty side of security. In this case relatives, friends, children, unprotected public networks, etc. have access to the equipment. It is pure Russian roulette: you can go on for 5 years and get away with it, or you can lose or ruin all your documents and valuable files. And besides, if the employee has malicious intent, with "walking" equipment it is really easy to leak data. You also need to remember that employees often transfer files between their personal computers, which again can create security holes.
- Locking devices when away is a good habit in both corporate and personal settings. Again, it protects against curious colleagues, acquaintances and intruders in public places. It is hard to teach, but at one of my workplaces there was a wonderful practice: colleagues would walk up to an unlocked PC, open Paint full-screen with the caption "Sucker's PC!" and change something in the work, for example, tear down the last build or delete the last bug that had been filed (it was a testing group). It is cruel, but 1-2 times was enough even for the most wooden. Although, I suspect, non-IT people may not understand such humor.
- But the most terrible sin, of course, lies with the sysadmin and management: when they categorically refuse to use systems for controlling traffic, equipment, licenses, etc.
This is, of course, a baseline, because IT infrastructure is the very place where the deeper into the forest, the more firewood. And everyone should have this baseline, rather than replace it with the words "we all trust each other", "we are a family", "who needs us anyway"; alas, that only holds for the time being.
This is the Internet, baby; here they may know a lot about you
Safe use of the Internet is due to be added to the school life-safety course (OBZh), and this is not about the measures that are being imposed on us from outside. It is precisely about the ability to tell one link from another, to understand where phishing is and where a scam is, not to open attachments of letters with the subject "Act of Reconciliation" from an unfamiliar address without thinking, etc. It seems schoolchildren have already mastered all this, but the staff have not. There are a bunch of tricks and mistakes that can endanger the whole company at once.
- Social networks are a section of the Internet that has no place at work, but blocking them at company level in 2019 is an unpopular and demotivating measure. Therefore, you just need to write to all employees how to check links for legitimacy, tell them about the types of fraud, and ask them to actually work at work.

- Mail is a sore spot and perhaps the most popular way to hijack information, plant malware, and infect a PC and the entire network. Alas, many employers consider the e-mail client a place to save money and use free services, where 200 spam letters a day arrive and squeeze through the filters, etc. And some irresponsible people open such letters and their attachments, links and pictures, apparently hoping that a Nigerian prince has left them an inheritance. After that the admin has a lot of work. Or was that the intention? By the way, one more cruel story: in one company, the sysadmin had his KPI reduced for every spam letter. In general, after a month there was no spam; the practice was adopted by the parent organization, and there is still no spam. We solved this question elegantly: we developed our own email client and built it into our RegionSoft CRM, so all our clients get this convenient feature too.
[Image caption: "Next time you get a strange letter with a paperclip, don't click on it!"]
- Messengers are also a source of all kinds of unsafe links, but a much lesser evil than mail (not counting the time killed chatting).
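As an added example (not code from the post or from RegionSoft's mail client), here is a small triage rule that holds messages matching what this section warns about: a lure subject such as "Act of Reconciliation" or a risky attachment from a sender domain the company has never dealt with, and HTML links whose displayed URL names a different host than the real target. The sender list, file extensions, sample message and function names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: domains of counterparties the company actually exchanges documents with.
KNOWN_SENDERS = {"partner.example", "bank.example"}
LURE_SUBJECTS = ("act of reconciliation", "invoice", "payment")  # lure subjects named in the post
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".zip", ".rar")
HOST = re.compile(r"https?://([^/\s'<>\"]+)", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def triage(raw: str) -> list:
    """Return the reasons to hold a message for review; an empty list means no rule fired."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    unknown = sender_domain not in KNOWN_SENDERS
    reasons = []
    subject = (msg.get("Subject") or "").lower()
    if unknown and any(word in subject for word in LURE_SUBJECTS):
        reasons.append(f"lure subject from unfamiliar sender {sender_domain}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name and unknown and name.endswith(RISKY_EXT):
            reasons.append(f"risky attachment {name} from unfamiliar sender")
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            for href, text in ANCHOR.findall(html):
                shown, real = HOST.search(text), HOST.search(href)
                # Displayed URL names one host, the actual target another: the "link vs link" trick.
                if shown and real and shown.group(1).lower() != real.group(1).lower():
                    reasons.append(f"link shows {shown.group(1)} but goes to {real.group(1)}")
    return reasons


# Constructed sample message in the style the post describes (not a real capture).
SAMPLE = """From: "Accounting" <docs@free-mail.example>
Subject: Act of Reconciliation for Q3
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review: <a href="http://evil.example/login">https://bank.example/docs</a></p>
--b1
Content-Type: application/zip; name="act.zip"
Content-Disposition: attachment; filename="act.zip"

not-a-real-archive
--b1--
"""
```

`triage(SAMPLE)` returns three reasons (lure subject, mismatched link, risky attachment); a message from a known counterparty with a plain-text body returns an empty list.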
These all seem like little things. However, each of these little things can be disastrous, especially if your company is the target of a competitor's attack. And that can happen to literally anyone.
Chatty employees
This is the same human factor, and it is hard to get rid of. Employees can discuss work in the corridor, in a cafe, on the street, at a client's while talking loudly about another client, or talk about achievements and projects at home. Of course, the likelihood of a competitor standing behind them is vanishingly small (unless you share a business center; that has happened), but a guy clearly laying out a business case can easily be filmed on a smartphone and posted on YouTube, oddly enough. But that is trivia. What is not trivia is when your employees willingly present information about a product or the company at trainings, conferences, meetings, professional forums, or at least on Habr. Moreover, it is not uncommon for people to deliberately draw an opponent into such conversations in order to conduct competitive intelligence.
An illustrative story. At a galactic-scale IT conference, a section speaker put on a slide the complete diagram of the IT infrastructure of a large (top-20) company. The diagram was mega impressive, simply cosmic, almost everyone photographed it, and it instantly flew around social networks with enthusiastic reviews. Well, then the speaker was tracked down via geotags, stands and social networks and begged to have the photos removed, because he quickly got a call and was told off. A chatterbox is a godsend for a spy.
Ignorance... exempts from punishment
According to Kaspersky Lab's global report for 2017, among enterprises that experienced cybersecurity incidents in the past 12 months, one in ten (11%) of the most serious types of incidents involved negligent and uninformed employees.
Do not assume employees know everything about corporate security measures: be sure to warn them, conduct training, send interesting periodic mailings about security issues, hold meetings over pizza and explain the issues again. And yes, a cool life hack: mark all printed and electronic information with colors, signs and labels: trade secret, confidential, for official use, public. It really works.
The modern world has put companies in a very delicate situation: you need to strike a balance between an employee's desire not only to toil at work but also to consume entertainment content in the background, and strict corporate security rules. If you turn on hyper-control and idiotic tracking programs (yes, not a typo: this is not security, this is paranoia) and cameras behind people's backs, employees' trust in the company will fall, and maintaining trust is also a corporate security tool.
Therefore, know the measure, respect the staff, make backups. And most importantly, put real security first, not personal paranoia.
If you need CRM or ERP, study our products carefully and match their capabilities with your goals and objectives. If you have questions or difficulties, write or call us and we will organize an individual online presentation for you, without ratings or bragging contests.
Our Telegram channel, where we write, without advertising, not entirely formal things about CRM and business.