Network security is every employee's responsibility


Your people are the first line of defense when it comes to protecting information behind your firewall. This overview of best security practices will help them understand how to meet that critical responsibility.

In Summary:

Every employee needs to think about security every day.

Safe computing is easier than you think.

If you suspect a security breach, contact your IT department immediately. It is better to be wrong than to risk compromising or losing vital data.

Someone is trying to break into your company's network right now — and it's every employee's job to stop it.

Not completely, of course. The IT department is in charge of installing and managing security technologies to keep viruses, scams, intrusions, and other hacker exploits from compromising important data and interfering with daily operations. However, everyone from entry-level workers to those in the executive suite is responsible for using those technologies wisely so that they work as they should. Read our guide on how employees can help protect your networks from misuse and attack.

Password protection

Most of us know the basics:

Choose complex passwords containing symbols and numbers as well as letters.

Change them regularly.

Never use the same password for two different purposes (although we often do).

Many of us also have a hard time remembering all those passwords.

Try the following surprising tip from Washington, D.C., security analyst Eric M. Cole, author of Hackers Beware: the Ultimate Guide to Network Security: Whenever possible, make your passwords longer. Unless your systems limit you to a shorter password, choose a string of text 25 to 30 characters long, such as the last line of your favorite song or the first letters of every word in a phrase. For example, an employee might turn the phrase "Now is the time for all good men to come to the aid of their country" into the password Nitt4AGMtc2taotC. A password based on text only meaningful to you will be easy for you to remember, but almost impossible for anyone else to guess.

When memory fails, employees can retrieve or reset their passwords with an application that asks them for identification (for example, the answer to a secret question) and then e-mails the password to their internal address.

Technology can save your employees from needing to remember passwords at all. Your company might adopt a system that saves passwords on a small portable storage device, like a smart card or a USB flash drive. Employees must have and use the device whenever they need to enter a password.

Data safety

An unprotected, unattended computer is an open door to the network, and it only takes a minute to copy or delete a file. Install password-protected screen savers, so that whenever employees leave their desks, data and files will be inaccessible, Cole says.

Increasingly, business software is making it easier for people to practice safe computing, without thinking too much. For instance, the 2007 Microsoft Office system offers many built-in security features, says Katherine Murray, author of First Look 2007 Microsoft Office System. These features allow you to:

encrypt and password-protect files before you store or share them;

save a file in read-only format so that only you can change it;

save a file with the print and copy commands blocked;

embed a digital signature in a file to prove its origin;

disable macros and ActiveX controls which might carry viruses;

create a list of Trusted Publishers whose files you know are safe.

Create policies to guide your employees in using these features. For example, you might instruct employees to encrypt all business-critical files before e-mailing them to an external address, or save final versions of documents as read-only files with the digital signature of the manager responsible for approval.

The basics of backups

Your security policies should also cover data backups. Ask people in your IT department for guidance in setting these standards:

which files individuals should back up on their PCs, and how often;

which files and data the IT department backs up, and how often;

the preferred method for desktop backups, such as CD, server, or flash drive transfers, or an online backup service.

Many companies store sensitive information, such as customer or financial data, only on secure servers. In this case, employees should not copy that data to any other form of media without explicit permission, says Alan Coburn, managing consultant at DNS, a Microsoft Gold Certified security services firm in London.

E-mail privacy and security

E-mail was designed to move data quickly, not securely. Consider the following guidelines for safe e-mail practices:

Don't follow links within e-mail, especially from an unfamiliar source. Retype the links into your browser.

Don't click on attachments from unknown senders, especially ".exe" files.

Delete obvious spam without opening it.

Desktop programs like Microsoft Office Outlook 2007 include security features to help you manage and protect your inbox, Murray says. For example, Outlook can:

add an electronic postmark to prove your e-mail comes from you;

block image downloads from all but Safe Senders so spammers can't tell whether your address is "live";

block specific senders and send their mail to the Junk folder;

automatically disable suspicious links within a message;

disable scripts;

block attachments from all external addresses, or from anyone not on your Safe Senders list;

encrypt e-mail so that only recipients with the proper encryption key can read it.

Security for mobile devices

Safeware, a computer insurance company in Columbus, Ohio, reports that more than 600,000 laptops were stolen in 2004. These expert tips from Coburn and Cole can prevent data loss in case of laptop or device theft:

Set your laptop and PDA to require a password at startup and wake-up.

Encrypt sensitive data so that only you can access it.

If you must leave your mobile device in a car, put it in the trunk before you reach your destination so that thieves don't know it's there.

Equip your laptop with a hardware tracking program such as PCPhoneHome, CyberAngel, or ComputracePlus that e-mails you or your IT staff whenever it connects to the Internet. If a thief uses your laptop to go online, you'll receive a message containing an IP address, which lets you pinpoint the location of the Internet connection.

Choose PDAs and smartphones that run the latest version of Windows Mobile, and make sure your company is using the Messaging and Security Feature Pack for Microsoft Exchange Server 2003 SP2, Coburn says. With this feature pack, your company's Exchange server will remotely erase the device's data after a certain number of wrong passwords.

How to handle a security emergency

No matter how cautious your people, accidents happen. Here's what employees should do if the worst happens:

If you lose your laptop or misplace your PDA:

Contact the IT department immediately.

Describe the device and the applications and data it contained. This will help IT change network passwords and restore your data from backups.

If you lose a Windows Mobile device, ask IT to use the Remote Device Wipe feature to erase the device the next time it tries to retrieve your messages.

Call the police. Your computer is more valuable as a source of cash than a source of corporate information, and a thief will probably try to sell it within a few days.

If you e-mail sensitive information to the wrong person:

Contact the IT department immediately.

E-mail the recipients and ask them to delete the information.

Ask your supervisor whether the situation requires that you contact your company's attorney.

If your computer is redirecting your Web browser, launching programs you didn't install, or otherwise behaving in strange new ways:

Contact the IT department immediately, and describe the problem in detail.

Follow instructions to remove the virus or other malware causing the problem. You may have to send your computer away for repairs.

Finally, relax. While security breaches can cause a serious problem, a little bit of attention every day is the best prevention.

Fawn Fitter is a freelance writer in San Francisco, specializing in business and technology. She has written for publications including Fortune Small Business, Knowledge Management, and Computerworld.


