Budgets are tight everywhere this year. It's tempting to put off investing in security because "we just can't afford it now." That's a risky strategy at any time, but worse, it's largely an unnecessary attitude. There are many things you can do to improve your security posture that don't cost cash. They do cost your time and attention, though. Make fixing these common mistakes a priority.
- Walk around your office some night and see how many people keep their passwords on sticky notes right on the computer monitor. Keeping track of passwords is hard. But writing them down and leaving them out for every casual visitor or after-hours maintenance person to see is inexcusable.
- While you're walking around, see how many people left sensitive documents on their desks. Make sure that sensitive documents, especially anything with an SSN or driver's license number on it, are put away at night. If you absolutely can't implement a clean desk policy in your office, at least flip over the top page in the stack to reduce the temptation to snoop.
- If you allow the use of thumb drives in your environment, make sure you watch for them, too. Thumb drives are high-risk devices because they are very easy to steal.
- Make sure people keep their access cards with them at all times. Access cards are your credentials. If they fall into the wrong hands, the bad guy effectively is you. He/she can do anything you can do and you will get the blame. Access cards should be protected as carefully as the data they protect. (And, by the way, neither under your keyboard nor in the top right drawer of your desk is a safe place to keep them. Thieves know to look there.)
- Prevent tailgating and make sure your visitors are escorted. Challenge unknown people - politely but directly. Don't assume that just because a person is in your area, they have a right to be there.
- Remember the fax and the printer. Countless sensitive documents get overlooked and often forgotten or lost when we send them to the printer. Make sure you have internal control and that documents get picked up immediately.
In other news, this will be my last tip for a while. Westfield has asked me to take on some new responsibilities within our Legal department, so some of the other members of the Information Security team will be stepping up to the publication of these tips. Writing the tips has been a lot of fun. I hope they have been helpful to you. Stay safe.