It’s National Cybersecurity Awareness Month (NCSAM) and this week’s theme is Cybersecurity in the workplace is everyone’s business.
I’m a Service Engineer working in IT at Sophos and Naked Security asked me to share my thoughts on the mistakes that the IT people in your workplace secretly wish you wouldn’t make.
Your IT guys and girls will thank you for reading it!
1. Lock your computer
Plenty of people lock their computers when they walk away from their desks, but enough people don’t bother that this one is top of my list.
Remember to lock your computer!
Your screen isn’t meant for anyone else’s eyes so if you’re not looking at it, nobody else should be looking at it either. Nobody else should be using your login either, no matter if it’s a colleague sending a joke email in your name when you go for a coffee or a rogue employee rifling through your stuff for confidential information.
To lock your Windows computer use CTRL+ALT+DEL
and select Lock
, or press ⊞+L
. (That square character is the key with the Windows logo on it.)
On a Mac press CTRL+⌘+Q
(the four-leafed clover key is also labelled “command” ), or press the power button briefly.
2. Loose lips sink ships
The expression “loose lips sink ships” is a phrase used in World War 2 to warn of the dangers of unguarded talk. It works in cyber security too.
It’s easy to leak information by accidentally sending things to the wrong people, saying the wrong thing in the wrong place, mislaying printed documents or leaving meeting rooms without erasing whiteboards.
So, re-read what you’re about to send in emails, instant messages or texts, and make sure that what you’re about to send will go to your intended recipients.
Review files before attaching them – it’s easy to leak sensitive information if it’s in a small section of a much bigger spreadsheet or document.
When you’re talking, be aware of where you’re standing and who is around you. Ask yourself if it’s appropriate to share what you’re saying about sales figures, targets, staffing or whatever else you’re talking about with the people in earshot.
And erase the whiteboard before you leave a meeting room. It’s not just a courtesy for the next users of the room, but a routine precaution that ensures nothing confidential will find its way onto the mobile phone of a camera-happy passer-by.
3. Save regularly
I’m aware of how easy it is to get sucked into whatever it is you’re doing but we can’t protect things that you haven’t saved. Saving things regularly, to the appropriate place – such as network drives – ensures that the data you have is secure in the event that your laptop is stolen.
We’ll make sure your work laptop is encrypted so that your data won’t end up in the wrong hands if your laptop is lost or stolen, but we can’t recover your data if you haven’t saved it somewhere safe and secure where we can keep an eye on it for you.
4. Separate personal and professional
If you use your home email, personal WhatsApp account – or anything else outside the reach of your IT’s policies – for work then we can’t protect you and you’ll be answerable for the consequences.
If you use your work computer, email or phone for personal stuff, for eBay, PayPal, adult websites (it happens), pictures of your kids and pets, or anything else, it won’t be there if you leave the company. As an IT professional the first thing I’ll do after revoking your access is to wipe your stuff, poof, gone!
And, whilst I can assure you that almost all of us in IT are lovely and would never take advantage of the information you’ve left behind there will always be some bad apples. The principle of least privilege applies – we don’t need access to your personal stuff so we shouldn’t have it.
5. Tell us what happened (seriously, tell us everything)
Finally, if you have to report something to your IT department please, please don’t cut down or amend your story. We want to know everything. Something small and insignificant can drastically change the troubleshooting steps we need to go through and even a small detail missed can reduce our efficiency and effectiveness.
We want to know literally everything you can remember before and after an event to build a better picture of what happened. (We will find it eventually and be annoyed you didn’t share!)
We’re on your side, and we’d love to have you on ours – we’re all in this together.
shewrite63
Well #2 isn’t exactly an IT issue, it’s more of a company confidentiality issue with some training in using the technology.
Paul Ducklin
True, #2 affects more than the IT department – but this is about 5 steps that IT wish you would take, and confidentiality is a key issue in security. So solving “loose lips” would make IT at least as happy as any other department in the company, including finance and legal.
Anonymous
Lock \\computer name\c$ even to the IT guys
Paul Ducklin
That might not work as well as you think – IIRC, C$ is a sort-of “magic share” that is set up automatically by the Server service (which exists even on workstations) each time it starts, e.g. when you reboot. So I think that fiddling with C$ will give you a false sense of security – if you want to keep files away even from properly authorised and audited members of the IT team, your best bet is…
…don’t put those files on your work computer in the first place. (Or get a Mac, but I didn’t say that.)
minnie1946
I worked within the legal profession for almost 30 years. Legal documents are sensitive to confidentiality under normal circumstances. At my last legal firm, I was a precedent administrator and then a knowledge administrator. Both roles required legal precedent documents … the IP substance held solely by that firm, and also precedent or example documents from other firms … to be stored on a separate secure database accessed only by precedent or knowledge administrators for the purposes of updating, amending or deleting said documents. The documents from other firms required permission to be added to our database and were locked with a secure password for obvious reasons. Imagine my surprise … no, my shock! horror! followed by anger … when I discovered that some IT “professionals” from one of our offices in another state … at the instruction of a lawyer, who absolutely should have known better … had unlocked some sensitive documents so that the lawyer could use those documents for his own matters. You might say well that is a small matter in the scheme of the bigger picture of security but now, more than ever in this chaotic world of 24/7 cyber space, that we need to be more cautious than ever, as so succinctly pointed out by the author of this article.
I did report this breach, of course, to my own IT department and I believe they were following up but I left the firm shortly after that (not related to this incident) so I have no idea what the outcome was.
Tom K
I normally enjoy NS articles but can you please refrain from clickbait style titles? “5 security mistakes your IT team wish you wouldn’t make – Your IT team will thank you for reading it!” — this is not what one expects from a reputable source.
Mark Stockley
Your comments are respectfully noted. In our defence I should mention that we have a long history of doing articles based on lists of things one or other segment of our readership might want to know. For this one we literally walked into the IT dept, sat down with Sam and asked him to tell us five security related things that would make his life easier if users did them more often.
Anonymous
I’m with Mark Stockly here. The headline says “5 security mistakes your IT team wish you wouldn’t make” and when you read the article, it is an IT guy explaining the 5 secureity mistakes he wants you not to make. Clickbait is when the headline doesn’t match up to the article.
Thanks to Mark for asking Sam Cave the question and Sam for answering it.
Claire Annette Reed
As Anonymous correctly stated: “Clickbait is when the headline doesn’t match up to the article.”
And pray tell, what headline would one expect from an established, highly reputable, longtime respected entity such as the curiously-named “Naked Security”?
Hmmm… how about, “A Service Engineering Professional Contributes to the Weekly Theme of “Cybersecurity in the workplace is everyone’s business” During National Cybersecurity Awareness Month.”
Not a hint of clickbait in THAT compelling headline, my friend!
Paul Ducklin
Technically, even that headline is misleading because the nature of the Service Engineering Professional’s contribution is unstated, so you would need to write:
A Service Engineering Professional Contributes a Summary of Five Security Mistakes your IT Team Wish you Wouldn’t Make to the Weekly Theme of “Cybersecurity in the workplace is everyone’s business” During National Cybersecurity Awareness Month.
In simpler words, “Ask not what Sam can do for you, but what 5 things you can do for Sam”. Actually, that would have been quite a cool headline. (That’s Sam as in “Sam Cave”, not “Uncle Sam”.)
Anonymous
To lock on a Mac it’s SHIFT+CTRL+EJECT… not CTRL+⌘+Q
Paul Ducklin
I haven’t had an “eject” button on my past three Macs – haven’t had a DVD drive to eject anything from :-)
Assuming you have macOS, rather than an un-updated old flavour of OS X, try clicking on the Apple icon in the top left corner. You should see a list of handy utilities, including Sleep..., Restart..., Shut Down..., Lock Screen and Log Out....
The documented shortcut for the lock screen is Ctrl+Wacky+Q. Shift+Wacky+Q will log you out instead. (“Wacky” is the name I use for the cloverleaf key, also known as the command key.)
At any rate, Ctrl+Wacky+Q locks my Mac instantly. Very handy.
George Handlin
Funny that item #2 says to reread – you should reread paragraph 3 and correct the typo. :)
I stress #1 & #4 to people all the time.
Mark Stockley
Nice work! Fixed, thanks.
Trace
Like the way this was wrote, made me smile on a wet Monday morning.