
Whose phone is it?


It is generally agreed that businesses (and schools, sporting teams, political parties, etc) need to have a clear social media policy and ensure the policy is understood by everyone. That is no small task as we constantly witness examples of people behaving badly in the mainstream media. Social media is such a rapidly expanding domain that the policy needs constantly to be revised to ensure it remains current and relevant. That is a good thing to put down on your check-list for year’s end or year’s start. The risk in this area is, however, much broader.

The new tools/toys
Smartphones and tablets are now pervasive in the business world. Part of the reason is that people use these devices to manage every aspect of their personal lives: as GPS devices to navigate in their motor vehicles or on walks, to download video and music, and so on. The logical extension is that today’s generation want these indispensable tools in their working lives, and companies must find ways to fit them into their IT security framework.

Why? Smartphones and tablets can pose security issues for any business, and not just to the business itself but also to any customer or other business whose data is stored on those devices.

Threats such as Trojans (which exploit software vulnerabilities that have not been ‘patched’ on endpoints such as these devices), rogue security applications, viruses, spyware, worms and phishing attempts apply just as much to these nifty and convenient devices as they do to the standard computers located in your offices.

A short time ago it was pretty much unthinkable that commercial information, let alone sensitive commercial information, would make its way onto an employee’s personal device, since such devices are often not covered by endpoint security. Preventing that requires each computing device on a corporate network to comply with certain standards before network access is granted: logon goes through a gateway that hosts the network security program, and at logon the device is scanned to confirm it meets the security standard before entry is permitted. If the use of smartphones and similar devices is allowed but not managed in a security sense, quite simply the business has lost control of its own information.

Passwords
We are all ready to concede that data theft and identity theft are real risks today. So, the first place to look and see if all is well in our world is the area of passwords. SplashData has produced a list of the most common passwords used on the internet. The list is compiled from files containing millions of stolen passwords posted online by hackers. It records 24 of the ‘worst passwords of 2012’, but we will just list the first five here – they illustrate the point graphically!

1. Password (it was in first position in 2011 and will probably be in 2013)
2. 123456 (held second place also in 2011)
3. 12345678 (a more sophisticated attempt than #2 but also third in 2011)
4. abc123 (a genuine alphanumeric attempt!!! Up one place from 2011)
5. qwerty (inspired! Down one place from 2011)

We all know the rules. Passwords should be eight or more mixed characters – letters, numbers, upper and lower case, and symbols or punctuation marks. Why is sloppy practice allowed to continue indefinitely? Ultimately, that is a question for all managers. If you don’t value the commercially sensitive information of your business, why are you working there? If you do value it, why would you condone its leakage under your very nose? The answer is compliance with your IT security standards, and the person who ultimately enforces those is – you.
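As an added illustration (not part of the original article), the following Python snippet turns the rules above into a checker a business could run when a password is set: it rejects anything on the article's five-entry list, enforces the eight-character minimum and the four character classes, and, as a caveat the rules alone miss, also catches a listed password dressed up with a digit or symbol (so "Password1!" satisfies every complexity rule yet is still rejected). The blocklist is the five entries quoted above; the function name and thresholds are assumptions for the example.

```python
import string

# The five most common passwords quoted in the article (SplashData's 2012 list).
# A real deployment would load a much larger breached-password list from a file.
COMMON_PASSWORDS = {"password", "123456", "12345678", "abc123", "qwerty"}

MIN_LENGTH = 8  # the article's rule: eight mixed characters or more


def _letters_only(candidate: str) -> str:
    """Strip digits and punctuation so 'Password1!' is compared as 'password'."""
    return "".join(c for c in candidate if c.isalpha()).lower()


def check_password(candidate: str) -> list[str]:
    """Return the policy rules the candidate fails; an empty list means it passes."""
    failures: list[str] = []

    # Blocklist checks come first: a known-bad password fails regardless of length.
    if candidate.lower() in COMMON_PASSWORDS:
        failures.append("appears on the common-password list")
    elif _letters_only(candidate) in COMMON_PASSWORDS:
        failures.append("a common password with digits or symbols added")

    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in candidate):
        failures.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        failures.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        failures.append("no symbol or punctuation mark")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs: the article's worst offenders plus two variants.
    for sample in ["Password", "qwerty", "Password1!", "Tr0ub4dor&3"]:
        verdict = check_password(sample)
        print(f"{sample!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The order of checks matters: putting the blocklist test first means a rejection message tells the user their password is known to attackers, which is the point the article makes, rather than merely that it lacks a symbol.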

Investigative issues
It is quite critical that you decide, as a manager, whether the company issues and owns the piece of equipment or whether employees are allowed to bring their own on the understanding that apps will be provided which enable access to business-critical data without that data being stored on the device. The unaffordable situation is where there is no direction and people make their own arrangements. The thought that this might save the business a few dollars in equipment outlays is swamped by the risk that is being needlessly embraced. So, information security policies need constantly to be revised to ensure they are as current as the technology being employed. We have not even addressed the risk of large-screen smartphones or tablets being viewed by others when employees decide to do some work on the bus, train or plane.

From a forensic accounting viewpoint, the technology in some smartphones is changing so rapidly that a real challenge is presented to those tasked with investigation of a major leak. Previously, mobile phones had a telephone address book and a bank of SMS messages that had not been deleted. Smartphones may contain gigabytes of data – much of it potentially yours! They will play an ever increasing role in your business, but the risk exposure, as always, needs to be recognised and addressed.

Everyone’s a reporter
Smartphones and social media allow people instantly to share any ‘oops’ moment in their own or another’s life. With the approaching end-of-year festivities, there will be plenty of people who will engage in behaviour that may be regretted the morning after or when sober. The temptation will always present itself to snap friends or yourself in moments of high celebration. The risk enters this world when you post them on Facebook or send them to 150 ‘best friends’, or someone posts images of you. Somewhere a copy of the image and your identity will be preserved, no matter how much deleting takes place.

A year or two later, these same people will be applying for different employment, submitting themselves for a security clearance to join some part of Government service or seeking a promotion in the public sector. One of the obvious pieces of data-mining that anyone conducting a background search on such a candidate will undertake is to trawl through the various social media. Indeed, some firms maintain a watching brief on social media in case any of their employees surface in undesirable circumstances.

If you don’t want the whole world to share your moment of embarrassment or stupidity, don’t take the picture. If you cannot resist the temptation to make the moment indelible, do resist the temptation to demonstrate to the world that you are a goose by sharing it. And remember that whatever you SMS, email, post or tweet is forever part of your personal profile and employment portfolio – because nothing is ever completely deleted. Now, that’s a sobering thought!
Gerard Walsh

Gerard Walsh is a business risk and resilience management consultant with over 25 years security experience, including Corporate Security with global responsibility for AMP and former Deputy Director-General of ASIO.

 All reasonable care has been taken in the research and preparation of this assessment. However, G P Walsh & Associates (GPW) is not responsible for any non-disclosure by the client, its agents or contractors or by government websites, regulatory authorities or other persons GPW has interviewed or consulted in the preparation of this assessment. By commissioning a report, the client acknowledges all such reports require accurate information to inform the detailed assessments and GPW is neither responsible nor liable for any omission or error in its reporting, unless professional negligence is proven. Furthermore, no such inquiry is definitive and GPW can only make an assessment for further consideration of its clients.