Why you need a security policy

By: John Sollars

Date: 21 July 2011

Not a secure way to store passwords. (Image: Nina Matthews Photography on Flickr.)

News just in. Your computer system has been broken into! Yes, your impregnable firewall, amazing anti-virus and 99.9% secure password have all been breached. How could this be? Step forward your company employees.

Recent studies have compounded old research highlighting the astounding ignorance and negligence of employees when it comes to security. Read on to see three ways your employees can undo all your investment in security, and to find out where you may be at risk.

Strangers in the office

A Computer Weekly survey reported that only 4% of employees would challenge a stranger walking into their office and sitting down at a computer. What's more, only 3% would actually ask them for identification.

I'd hope those figures would be higher in smaller businesses, where it's more common for everyone to know everyone else who works there. But it still demonstrates why you need a system of identification of authority - like ID cards - in the office.

Passwords are key

Password security is another key aspect. Aside from the oft-discussed need to use upper and lower case letters, numbers and other random symbols in passwords, it’s how your employees remember logins that can fall short.

A common approach is to write passwords on post-it notes, then stick them under phones or keyboards. Worse, some people stick them in plain view. This gives any intruder a reasonable chance of gaining access with no tools or knowledge of your systems.

One reason passwords are such an issue is that people don't see them as being particularly valuable. One survey found 90% of commuters were happy to exchange their passwords for a free pen!

Sure, some passwords may have been fakes to get a free pen. But the statistics still show a lack of understanding about the damage even a low level user’s password can do in the wrong hands.

Approve all hardware and software

A Valentine's Day study provided random workers with CDs, claiming they contained a promotion to win a romantic holiday. In reality, the CDs sent people to a website promoting security.

The point of the exercise was that the people behind the CD were able to run unauthorised software on computers situated within a company's IT system. According to the study, 75% of people ran their CD.

And a more recent study by the US Department of Homeland Security involved leaving unmarked pen drives and CDs in company car parks, then letting curiosity do the work.

Again, no malicious code was run, but the potential for wrongdoing was there. CDs and pen drives were inserted by 60% of people. If the CD or pen drive had a logo on it, that figure rose to 90%. Scary stuff.

Get your security policy right

I hope these stories have opened your eyes to how even the simplest, most innocent notions can compromise your company’s security. Have you been hit by negligent employees? Do you think you’re at risk? Leave a comment below to let us know.

John Sollars is MD of Stinkyink.com

What does the * mean?

If a link has a * this means it is an affiliate link. To find out more, see our FAQs.