Friday, May 9, 2014

A Case for Employer-Provided Security


Each year, more organizations are choosing a new approach to information security. With the growing popularity of “bring your own device” (BYOD) in companies, security administrators are encouraged to provide additional security training and services to employees for their personal devices and networks.

One common technique for professional attackers is to infiltrate an employee’s personal computer and home network in order to gather material for password guessing or for social engineering pretexts. For example, if a social engineer learns that a target is an avid fan of the finer aspects of cocker spaniel breeding, they might visit dog parks near the target’s home in order to build a relationship with them. Although this example might seem slightly far-fetched, it is little things like this that can lead to the compromise of organizational networks. When common interests are found, targets often let their guard down.

Some organizations have opted to provide antivirus software and subscriptions to their employees, in the hope of minimizing the risks associated with remote employees and home teleworkers. Military service members have taken advantage of such services for several years, while other public and private organizations have started to follow suit. Let’s face it – in order to remain competitive in the workplace, employees are often forced to complete some job functions from home. Some of these functions include checking and responding to work email and creating documents. These emails and documents eventually make their way back onto the organizational networks, presenting another avenue of approach for attackers and malware.

I believe that organizations should take an additional step in training their employees on aspects of personal network security. Topics like secure wireless networking, patch management, and computer account best practices should not only apply to the workplace, but also to any other systems that employees use to do their job. BYOD organizations should treat all employees as if they are remote workers, providing all the previously mentioned services and training as well.

Of course, these suggestions are only one man’s opinion. What do you guys think? What has your organization done to help employees to be more secure at home, or have security awareness and services been focused on workplace information and information systems, alone?

Steve P. Higdon has been working in the information security field for over ten years, providing support and consultancy to several public and private sector organizations. Steve holds several industry certifications and can be reached via email at infosec@stephenhigdon.com and on Twitter at @SteveHigdon.