Users: The weakest link in laptop security
Is end user training still an optional luxury?
Reg Tech Panel If you ask the average business person who is responsible for the security of data held in computer systems, the chances are they will point to the IT department. After all, it's all about passwords, keys, firewalls, locks on computer room doors and other systems-related perceptions they have picked up without ever really having thought about it.
OK, we might be doing some business people a disservice here, but when a breach occurs, it's never very long before IT's phone starts to ring.
At the same time, it never ceases to amaze IT people, particularly those in support, how irresponsible some users can be. No one reading this needs a lesson in the risks that irresponsible or thoughtless user behaviour represents, but when it comes to laptop usage, it focuses the mind to see some of the common exposures listed together:
- Leaving equipment unattended, on view and wide open to theft in cars, coffee shops and other public places.
- Bringing sensitive information up on screen for anyone in close proximity to read when sitting on the plane, train, etc.
- Having everything set up to automatically log in to systems and websites with usernames and passwords saved locally. Break into the machine, and you're into everything else.
- Letting someone else 'borrow' their laptop to get online for a few minutes to check their email.
- Letting the kids play on their PC, load dubious software from dubious sources, and access dodgy sites on the internet.
- Loading dubious software from dubious sources, and accessing dodgy sites on the internet themselves!
- Disabling or working around security measures implemented by IT because they're inconvenient and slow things down.
- Connecting to any wireless network available without any thought about who owns it and who else might be on it.
These are just examples, and I am sure you can think of more.
The obvious one we haven't mentioned is the minefield created by the ease with which information can be copied and exchanged via removable media such as USB keys. Mobile users with laptops are particularly prone to exposure here, as they typically interact routinely with more external people with whom they are likely to want to share information. Apart from the risk of sensitive data ending up in wrong hands, there is always the chance of picking up malware from others’ devices that the user plugs into their own machine.
The reality is that the weakest link when it comes to mobile security is the user, not the technology. So how do we deal with this?
Well, putting some policies, procedures and guidelines in place is an obvious place to start if they don't exist already. However, Reg research conducted a while back (pdf) in relation to mobile working in general suggests that this itself isn't enough.
The feedback we received showed a strong correlation between the proactive training of users and their attitude and awareness with regard to security. Organisations that implemented formal classroom-based training in particular stood out as having a much higher degree of confidence in their workforce.
With this in mind, we are interested in your experiences of dealing with the 'human factor' when it comes to laptop security. Examples of less-than-intelligent behaviour, views on the most common areas of exposure, and in particular experiences of things you have tried or implemented that have worked (or otherwise) would all be interesting to hear.
If you have any thoughts about where the buck stops on this issue - with IT, HR, business managers or even users - then your feedback on that question would be interesting too. So, let us know what you think in the comments below. ®
@AC "Enough Already"
"Laptops are not securable."
Of course they can be, silly ... This one is. But then, this user knows what he is doing.
"Stop with the nonsense already."
Ain't gonna happen. Can't sell advertising without entertaining the GreatUnwashed.
Got a new works laptop, locked into user mode. Instead of having a password that I can remember, I have to change it for a different one each month, so month one is Password01, then Otherpassword02 etc, then back to Password01, as advised by the IT department.
Backups? Got this great utility that backs up all data to the server, great if in the office, but over a VPN shared with 100 other users? Not a chance, so it's backed up when in the office every 2-4 months and onto a USB stick when I can be bothered.
This is then transferred onto personal DVD backups. Not secure, but that's the way it goes....
Being a user myself
I'm more fed up with stupid management policies and, even worse, stupid IT developers that insist on every damn application at work requiring a different username and password before I can use it. I think I'm currently at 15 combinations and it's growing - I'm only a mere mortal too, so don't have access to all the systems. Even the damn intranet needs me to log in, as it doesn't check who I've just logged on to the network as.
As for laptops and VPNs, well, sometimes it just has to be seen to be believed. We run two types of VPN access depending on whether you are connecting over broadband/wifi or via dialup. The dialup uses SecurID tokens to authenticate. The other one, however, is just a username and password - it's not even a locally set password but one dished out by IT, and to make it worse we all use exactly the same password.....
Black helicopters coz frankly we aren't paranoid enough
Educating users doesn't work...
...if there's no penalty attached or you aren't allowed to enforce it. HR drones can usually find a way to get the user off with just a warning if it's someone's golden boy who is the offender yet could manage to dismiss someone for farting in the wrong key if their face doesn't fit.
The reason you can put multiple people in is that there are times I need to see who else it was sent to. For example, an email about a problem spreading over our mobile VPN and accounting system: I need to see whether it has been sent to just me (VPN) or to me and our accounting systems expert, and if not I need to email him.