Feature

How to Send an Employee on Vacation Safely: A CEO's Security Checklist


Alexey Parfentiev, Senior Business Analyst, SearchInform


We once conducted a survey to find out whether employees in various companies are familiar with information security rules. Among other things, it asked: "Would you share your login and password with colleagues while you are on vacation?" Only 6% of respondents answered yes. This number seems encouraging, but it is important to understand that people tend to give the 'correct' answers in a survey in order to look a bit better than they are in real life. So what is the situation really like? In fact, people are often not only ready to share their passwords; sometimes they write all the details down on a piece of paper in advance and leave the note somewhere it is sure to be found. The reason is simple and understandable: people just want to be left alone during their vacation.

isky. On the contrary, this is believed to be a responsible approach: the employee has thought about partners and clients in advance. But in fact it is only self-deception. There have been many cases in our clients' practice in which this kind of 'generosity' led to the disclosure of information. Less often, but still not rarely, access to other people's accounts is used for real 'setups', with actions performed under the absent owner's name.

To avoid such situations, some information security specialists prefer a radical reaction: with the help of special software they block all processes on the employee's computer during the vacation whenever the person logging into the account is not the account owner. In modern business conditions this method is too strict, which is why it is better to monitor than to block.

So the question is: what needs to be done before an employee goes on vacation?

Case study

Information security specialists detected suspicious activity on the computer of an employee who was on vacation at the time. It turned out that before leaving, the employee had given a colleague access to his account 'just in case'. Under the company's internal regulations such 'password transmission' was strictly prohibited. Confidential data was stored on the employee's computer, and had it leaked, the company would very probably have suffered serious financial and reputational losses. Luckily, no leak occurred, but the careless employee had to face a serious conversation.

Make sure that the access system is configured appropriately

'Appropriately' means that a given employee can see only his or her own part of the file share, CRM database and tasks; a line manager sees his or her own plus those of the department's employees; the CEO sees everyone's. In this setup the employee simply does not need to share account details with colleagues: everyone who may need this employee's documents, and who at the same time has sufficient authority to work with them, already has access to them.

This advice may seem obvious, but in fact the access hierarchy is not set up properly in many companies. The result is a stream of emergency calls asking someone to 'urgently send the login and password'.
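The hierarchy described above, written out as an access check, is an added example and not SearchInform's own code. The role names, the departments and the users are assumptions constructed for illustration. It also goes one step beyond the text: instead of sharing a password, a vacationing employee gets a time-bounded delegation record that lets a named colleague act on their documents only during the vacation window, so there is nothing to hand over and nothing that keeps working after the employee returns.

```python
"""Hypothetical access model: employee sees own documents, line manager sees
own plus the department's, CEO sees everything. A dated Delegation replaces
password sharing for the vacation period. Added example, all data constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional


@dataclass(frozen=True)
class User:
    name: str
    role: str          # assumed role names: "employee", "manager", "ceo"
    department: str


@dataclass(frozen=True)
class Document:
    owner: str         # user name of the owner
    department: str
    title: str


@dataclass(frozen=True)
class Delegation:
    """`delegate` may act on `principal`'s documents from `start` to `end` inclusive."""
    principal: str
    delegate: str
    start: date
    end: date


def can_access(user: User, doc: Document,
               delegations: Iterable[Delegation] = (),
               today: Optional[date] = None) -> bool:
    """Return True if `user` may read `doc` on `today` under the hierarchy."""
    today = today or date.today()
    if user.role == "ceo":                       # CEO: all employees' documents
        return True
    if user.role == "manager" and user.department == doc.department:
        return True                              # manager: own department
    if doc.owner == user.name:                   # employee: own documents only
        return True
    # Explicit, dated delegation for a vacation deputy; expires on its own.
    for d in delegations:
        if (d.principal == doc.owner and d.delegate == user.name
                and d.start <= today <= d.end):
            return True
    return False


# Constructed sample data for the demonstration.
ALICE = User("alice", "employee", "sales")
BOB = User("bob", "employee", "sales")       # alice's deputy for the vacation
CAROL = User("carol", "manager", "sales")    # alice's line manager
DAVE = User("dave", "employee", "finance")   # unrelated department
EVE = User("eve", "ceo", "board")
ALICE_DOC = Document("alice", "sales", "Q3 price list")
DELEGATIONS = [Delegation("alice", "bob", date(2024, 7, 1), date(2024, 7, 14))]


def access_report(today: date) -> dict:
    """Who can open alice's document on a given day (used by the demo below)."""
    return {u.name: can_access(u, ALICE_DOC, DELEGATIONS, today)
            for u in (ALICE, BOB, CAROL, DAVE, EVE)}


if __name__ == "__main__":
    for day in (date(2024, 7, 5), date(2024, 7, 20)):
        print(day, access_report(day))
```

On 5 July the deputy can open the document and the colleague from finance cannot; on 20 July the delegation has lapsed and only the owner, the line manager and the CEO keep access, which is exactly the state the checklist item asks for.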

Make sure that the employee has not 'shared' information in advance

To be able to work remotely, many workaholics try to provide themselves in advance with all the information and access they might need. The tricky part is that public cloud storage, free personal email and flash drives, the most popular places to put such copies, do not offer a secure way to retain data. 'Temporary' copies are quickly forgotten, and confidential data may sit in the cloud for years with no real need and no appropriate level of security assurance. What's more, users often forget even to turn off public access to it and do not bother with encryption. This was illustrated by the massive leak from Google Docs last summer, when internal instructions, documents containing passwords and reports (including those of very well-known brands) ended up published on the Internet. So storing corporate information in any public service should be prohibited in the company, and the reason for the ban should be explained to the staff. Deliberate leaks are easily detected by a mature DLP system.

Ensure security if the employee has to work with corporate information over untrusted Wi-Fi hotspots

Some employees have to take a corporate laptop with them on vacation. It is crucial that the employee does not have to worry about the security of the Internet connection. The tool for this is a VPN: the IT department should be ready to set one up, so that the employee can work outside the office without exposing data to the hotspot's operator or to other users of the network.

Make sure that no one logs into the employee's account

This can be implemented in different ways. First of all, IT specialists can block the employee's account in Active Directory for the duration of the vacation. This approach has one drawback: legitimate access is blocked too. Some companies are said to send the whole team on vacation during the summer slowdown in business activity, but that is a really exotic situation; most companies can hardly afford to pause their business processes for that long.

Another, more efficient option is to enable two-factor authentication, so that in addition to the usual login and password the system requires something else, for example a code sent by SMS. Nowadays two-factor authentication can be added to practically every modern service, including CRM. This measure gives more confidence that the person logging in is the account owner. If the employee has a temporary deputy (someone in charge during the chief's vacation), the deputy's phone number can be registered in the CRM system. If something suspicious or illegal happens, the violator can then be identified by reviewing the login logs.

Still, this is not a 100% guarantee, because employees can be very creative. Here a more advanced product, a DLP system, can help. It can be configured to take a snapshot with the webcam at every login to the account, so that even if the employee has broken the rules and told a colleague the login and password, the fact is captured with photographic accuracy.
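The log review the two paragraphs above rely on, as an added example that is not SearchInform's code and not the output of any real DLP or CRM product: the log format, the host names, the vacation calendar and the deputy's registered workstation are all constructed for the illustration. The check flags every login to a vacationing employee's account inside the vacation window unless it comes from the registered deputy's host with the second factor confirmed, and it reports why each remaining event is suspicious.

```python
"""Flag logins to accounts whose owners are on vacation. Added example; the
log format below is invented for the demonstration, not a product's format."""
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

# Assumed line shape: "<iso-timestamp> LOGIN user=<name> host=<host> result=<success|failure> mfa=<yes|no>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+LOGIN\s+user=(?P<user>\S+)\s+host=(?P<host>\S+)"
    r"\s+result=(?P<result>\S+)\s+mfa=(?P<mfa>\S+)$"
)


@dataclass(frozen=True)
class Vacation:
    start: date
    end: date
    deputy_host: Optional[str] = None   # registered workstation of the deputy, if any


# Constructed vacation calendar: alice is away 1-14 July, bob's workstation is registered as deputy.
VACATIONS: Dict[str, Vacation] = {
    "alice": Vacation(date(2024, 7, 1), date(2024, 7, 14), deputy_host="WS-SALES-12"),
}

# Constructed sample log, not a capture from any real system.
SAMPLE_LOG = """\
2024-06-28T17:55:02 LOGIN user=alice host=WS-SALES-07 result=success mfa=yes
2024-07-02T08:40:11 LOGIN user=alice host=WS-SALES-12 result=success mfa=yes
2024-07-03T23:15:37 LOGIN user=alice host=WS-SALES-07 result=success mfa=no
2024-07-05T10:02:19 LOGIN user=bob host=WS-SALES-03 result=success mfa=yes
2024-07-07T14:21:03 LOGIN user=alice host=WS-SALES-07 result=success mfa=yes
2024-07-09T12:30:00 LOGIN user=alice host=LAPTOP-UNKNOWN result=failure mfa=no
2024-07-16T09:00:45 LOGIN user=alice host=WS-SALES-07 result=success mfa=yes
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_vacation_logins(log_text: str, vacations: Dict[str, Vacation]) -> List[dict]:
    """Return alerts for logins to a vacationing user's account that are not the
    registered deputy logging in with the second factor confirmed."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        vac = vacations.get(ev["user"])
        if vac is None or not (vac.start <= ev["ts"].date() <= vac.end):
            continue                      # owner not on vacation on that day
        if (ev["result"] == "success" and ev["host"] == vac.deputy_host
                and ev["mfa"] == "yes"):
            continue                      # expected: registered deputy, 2FA passed
        if ev["result"] != "success":
            reason = "failed login attempt during vacation"
        elif ev["mfa"] != "yes":
            reason = "login without second factor"
        else:
            reason = "login from unregistered host"
        alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                       "host": ev["host"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in find_vacation_logins(SAMPLE_LOG, VACATIONS):
        print(f'{a["ts"]} {a["user"]}@{a["host"]}: {a["reason"]}')
```

The deputy's login on 2 July and the owner's own logins before and after the vacation are silent; the three alerts left (a login without the second factor, a login from the owner's usual workstation while the owner is away, and a failed attempt from an unknown laptop) are the events worth a conversation when the employee is back.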

Case study

Information security specialists at a client company found that an employee's hard drive held important files he had no access rights to. That was a serious violation of internal regulations and required immediate investigation. It turned out that remote access software was used frequently on this employee's PC, although his work did not require it at all. The investigation carried out by the information security staff revealed that the employee suspected of the violation did not even know about the files stored on his computer. The real violator was the company's technical specialist, who had used the computer as a temporary 'staging area' before sending confidential data to a third party.

Apart from the information security issues, there is one more reason why establishing all these processes matters. These days people rarely get a vacation that is really a 100% vacation. According to a OneTwoTrip survey, half of employees continue to work during their vacation because of constant questions, phone calls and emails from colleagues. As a result, employees come back tired and irritated, and security problems follow. The consequences are more serious than they seem: the WHO, for example, has recognized burnout at work as a disease. So adjust your processes so that you do not have to disturb your employees, and give them a real break.



 
