Earlier this year, we talked about the WannaCry and Petya ransomware attacks and the part that human mistakes play in their success. There, we focused on the importance of making system updates a priority. You can read that article here. This month, we'll explore other "computer control" missteps that invite cyberattacks and system infections.
- Inappropriate or missing administrator controls
WannaCry's worm component spread over SMB through the MS17-010 vulnerability and needed no user action, which is why patching was the focus of the earlier article. But when security experts dug into the infections, a major contributing factor was non-IT personnel with local administrator rights: these individuals were making deeply flawed decisions for the sake of convenience, such as disabling security solutions to speed up their PCs.

Non-IT personnel should never have administrator rights to any computer on the corporate network. Yet, in many firms, they do. Some companies don't restrict administrator rights on any of their computers, especially those running older versions of Windows (where the default user account is often an administrator). This approach puts company systems, networks and assets at extreme risk.
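The quickest way to find out whether this problem exists in your environment is to ask each workstation who is in its local Administrators group and whether its endpoint protection is still switched on. The script below is an added example, not part of the original article: it uses the built-in Get-LocalGroupMember and Get-MpComputerStatus cmdlets (Windows 10 / Server 2016 or later, PowerShell 5.1+), and the $Sanctioned allowlist patterns (the CORP domain and group names) are hypothetical placeholders you would replace with your own IT groups. Remote machines are queried with Invoke-Command, so PowerShell Remoting must be enabled on them.

```powershell
# Added audit example (not from the original article). Assumes Windows 10 / Server 2016+
# with PowerShell 5.1 or later. The allowlist entries below are HYPOTHETICAL; replace the
# CORP\... patterns with the groups your IT staff actually use.
param(
    # Machines to audit; defaults to the local computer.
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # Wildcard patterns for principals that are allowed to be local administrators.
    [string[]]$Sanctioned = @(
        '*\Administrator',          # built-in local admin account (rename/disable per your policy)
        'CORP\Domain Admins',       # hypothetical domain group
        'CORP\Workstation Admins'   # hypothetical delegated IT group
    )
)

# Runs on each target: list Administrators members not matching the allowlist and
# report whether Microsoft Defender real-time protection is still enabled.
$audit = {
    param([string[]]$Sanctioned)

    $members = Get-LocalGroupMember -Group 'Administrators'
    $unexpected = foreach ($m in $members) {
        $allowed = $false
        foreach ($pattern in $Sanctioned) {
            if ($m.Name -like $pattern) { $allowed = $true; break }
        }
        if (-not $allowed) { $m.Name }
    }

    # Defender status; on machines with a third-party AV this cmdlet may be absent.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $rtp = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'unknown' }
    $av  = if ($mp) { $mp.AntivirusEnabled } else { 'unknown' }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        UnexpectedAdmins   = @($unexpected)
        RealTimeProtection = $rtp
        AntivirusEnabled   = $av
    }
}

$results = foreach ($c in $ComputerName) {
    if ($c -ieq $env:COMPUTERNAME) {
        & $audit $Sanctioned
    } else {
        Invoke-Command -ComputerName $c -ScriptBlock $audit -ArgumentList (,$Sanctioned)
    }
}

# Show only machines that need attention: an unsanctioned admin, or protection off/unknown.
$results |
    Where-Object { $_.UnexpectedAdmins.Count -gt 0 -or $_.RealTimeProtection -ne $true } |
    Format-Table Computer, RealTimeProtection, AntivirusEnabled,
        @{ Name = 'UnexpectedAdmins'; Expression = { $_.UnexpectedAdmins -join ', ' } } -AutoSize
```

Run it as `.\Audit-LocalAdmins.ps1 -ComputerName PC01,PC02` from an account that is itself an administrator on the targets. Anything listed under UnexpectedAdmins is a candidate for `Remove-LocalGroupMember -Group Administrators -Member <name>`; a machine showing RealTimeProtection as False is exactly the "disabled for convenience" case described above, and should be investigated before the account is demoted.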
- Supporting personal devices on the corporate network
If organizations allow users to log onto the corporate network with their personal devices, they must ensure the devices are also appropriately secured against intrusion, and that is a tall order. All it takes is one infected app download to open a back door straight into the heart of the corporate network.

Nevertheless, there are times when personal device usage is beneficial and even necessary for some companies. The best approach is to implement a mobile device management solution and require all personal devices to be managed by it.
- Allowing employees to use the corporate network for personal tasks
Not only do personal activities such as sending/receiving personal email or streaming videos (hopefully during breaks) draw network bandwidth away from corporate tasks, they are also one of the most common ways malware reaches corporate systems. Yet many organizations think it's OK to let workers access the network for personal reasons as long as they do it on personal time.

What should business owners do? Tracking employee Internet activity is one solution, but it tends to put a damper on morale and it's not proactive. (It's like reviewing security camera footage after a theft: it's informative, but it doesn't prevent the crime.) A better plan is to establish a separate "guest" network for employees and visitors that is completely segregated from corporate systems. Segregated means enforced at the network level (a separate VLAN with firewall rules that block traffic into the corporate network), not merely a second wireless network name on the same LAN.
Finally, all aspects of technology usage in the workplace should be clearly outlined in company policies, and they should be consistently communicated and applied across the board. Don’t assume your more tech-savvy personnel automatically follow the rules.
I have personally helped repair damage to systems caused by employees setting up private (rogue) Internet routers or breaking into the network with personal devices for after-hours video streaming. I call these folks “Gizmo Guys and Gals.” Their tinkering can cause damage that requires thousands of dollars in repairs, even without a cyberattack.