{"id":5000,"date":"2016-01-05T18:11:19","date_gmt":"2016-01-05T18:11:19","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=5000"},"modified":"2019-11-15T22:55:29","modified_gmt":"2019-11-15T11:55:29","slug":"a-few-recommendations-on-the-cybersecurity-of-the-workplace","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/a-few-recommendations-on-the-cybersecurity-of-the-workplace\/5000\/","title":{"rendered":"A few recommendations on the cybersecurity of the workplace"},"content":{"rendered":"<p>Holiday season is over, and hopefully everyone had a decent rest and some well-earned peace and quiet.<\/p>\n<p>Now, we\u2019re back to work. For the first 2016 Kaspersky Business blog post, we\u2019ve chosen a topic that may sound a bit too hortatory: Commandments of Office Security. It\u2019s actually a\u00a0handful of common problems with cybersecurity in the workplace, and the ways to solve \u2013 or at least mitigate \u2013 them. This is not a complete list, of course, as there are many more issues. Let\u2019s take a closer look.<\/p>\n<p><strong>Case one: somebody knows worse<\/strong><\/p>\n<p>It isn\u2019t Alice\u2019s job to watch out for cybersecurity. She\u2019s the CFO in a medium-sized firm, but she learnt to be cautious long ago, and is very good at telling phishing letters from legitimate ones.<\/p>\n<p>When a message ostensibly from the IRS hit her inbox, Alice felt her suspicions rising. Although everything looked okay, there was something a bit sinister about the date \u2013 out of cycle, too early.<\/p>\n<p>Anyway, it was late evening, past working hours already, so checking out the source wasn\u2019t an option. Alice chose not to open the attachment until she could ascertain the source \u2013 i.e. until the next morning.<\/p>\n<p>Too bad she had to be OOO the next day. 
And her assistant, tasked with handling the boss\u2019s emails while she was away, was\u00a0a much less experienced person \u2013 and fell for the trick.<\/p>\n<p><strong>The breakdown<\/strong><\/p>\n<p>This scenario may seem a bit far-fetched, but it is not necessarily so. It was Alice\u2019s mistake (or, rather, a result of a faulty security policy in the entire company) that the wrong person was tasked with handling executive emails. Executives are among the primary targets for <a href=\"https:\/\/business.kaspersky.com\/av-comparatives-awards-kaspersky-labs-anti-phishing-technology\/4494\/\" target=\"_blank\" rel=\"noopener nofollow\">phishers<\/a> and <a href=\"https:\/\/business.kaspersky.com\/apt-predictions-for-2016-there-will-be-no-more-apts-oh-wait\/4821\/\" target=\"_blank\" rel=\"noopener nofollow\">APT<\/a> actors.<\/p>\n<p>Education of the staff against phishing is a highly recommended proactive security measure. So is the deployment of an automatic anti-exploit system such as the <a href=\"https:\/\/business.kaspersky.com\/a-problem-of-exploits\/4248\/\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Automatic Exploit Prevention<\/a> solution. It wouldn\u2019t let the exploit through.<\/p>\n<p><strong>Case two: Let the guest remain the guest<\/strong><\/p>\n<p>Jerome wasn\u2019t expecting anything bad from a friend visiting him in the office shortly before the end of the day. The friend asked if there was\u00a0WiFi available for his tablet, and Jerome handed over the password to the company\u2019s internal network. 
It turned out the friend\u2019s tablet wasn\u2019t secure and clean\u2026<\/p>\n<p><strong>The breakdown<\/strong><\/p>\n<p>This is why\u00a0guest networks exist. Jerome has definitely violated the company\u2019s security policy by allowing a stranger inside the network. Even if the stranger didn\u2019t mean any harm, the malware sitting on his devices did.<\/p>\n<p>The guest network should be totally isolated from the internal network, and data exchange between them should be very limited and strictly controlled. Otherwise\u2026 well, hopefully, removing the Android malware that slipped from the guest\u2019s device into the internal network wasn\u2019t much of a big deal.<\/p>\n<p><strong>Case Three: The bird of prey carried something away<\/strong><\/p>\n<p>Chuck has never been good at fighting, especially if outnumbered in a dark alley late at\u00a0night. Thugs got away with Chuck\u2019s smartphone. Fortunately, his health was damaged much less than his ego. But there was yet another reason for his anxiety: the smartphone contained certain working files that weren\u2019t supposed to fall into the wrong hands. 
And that is exactly what happened.<\/p>\n<p><strong>The breakdown<\/strong><\/p>\n<p>Depending on whether the smartphone was \u201cregistered\u201d with the company\u2019s IT staff and the <a href=\"https:\/\/business.kaspersky.com\/mobile-device-management-and-device-control-in-kaspersky-endpoint-security\/1082\/\" target=\"_blank\" rel=\"noopener nofollow\">appropriate measures<\/a> were deployed, the problem is either huge or almost non-existent.<\/p>\n<p>If the smartphone is armed with the <a href=\"https:\/\/business.kaspersky.com\/data-isolation-patent\/4829\/\" target=\"_blank\" rel=\"noopener nofollow\">corporate security solution<\/a> and anti-theft tools, the device will soon be retrieved, or sensitive data wiped remotely, or, in the worst case, the criminals will be left with a useless \u201cbrick\u201d in their hands before they can sell it.<\/p>\n<p>Otherwise, the repercussions may go far and wide for the entire company. The chances\u00a0that Chuck was not a random victim, and that the thugs were really going after his smartphone specifically, are slim. Such a scenario would fit in a spy flick like \u201cMission: Impossible\u201d, but even more outlandish things happen, so dismissing such a situation would be unwise.<\/p>\n<p>With BYOD every user and every carrier of the work-related data becomes a network endpoint and as such requires protection, which can only be provided if the IT staff is aware of the existence of these \u201cendpoints\u201d \u2013 first and foremost personal devices used for work.<\/p>\n<p><strong>Case Four: A yellow sticker and webcam<\/strong><\/p>\n<p>Passwords, passwords, passwords. A daunting number of them have to be memorized over the course of everyday work. It is such a temptation to use just one or a handful of similar ones, or to write them all down on a sticky note and keep it nearby.<\/p>\n<p>That\u2019s what Andy did. 
On the wall there is a handful of yellow stickers with multiple arcane, hard-to-break, impossible-to-guess combinations of symbols, letters, and digits.<\/p>\n<p>When these passwords were used by the cyber-intruders to wreak havoc in Andy\u2019s company network, he was knee-deep in trouble. Eventually, investigators found out that those stickers had been photographed with a nearby laptop\u2019s webcam.<\/p>\n<p><strong>The breakdown<\/strong><\/p>\n<p>Passwords aren\u2019t something to be shown for all to see. Even though it may seem that nobody can guess which password belongs where, leaving them in plain sight is as unsafe as sharing them in plain text via e-mail, for instance.<\/p>\n<p>And the safe approach? \u2013 A good <a href=\"https:\/\/business.kaspersky.com\/password-management-in-kaspersky-small-office-security\/1290\/\" target=\"_blank\" rel=\"noopener nofollow\">password manager<\/a> that will have you remember just one master password.<\/p>\n<p><strong>Wisdom of a mild paranoia<\/strong><\/p>\n<p>Now, these are a few scenarios related to various cyberincidents in the work environment. 
They may look \u201cfantastic\u201d, but they are not \u2013 cyberattackers really use webcams for \u201cintel-gathering\u201d (remember Carbanak).<\/p>\n<p>The list of \u201ccommandments\u201d of cybersecurity in the workplace would be long, much longer than these four cases, but the basics are these:<\/p>\n<p>\u2013 Do everything to prevent phishers from succeeding (phishing letters are the first attack vector for a long list of other threats);<\/p>\n<p>\u2013 Set up a guest network and keep it isolated from the internal one; no non-employees are to use the internal network;<\/p>\n<p>\u2013 If BYOD is in, take the \u201calways guilty, always wrong\u201d approach to the \u201cvisiting\u201d devices. Admins should always know what devices you are using for work and have a remote \u201ckill switch\u201d for working data on such devices in case they are\u00a0lost or stolen, or the owner is leaving the company;<\/p>\n<p>\u2013 Passwords should be kept private, accessible only to their specific user; using a password manager is the best way, using stickers on the wall is the worst.<\/p>\n<p>We can add here a recommendation to restrict the use of <a href=\"https:\/\/business.kaspersky.com\/malicious-links-in-social-networks-a-costly-experience\/1145\/\" target=\"_blank\" rel=\"noopener nofollow\">social networks<\/a>, unless they are necessary over the course of work, and file sharing services\/clouds unless they are absolutely necessary. 
Perhaps this may look a bit over the top, but if there is something to lose, better to do everything to prevent such losses.<\/p>\n<p>Please feel free to share your own experience and thoughts on the cybersecurity in the office.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>For the first 2016 Kaspersky Business blog post, we&#8217;ve chosen Commandments of Office Security, a handful of common problems with cybersecurity in the workplace, and the ways to solve &#8211; or at least mitigate &#8211; them.<\/p>\n","protected":false},"author":209,"featured_media":15350,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2994],"tags":[2377,2302,2378],"class_list":{"0":"post-5000","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-backtowork","10":"tag-protectmybiz","11":"tag-workplace"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/a-few-recommendations-on-the-cybersecurity-of-the-workplace\/5000\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/a-few-recommendations-on-the-cybersecurity-of-the-workplace\/5000\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/a-few-recommendations-on-the-cybersecurity-of-the-workplace\/10029\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/a-few-recommendations-on-the-cybersecurity-of-the-workplace\/5000\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/backtowork\/","name":"backtowork"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/5000","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"hre
f":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=5000"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/5000\/revisions"}],"predecessor-version":[{"id":24627,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/5000\/revisions\/24627"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/15350"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=5000"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/categories?post=5000"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=5000"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}