Cyber Security considerations for work from home.

Cyber Enterprise Risk Management Internal Controls

I was reading an article in Risk Management Magazine, “An Increased Remote Workforce Calls for Increased Cybersecurity Protection”. Though the article offers the right advice, its approach is not proper.

Let me explain.

It states “..employees can help protect company confidentiality by: connecting to a corporate network through a VPN (virtual private network); using strong, unique passwords and multi-factor authentication; and operating on encrypted Wi-Fi connections only.”

A simpler solution would have been to configure your systems to require multi-factor authentication and to enforce password complexity, length and history, and to configure them to reject any connection that does not arrive through the VPN. Then you don’t have to rely on the employees.
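As an added illustration of that point (example code written for this post, not taken from the article), the following enforces the VPN-only, MFA and password-policy rules on the server side so that nothing depends on the employee remembering to do it; the VPN address range, the policy thresholds and the sample user are assumptions.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Assumed values: the address range VPN clients egress from, and the policy limits.
VPN_RANGES = [ipaddress.ip_network("10.8.0.0/16")]
MIN_LENGTH = 14          # minimum password length
MIN_CLASSES = 3          # lower / upper / digit / other character classes required
HISTORY_DEPTH = 5        # number of previous passwords that may not be reused


@dataclass
class User:
    name: str
    mfa_enrolled: bool
    # Hashes of previous passwords. A real system would keep these with the same
    # slow, salted hash as the live credential; sha256 is used here only for brevity.
    password_history: list = field(default_factory=list)


def password_meets_policy(candidate: str, user: User) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"needs at least {MIN_CLASSES} character classes")
    digest = hashlib.sha256(candidate.encode()).hexdigest()
    if digest in user.password_history[-HISTORY_DEPTH:]:
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return problems


def connection_allowed(user: User, source_ip: str, mfa_verified: bool) -> tuple:
    """Decide whether a session may be opened: VPN source first, then MFA, both enforced centrally."""
    addr = ipaddress.ip_address(source_ip)
    if not any(addr in net for net in VPN_RANGES):
        return (False, "source is not a VPN address")
    if not user.mfa_enrolled or not mfa_verified:
        return (False, "multi-factor authentication not satisfied")
    return (True, "ok")
```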

While it offers good advice, “Employees should also be cognizant of who—or what—might overhear private conversations. Employees should consider their surroundings and the possibility that someone could be listening to a conversation,” it then states, “Equally important, they should also consider any voice-controlled smart speaker devices, such as Alexa and Google Home. To best protect company confidentiality, smart device microphones should be disabled and lockout features should be turned on after a short period of inactivity.”

Every smartphone has a smart assistant such as “OK Google”, Siri or Alexa, and they work by always listening. Better advice would be not to discuss any confidential information over the phone at all.

It states “..It is also helpful to focus on further educating employees and requiring them to strengthen security settings and firewall configurations.”

As a CISO you are not going to allow your employees to configure security settings and firewall configurations themselves.

You can read the full article here.

http://www.rmmagazine.com/2020/05/19/an-increased-remote-workforce-calls-for-increased-cybersecurity-protection/

We should always follow the KISS principle (Keep It Simple and Stupid) if we want sustainable controls.

Also, it will not hurt to invest in an Information Security Awareness program and guidelines. It takes very little effort to create an IS security awareness kit. Companies should create an Information Security Awareness program and share Dos and Don’ts with employees.

Call to action:

Inputs, comments, suggestions: I welcome inputs, comments and suggestions from readers on how to approach this issue. Feel free to correct me or educate me.

Share the article: If you like it, share it. If you share it with others and they comment, we will all learn more.

(Disclaimer: The views expressed constitute the opinion of the author and the author alone; they do not represent the views and opinions of the author’s employers or supervisors, nor do they represent the views of organizations, businesses or institutions the author is, or has been, a part of.)