No matter their job title, business department, industry knowledge, computer savvy and/or exposure to security training, end users are the second-weakest spot in every organization's security fence. They are bested only by one subgroup of employees -- remote workers.
Think of the person who works in a satellite or branch office, perhaps with just one or two other employees. Think of the person who works three days a week at corporate headquarters and then travels with his laptop or telecommutes on other days. Think of the countless salespeople working from hotel rooms, airport gate areas, customer sites and Starbucks shops. These are the people who cause security managers to lose the most sleep.
1. Be aware that almost every data decision has a security implication
Security awareness training typically occurs on an annual basis, yet remote users make hundreds of security choices every week in the course of their work, says Carol Suchit-Hudson, director of citywide security for the New York municipal government.
For example, should they pop into the corner coffee shop and hop on its wireless network to answer an urgent e-mail? Or if their flight is delayed, should they use that extra hour to work on that customer spreadsheet?
IT's response: One of the best ways to ensure that remote workers make the right decisions is to offer them more frequent training coupled with periodic security reminders that are tailored to the way they work.
"The appropriate step is to tweak your education program based on the type of user," says Suchit-Hudson. That means using real-life examples and anecdotes. "No one wants to sit through training that isn't applicable to their needs," she says.
2. Your children aren't afraid to download
"Mom, can I use your computer to check online for my homework?"
Answering "yes" to this question -- as many parents do -- can open the gates to security hell, experts say. "Letting kids and others download programs and data of unknown origin onto their machines is one of the biggest worries we have for telecommuters," says Matthew Kesner, chief technology officer at Fenwick & West.
IT's response: Even the most Draconian of usage policies won't end such incidents altogether. Instead, try appealing to users' self-interest, Kesner advises. If a user has downloaded an unauthorized program or left a wireless connection open after working at home, it will really slow their computer down, he notes. "That's how we message it," he adds. One more tip: Regularly monitor users' hard drives.
3. Be a responsible gadget geek
BlackBerries, flash drives, mobile phones and handhelds frequently contain critical corporate data, yet most users treat these relatively low-cost devices far more casually than laptops.
IT's response: "Our rule is, if we don't own it, you don't plug it into our network," says Chris Blake, workstation administrator at The Benchmark Group, an architectural and engineering firm.
Another option is to instead have users upload and download data from the server and to encrypt all data transmissions, he says.
4. Don't forget it -- shred it
Paper may seem quaint in our increasingly digital world. Yet, it's actually quite dangerous if tossed around carelessly, says Darryl Lemecha, CIO at Vertafore, an insurance software and services company. "Dumpster diving remains a common way for thieves to get information," he says. "People have become quite accustomed to shredding at work, but there are still individuals who work from home who are without a shredder."
IT's response: Shredders for all. And they should be cross-cut shredders, so thieves can't piece back together documents that have been torn in only one direction.