FRAMINGHAM, 8 MARCH 2011 - The new working professional is always connected, and increasingly, the office is Starbucks (SBUX), an airport, or home. With new flexibility comes new IT security risks for businesses. Basic defenses like antivirus are important, but not enough to keep corporate data from the increasingly sophisticated hacker.
How can mobile workers better protect information while they're outside the office? Here are 9 tips to keep employees (and corporate data) safe outside the office:
Tip 1: Use laptop disk encryption
One of the first lines of defense is to secure the data that sits on a laptop's hard drive, making it prohibitively difficult for attackers to retrieve data from a device that slips out of an employee's control. As more personal laptops have entered the work ecosystem, disk encryption has become increasingly important. Without properly implemented encryption, a password is just a polite request for an attacker not to access the data.
Tip 2: For laptops, set boot order and password in the BIOS
Most people have their Windows accounts locked down, but what about the BIOS? The first thing a seasoned attacker will try to do is boot from something other than the hard disk (USB stick, CD, etc.) and poke around. There are a few techniques to make this more difficult. One is to put the hard disk first on the boot list in the BIOS and then password protect the BIOS to stop someone from changing it. If an attacker has stolen the laptop, they can still take more drastic measures such as removing the hard disk (but hopefully it's encrypted; see Tip 1 above). Changing the boot order will make it more difficult for an attacker who has only brief access to the machine.
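An added check, not from the original article, for the "properly implemented" part of Tip 1 and the boot-time authentication that backs up Tip 2: a PowerShell function that reports whether the Windows system volume is fully encrypted, whether BitLocker protection is actually switched on (not suspended), and whether a pre-boot PIN or startup-key protector is present. It assumes a Windows machine with the BitLocker module (Get-BitLockerVolume) and an elevated prompt; the function name is the example's own.

```powershell
# Added example (not from the original article): audit whether a Windows
# laptop's operating-system volume is actually protected by BitLocker.
# Requires the BitLocker PowerShell module and an elevated prompt.
function Test-OsDriveEncryption {
    [CmdletBinding()]
    param(
        # Mount point of the OS volume; defaults to the system drive.
        [string]$MountPoint = $env:SystemDrive
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # Protection can be "Off" even when the disk is fully encrypted, e.g. when
    # BitLocker was suspended for a firmware update and never resumed. In that
    # state the key is stored in the clear and the encryption protects nothing.
    $encrypted  = $vol.VolumeStatus -eq 'FullyEncrypted'
    $protected  = $vol.ProtectionStatus -eq 'On'
    $protectors = $vol.KeyProtector | Select-Object -ExpandProperty KeyProtectorType

    # A TPM-only protector unlocks the disk before any user authenticates; a
    # TPM+PIN or TPM+startup-key protector demands something at boot, which is
    # what stops a thief with brief physical access from simply powering on.
    $preBootAuth = ($protectors -contains 'TpmPin') -or
                   ($protectors -contains 'TpmPinStartupKey') -or
                   ($protectors -contains 'TpmStartupKey')

    # A recovery-password protector should exist so a forgotten PIN does not
    # destroy the data; where it is escrowed (AD, Intune, Azure AD) is a
    # separate check not covered here.
    $hasRecovery = $protectors -contains 'RecoveryPassword'

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionOn     = $protected
        EncryptionMethod = $vol.EncryptionMethod
        PreBootAuth      = $preBootAuth
        RecoveryKeySet   = $hasRecovery
        Compliant        = $encrypted -and $protected -and $preBootAuth
    }
}

# Run against the system drive and print the result as a property list.
Test-OsDriveEncryption | Format-List
```

A Compliant value of False with VolumeStatus FullyEncrypted and ProtectionOn False is the suspended-BitLocker case; resume protection rather than re-encrypting.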
Tip 3: See what it takes to do password resets, then educate employees
The model of using biographical information for password reset is failing. The name of an employee's favorite pet, grandfather's occupation and mother's maiden name are more available than ever before: attackers can mine information from social networking sites as well as public records that are now online. It's an important exercise for employees to see how exposed they are by trying password resets on their corporate and personal accounts. Imagine they have forgotten all passwords to email, their laptop, etc. How do they reset them? What questions get asked? Could someone find those answers online somewhere? If so, it's time to change those questions or answers. If the account simply sends a password reset email then ask: what would it take for someone to reset an email password?