Securing Municipal Walls: Safeguarding Employees & Assets from Data Attacks
In the past year the news has been inundated with stories of hacking attacks on some of the biggest corporations in the United States, including LinkedIn, Yahoo, TJX, Sony PlayStation, and even the FBI. The easiest method hackers use to infiltrate an organization is through an employee. It is important to understand that usernames and passwords are an outdated notion akin to protecting a municipality with a wall. It is very typical for a hacker to track an employee and "phish" for information. Hackers distinguish patterns of usernames and variations of passwords, and quickly piece together a lovely dossier of the employee and their credentials, along with the applications and resources they access. With this information they can dig further, turning the exposed hole into a large and expanding crack. Soon the entire organization is exposed - financials, personal information, intellectual property and more.
There are immediate solutions and practices that can help you be proactive against hacking attempts. Employee education and best practices, plus technical implementations such as multi-factor authentication, should be taken into consideration to safeguard the municipal wall.
Ideally, the use of usernames and passwords should be eliminated. But this is the real world. User behaviors are hard to change overnight, and established protocols are even slower to change. Until then, here are some basic steps your employees can take to protect themselves and your organization:
- Use different usernames and passwords for all accounts. Make sure your employees do not use passwords that they use for personal activity. They should have a very different and distinct password.
- Never share passwords with anyone.
- Change passwords immediately if compromised.
- Be careful about saving passwords. Some dialog boxes, such as for remote access and other telephone connections, present an option to remember a password. Selecting this option poses a potential security threat.
- Continued education on the dangers of breaches and how to best protect your system from the newest threats is key.
- If passwords must be written down, store them in a secure place and destroy them when no longer needed. Hint: a sticky note on your monitor is not a safe place.
- Use technology - applications are available that provide stronger authentication than 'username and password' combinations. Any applications used should meet the security standards of your organization so they do not create possible holes for cyber criminals to exploit.
Multi-factor authentication, as its name implies, is the use of two or more different authentication factors to verify identity. Two-factor authentication is the best-known implementation and is regularly used in our everyday lives with the ATM card and PIN combination. It uses "something you have" (the card) and "something you know" (the PIN). Multi-factor authentication reduces risk by involving separate types of factors that would require an attacker to use different methods of attack, making a breach more difficult.
You may initially believe that you could not implement this measure, citing inconvenience to the employee or cost. This should never stop implementation. Solutions are available today that offer both the security and convenience needed. WWPass (www.wwpass.com) is an example. WWPass offers an affordable and easy-to-implement application designed specifically to provide organizations with secure authentication and employees with convenience. Other solutions also exist with varying functionality. They are worth investigating to find the best solution to meet your specifications.
As in everything, taking a proactive stance in educating yourself and your employees will be your best defense in keeping employees safe and assets protected. Keep track of what your employees are doing with your systems and any risky behaviors. Be sure to use only up-to-date computers that are fully patched with the latest updates and security protection. Many threats that succeed in compromising computers will use known weaknesses. Keeping computers current will go a long way in securing the municipal wall.
Dan Kaplan is Chief Information Officer for NH Local Government Center. He may be contacted at 800.852.3358 ext. 3322 or by email.