Perhaps it’s a result of the highly publicized Ashley Madison data breach, but there were an awful lot of security-related discussions amongst the Spiceworks community this past month.
Unless you’ve been hiding away at a cottage for the summer with zero access to technology, you’ve no doubt heard about how the dating website — designed for “discreet encounters and extramarital affairs” — was hacked and sensitive data was dumped onto the dark web.
It’s a network admin’s worst nightmare. But if that type of high-profile incident doesn’t shake up the C-level — after all, it won’t happen to us — how can you get more funding for security?
Spicehead Chris Roberts asked for advice on how to best propose a phishing education program to upper management.
Like anything else, you have to demonstrate why they need the service and how it will meet key business objectives, says tech consultant Anthony Sutcliffe. “The best approach would … be to highlight what problems it has caused to businesses like theirs, or to people like them. Indicate what the costs were/damage was and show how it can be prevented.”
Network admin Kirk Kinrade says it’s cheaper to pay for training than to fix your company’s reputation after a data breach. “We are in the middle of a [phishing] training campaign and I have not had a single user complaint about the training yet,” he says. “They all thought it was great knowledge for work and at home.”
Another Spicehead asked how to protect the network from a disgruntled or fired network admin — a timely topic, considering there are some suggestions the Ashley Madison data breach was an inside job.
Aside from changing passwords and cutting off VPN access, “if someone has the proverbial ‘keys to the castle,’ how do you revoke all access and make sure that nothing malicious can happen after the fact?” asks IT manager JollyRoger.
“This is a huge deal that shouldn’t be taken lightly,” says Spicehead Todd Scott. “Keep in mind that like you, he not only has his own god level access but most likely knows the usernames and passwords to most of the upper level management. All of their access will have to be changed as well. Even though your CFO isn’t a domain admin (at least I hope not) … knowing their credentials could be just as damaging.”
Rayond Payne, a group admin, recommends having a plan in place before locking someone out. “If you’re doing it in a panic when someone is let go, then odds are you’re going to miss something.” Spicehead Joshua Obelenus suggests hiring a third-party security firm to verify the employee’s access has been completely revoked.
Pointing to the recent conviction of a senior techie who was sentenced to 18 months in the U.K. after hacking into hundreds of phones at insurance firm Aviva in an act of revenge against an external security firm, Spicehead Brian Whelton says this is what happens when a company has bad administration. “I cringe when I see stories like this, [completely] avoidable.”
But oftentimes, tightening security makes you less popular with users. IT director Rotem Ben Shitrit shares how he went from cool new IT manager to an unpopular person who ruins all the fun.
From locking USB jacks to overnight reboots for desktops and forced WSUS updates, he says he’s made the IT environment safer — but turned from king of the house to the person who sits by himself at lunch.
“Don’t forget to kill external email access, all video and audio streaming sites, all social media sites, and put a shopping filter on the firewall. Those things made me very popular at work,” responds Ray Austin, a self-described director of turning things off and back on again.
“If I have management buy-in, I don’t care if I ruffle feathers or lose the popularity contest,” says Spicehead Bruce Gibert.
But Spicehead Dan Tapley says there’s a delicate balance between functionality for users and security and efficiency for the system. “Sometimes you have to sacrifice a little to keep users happy, but in the end if you can balance it all you don’t tend to sit alone at lunch.”
Photo credit: Widjaya Ivan