The good news: you don’t have to be the CIO to know if your office is cybersecure.
The bad news: you won’t be able to ignore the lack of security once you’ve taken a hard look.
But why would anyone want to make a sophisticated effort to hack your small organization? One answer could be that the hackers are seeking to use your company to appear legitimate so they can target a more hardened company. Cybersecurity is for everyone. No exceptions.
Take a moment to examine your office through the lens of cybersecurity. Even as a “regular” user and not a techie, you can spot the indications of insecurity. One or two isolated issues can be explained away, but if you recognize multiple signs, there could be a serious security problem within your organization that needs to be addressed.
Keep in mind that one of the easiest ways to “hack” a computer is the old-fashioned way: physically. Aaron Swartz, one of the great technical minds of a generation as well as a tragic story, breached MIT’s servers by gaining access to a basement wiring room. So, this is a good place to start.
To see if your office is cyber-insecure, one of the first things you can check is whether the server room is unlocked. If you are not a member of the IT staff but can still access the room with your key card, or if the door is simply unlocked, this is a red flag.
Next, consider your office’s password security. Does the password for your network change constantly? If so, do users remember passwords by simply writing them down? Are there sticky notes in cubicle overheads and notes on the bottom of keyboards with passwords?
Many people believe that changing passwords regularly increases security. However, that is not always the case. If employees are changing passwords so frequently that they cannot easily recall their new passwords, and they are not using password managers, this could pose a security threat. One recent example was a Post-it note with the password to the missile alert system, visible in a publicly posted photo at the Hawaii Emergency Management Agency in January.
Next, think about your company’s Wi-Fi network. Can you access any site on the web without restriction? If you can, others can too. Employees can potentially visit websites that have a Trojan horse or other malware without knowing it. For example, someone using their company laptop to watch a movie can potentially expose the network to malware.
Here are some additional questions to ask yourself as you are evaluating your organization’s security:
- What is your company’s policy on USB drives? If you don’t know this answer, then perhaps you need to create a policy or better communicate what the existing policy is.
- Does your company/agency have a cyber policy? Has there been training on it? Did the training put you to sleep? Without clear and understandable guidelines, policies, procedures, and a quality training program to support them, an organization’s risk skyrockets.
- Can you identify the individual or group responsible for the cybersecurity posture of your organization? Do you receive regular communication from this person/group?
- Along the same lines, has your CEO ever commented on cybersecurity in any way? Does it appear to be a concern to the top-level execs?
- Do employees always lock their screens before leaving their computers? Also, can you see information that you are not privy to on other workers’ screens by standing behind or near the user?
If your company doesn’t score well on the outward signs, chances are that it is failing on the inward stuff too, like encrypting data at rest, network segregation, and access control. As Sherlock Holmes said, “the little things are infinitely the most important.”
Being cybersecure as an organization starts at the top with support from company leaders and well-communicated policies so employees can understand best practices and expectations.
Ralph Russo is the director of the Tulane University School of Professional Advancement, Information Technology. Russo is a nationally recognized cybersecurity expert on technology in homeland security and public safety domains. He has also consulted for multiple federal, state, and local jurisdictions to successfully guide the development, deployment, and adoption of IT systems for security and public safety.