January 12, 2009, 11:33 AM — Most CSOs and security managers know employees are taking risks everyday that could set their company up for a breach. What some of the biggest offenses? And what can be done to nip that risky behavior in the bud? John Stewart, CSO of Cisco, offers his take on 4 rules people love to break and offers advice on getting them to stop.
Allowing "tailgating" and unsupervised roaming According to a recent Cisco survey, more than one in five German employees allow non-employees to roam around offices unsupervised. The study average was 13 percent. And 18 percent have allowed unknown individuals to tailgate behind employees into corporate facilities. The reason, according to Stewart, is that confronting people who may be gaining access illegally is difficult for people.
"Globally, tailgating creates an interesting human problem," said Stewart. "You are walking into building and you may have to challenge someone to prove that they have the right to be there. This is uncomfortable for a great number of people. In certain cultures it's insulting and unacceptable."
Stewart recommends creating an environment that makes it hard for people to tailgate. Consider signage that even states tailgating is not allowed.
"When there are signs posted it makes it easier for a person to ask for identification. They can say: 'The company makes me do this.' It diffuses some of the tension."
Help your user community say in a very obvious way: I don't want to have to do this but I have to do it, said Stewart.
Adding unauthorized wireless access points At Cisco, the process of dealing with unauthorized wireless access points is known as 'whack-a-mole', according to Stewart. That's because they pop up so frequently
Wireless access points can be needed either by employees looking to test things, or when people who don't normally need access suddenly do.
"You could end up in a meeting with people from all over and they all need Ethernet. However, one or two computers might not have authentication credentials to get on corporate wireless and then someone has the great idea to create a wireless environment with USB stick. Wireless is just that easy."
While most employees are just looking to fill a need, said Stewart, the unauthorized access point is an exposure.
"You've got the corporation at risk," he said. "Tailgating and wireless access points are, in many ways, the exact same problem. You are potentially allowing unauthorized or unexpected users on your network."
Stewart advises having a clear and consistent policy with consequences. Consistency is key.
"If the consequences aren't severe, most people won't take you seriously. Get serious about real rules. I know some companies who will charge the department with the person who put the wireless access point on the network. The bill goes to the manager of the person that did it. You can imagine how that plays out."
Sharing corporate or sensitive information with unauthorized people According to Cisco research, one of four employees (24 percent) admitted verbally sharing sensitive information to non-employees, such as friends, family, or even strangers. When asked why, some of the most common answers included, "I needed to bounce an idea off someone", "I needed to vent", and "I did not see anything wrong with it."
Stewart thinks companies need to educate workers to treat corporate information like it's a personal secret.
"You don't want people know certain things about yourself. If there is something really personal you would rather not have the world know about, that is how company feels, too. You can also equate corporate information with money. Keeping sensitive information secret says 'I'm not going to share my money with you.'"
Putting sensitive data in the wrong place This could mean copying or extracting corporate sensitive information from protected place and putting it on handheld device. It could also mean e-mailing information to an outside, non-corporate e-mail account. Whatever the scenario, it means sensitive information could get in the wrong hands, especially if it's on a portable device that gets lost. Cisco research found 22 percent of employees carry corporate data on portable storage devices outside of the office.
"If you instinctually know that the work environment you have is causing this, figure out a solution," advised Stewart. "If an employee is engaging in this behavior say to them 'Tell me what you've got to do that's forcing you to do this and let us figure out a way to solve it."
