Device and Account Security

The old adage “you are only as strong as your weakest link” is as true in 2013 as it has ever been. IT departments can put policies, procedures and security features in place, but the user still remains the weakest point in the entire setup. I have a shirt from Thinkgeek.com whose front says “Social Engineering Specialist” and whose back says “Because there is no patch for human stupidity”.

The user is the weakest point in the entire system because of social engineering. Social engineering is simply tricking people into willingly giving up information. An e-mail with a link saying your IT department needs to verify your password… social engineering. A telephone call from someone posing as IT… social engineering. If you want to read more about social engineering, check out this Wikipedia article.

I am currently reading Remote: Office Not Required by Jason Fried and David Heinemeier Hansson, the founders of 37signals (Basecamp, Highrise, Campfire). In the book the authors discuss working remotely and how various companies accomplish it. While the book has many interesting passages that I have highlighted, one in particular stood out to me.

37signals has a security checklist that all employees must follow, and it is included in the book. It was all good information and even forced me to take a step back, examine my own security practices and make changes.

All computers must use hard drive encryption. I am running Mac OS X and have opted for FileVault. On the Windows side you could look at BitLocker.
Disable automatic login and require a password when waking from sleep. Also set the computer to lock automatically after 10 inactive minutes.
Turn on encryption for all sites you visit (HTTPS or SSL).
Make sure smartphones and tablets use lock codes and can be wiped remotely.
Use a unique, generated, long-form password for each site, and use password-management software.
Turn on two-factor authentication.
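As an added example (not from the post, the book or 37signals), here is a small POSIX shell audit for the Mac-side items of that checklist: disk encryption, password on wake, a 10-minute auto-lock and no automatic login. The preference keys and command output formats it relies on are assumptions about older (2013-era) Mac OS X releases; each check_* function takes the raw command output as an argument so the logic can be exercised without a Mac, and run_audit wires them to the live commands.

```shell
#!/bin/sh
# Checklist audit for Mac OS X. Assumed keys/outputs (not from the post):
#   fdesetup status            -> "FileVault is On." when disk encryption is enabled
#   com.apple.screensaver      -> askForPassword (1/0), askForPasswordDelay (seconds),
#                                 idleTime (seconds, per host)
#   com.apple.loginwindow      -> autoLoginUser is set only when auto-login is on

# Returns 0 only if $1 is a non-empty string of digits.
is_number() {
    case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# Hard drive encryption: pass when the status line says FileVault is on.
check_filevault() {
    case "$1" in *"FileVault is On"*) return 0 ;; *) return 1 ;; esac
}

# Password when waking from sleep: askForPassword=1 and no grace delay.
check_wake_password() {
    delay="${2:-0}"
    is_number "$delay" || return 1
    [ "$1" = "1" ] && [ "$delay" -eq 0 ]
}

# Auto-lock after at most 10 idle minutes: idleTime is in seconds (600 = 10 min).
check_idle_lock() {
    is_number "$1" || return 1
    [ "$1" -gt 0 ] && [ "$1" -le 600 ]
}

# Automatic login is disabled when autoLoginUser is unset (defaults prints nothing).
check_autologin_disabled() {
    [ -z "$1" ]
}

# Report one PASS/FAIL line per item; returns 1 if any item fails.
run_audit() {
    rc=0
    check_filevault "$(fdesetup status 2>/dev/null)" \
        && echo "PASS disk encryption" || { echo "FAIL disk encryption"; rc=1; }
    check_wake_password "$(defaults read com.apple.screensaver askForPassword 2>/dev/null)" \
        "$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null)" \
        && echo "PASS password on wake" || { echo "FAIL password on wake"; rc=1; }
    check_idle_lock "$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null)" \
        && echo "PASS auto-lock <= 10 min" || { echo "FAIL auto-lock <= 10 min"; rc=1; }
    check_autologin_disabled "$(defaults read /Library/Preferences/com.apple.loginwindow autoLoginUser 2>/dev/null)" \
        && echo "PASS auto-login disabled" || { echo "FAIL auto-login disabled"; rc=1; }
    return "$rc"
}
```

Call run_audit from a terminal on the Mac being checked; an empty or non-numeric preference value is reported as a failure rather than silently passing.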

All of this is great information and adds another barrier to break through should you lose your device or have it or your login information stolen. Some files I work with require additional security, and they are stored in an encrypted file that requires a password. In addition to the security I have in place, I use our file server at work so there is always a backup of the file. At home I have a backup solution that backs up my devices there. The next stage I want to work on is off-site backup in case of theft or fire at home.
