In Brief
The 4 Security Rules Employees Love to Break
Cisco CSO John Stewart gives his take on four security rules employees bend a lot, and what you can do to set them straight
By Joan Goodchild, Senior Editor
January 06, 2009 — CSO —
Most CSOs and security managers know employees are taking risks everyday that could set their company up for a breach. What some of the biggest offenses? And what can be done to nip that risky behavior in the bud? John Stewart, CSO of Cisco, offers his take on 4 rules people love to break and offers advice on getting them to stop .
Allowing "tailgating" and unsupervised roaming
According to a recent Cisco survey, more than one in five German employees allow non-employees to roam around offices unsupervised. The study average was 13 percent. And 18 percent have allowed unknown individuals to tailgate behind employees into corporate facilities. The reason, according to Stewart, is that confronting people who may be gaining access illegally is difficult for people.
"Globally, tailgating creates an interesting human problem," said Stewart. "You are walking into building and you may have to challenge someone to prove that they have the right to be there. This is uncomfortable for a great number of people. In certain cultures it's insulting and unacceptable."
Stewart recommends creating an environment that makes it hard for people to tailgate. Consider signage that even states tailgating is not allowed.
"When there are signs posted it makes it easier for a person to ask for identification. They can say: 'The company makes me do this.' It diffuses some of the tension."
Help your user community say in a very obvious way: I don't want to have to do this but I have to do it, said Stewart.
Adding unauthorized wireless access points
At Cisco, the process of dealing with unauthorized wireless access points is known as 'whack-a-mole', according to Stewart. That's because they pop up so frequently
Wireless access points can be needed either by employees looking to test things, or when people who don't normally need access suddenly do.
"You could end up in a meeting with people from all over and they all need Ethernet. However, one or two computers might not have authentication credentials to get on corporate wireless and then someone has the great idea to create a wireless environment with USB stick. Wireless is just that easy."
While most employees are just looking to fill a need, said Stewart, the unauthorized access point is an exposure.
"You've got the corporation at risk," he said. "Tailgating and wireless access points are, in many ways, the exact same problem. You are potentially allowing unauthorized or unexpected users on your network."
Stewart advises having a clear and consistent policy with consequences. Consistency is key.
security rules
Security Directions: A Virtual Conference
Available On Demand Sept. 30 - Dec. 30
Join us for a virtual event with candid, expert information on top security challenges and issues - all from the comfort of your desktop.
Protecting PII: How to Work with IT to Manage Risk
Understand the critical nature of the test data privacy problem and get tips on how to work with IT to implement a test data privacy program.
- Upgrading to VMware vSphere with vWire
- Removing Barriers To Better Server Virtualization Efficiency
- Practical Approaches for Securing Web Applications across the Software Delivery Lifecycle
- Staying A Step Ahead of the Hackers: The Importance of Identifying Critical Web Application Vulnerabilities
- Managing A Growing Threat: An Executive's Guide to Web Application Security
- The Forrester Wave™: Web Filtering, Q2 2009
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
CSO Perspectives
-
April 5-7, 2010Hyatt Regency Santa ClaraClick here for more information!
Santa Clara, California
(ISC)2 members can earn up to 24 CPE Credits!
