Back to school, part 2: no whaling allowed!

How can CSOs advise their chief executives? Advise them that opening things they’re not expecting (and not from sources they have not verified), is a good baseline, and it might be helpful to reinforce these three watchwords:

• Validation
• Encryption
• Authentication

3. Safe web browsing with corporate devices

Security officers might ask, “What can our executive do to operate more safely than not while trying to work/live in a digital environment?” In his article, “10 Ways to Secure Browsing,” CSO contributor Joseph Guarino writes about IE, for example, “offers nearly 1,500 configurable settings, so you would be hard-pressed to say it’s not flexible enough to meet your security requirements.”

The Web is a constantly moving source of fluctuations, temperaments and exploits. Nonetheless it has become the backbone through which most of the modern world communicates everything from recipes to national defense. In To safely browse the Web, here are a couple of steps to consider:

• Use Strong Passwords:  Bad guys still like the easiest path to gain access into a target. Passwords may be a headache to remember, but if constructed properly, they’re an even greater headache to crack. Use passphrases, rather than simple key strings.
• Biotechnology:  Many mobile devices now offer some sort of biometric component, such as a thumb print or eye scan, which adds a layer of protection from the Wild Wild Web.
• Incorporate a VPN:  VPNs provide an encrypted connection for Internet access through a “Secure Tunnel.” Executives should consider mandating the use of only encrypted access for all mobile users with corporate-owned mobile devices, through which the Web may be “more safely” accessed.
• Partitioning and Device Scrubbing:  Many executives consider the option of partitioning their mobile devices to protect part of their more sensitive data from externally facing controls. Part of segregating a device often also includes the ability for a host site to have access to “Scrub” all externally facing histories and related files, keeping corporate mobile devices under strict access control.
• “Know Thyself”:  Just because you receive a text message doesn’t mean you know where it originated, and you certainly don’t have to respond to it. A good rule of thumb is, “If I don’t know you, I don’t WANT to Know YOU!”

4. Securely working from home

It’s one thing to grab a laptop and head to the woods for the weekend, but it’s a whole ‘nother thing to head home, open up that laptop and start accessing secure files. What if little Suzy wants to do a quick Instagram with her BFF, or Junior wants to jump onto a gaming site with Dad’s new, powerful device?

Computerworld’s Mary Brundel writes, “Home workers should be granted access to view and change data only from a distance.”

While similar to other issues mentioned here, the need for executives to be extra vigilant where threat exposure is concerned, is magnified when next-of-kin become at-risk accomplices to or victims of malicious activities. A couple of precautionary considerations before heading from the boardroom to the living room might include:

• Keep sensitive and proprietary data encrypted.
• Consider using a back-up or “portable” mobile device for off-site, after-hours and for personal use, and limit what can be accessed.
• Make sure your organization has a check-in / check-out procedure, for both equipment as well as for file management.
• Be sure the “Scrubbing” policy includes a timely response window, to keep data latency and availability to a minimum while “in the wild.”
• Is everything backed up and stored in a secure location?

5. Secure destruction of sensitive information

“Sensitive Information” is considered any data which, if compromised, would have an adverse impact on the owner connected to the object. On a regular basis, sensitive data becomes outdated and may require revisions or complete replacement. Depending on which business sector an organization finds itself, however, could determine how outdated sensitive information is archived or destroyed.

Here are a few basic considerations executives should take when considering the destruction of sensitive data:

• The organization may have a GRC-directed mandate or requirement (i.e., SOX, HIPAA, etc.), for archiving and maintaining archived data for a period of time?
• There should be a clearly defined and authorized procedure for handling, retrieving, archiving and destroying sensitive information.
• An audit procedure for tracking data handling throughout its lifecycle should be clearly defined, managed and routinely reviewed.
• The destruction of sensitive data should be managed by a designated group and whose procedures should be verified by a separate group. This two-party model ensures compliance with policy while maintaining propriety over sensitive assets.

It’s a lot to look at, but these safeguards could make the difference in keeping the boss in safer waters and out of somebody’s frying pan. The watchword of the day: never assume the Corner Office full understands what it means to be “secure,” and never expect senior leadership to know the best methods to apply to keep themselves safe. That’s where we come in.