ESET’s Mark James on the issues employees have with business security measures, and how to counter the difficulties without compromising safety.
For those who don’t live and breathe security, some of the staff instructions from businesses looking to stay safe can seem like IT departments are deliberately making life difficult. Poor Wi-Fi access, the need for strong passwords, not being able to download and install applications, and difficulty in working remotely are all common bugbears for staff members at businesses worldwide. I spoke to ESET security specialist Mark James about the problems employees find with business security, and how companies can best counter them.
Poor or limited access to Wi-Fi is a regular grumble for workers, and James has a lot of sympathy for this. “These days we talk about Bring Your Own Device, and the ability to move around the office and not be desk-bound, so I can see how not being able to stay connected when you move would be frustrating.”
For employers looking to expand their Wi-Fi accessibility to deal with the concern, James emphasizes the need for strong encryption. “It needs to be at least WPA2 encryption. Turn WPS off – it’s great for the home, but not for the business environment.”
While James is an advocate of strong but memorable passwords, for Wi-Fi connections he advises more caution: “This particular password is only used now and again – so this should be a complex password. 15-20 characters long, a random set of characters, no two characters together that could make up a word. In theory, once your devices are done, you’re not going to need them again.”
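As an added illustration of the two Wi-Fi points above (WPA2-only with WPS switched off, and a long random pre-shared key), here is a small audit script. It is not code from the article or from ESET; the two hostapd.conf fragments are constructed samples, and the checks map James’s advice onto the standard hostapd keys `wpa`, `wpa_pairwise`/`rsn_pairwise`, `wps_state` and `wpa_passphrase`. The 15-character minimum is taken from his “15-20 characters” guidance.

```python
import secrets
import string

# Constructed sample hostapd.conf fragments (not from the article). The first
# resembles a home-router style setup; the second applies the advice above:
# WPA2 only, CCMP (AES) cipher, WPS disabled, long random passphrase.
WEAK_CONF = """\
interface=wlan0
ssid=corp-guest
wpa=1
wpa_pairwise=TKIP
wpa_passphrase=summer2015
wps_state=2
"""

HARDENED_CONF = """\
interface=wlan0
ssid=corp-guest
wpa=2
rsn_pairwise=CCMP
wpa_passphrase=q7%Lz2!mK9@vX4#bP8^w
wps_state=0
"""


def parse_hostapd(text):
    """Parse key=value lines of a hostapd.conf into a dict (comments skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd(text, min_psk_len=15):
    """Return a list of findings; an empty list means the fragment passes."""
    conf = parse_hostapd(text)
    findings = []
    # wpa: 0 = open, 1 = WPA, 2 = WPA2/RSN, 3 = WPA+WPA2 mixed mode.
    if conf.get("wpa") != "2":
        findings.append("wpa is not 2: network is open, WPA1 or mixed mode rather than WPA2-only")
    # TKIP is the legacy WPA1 cipher; require CCMP (AES) only.
    if "TKIP" in conf.get("wpa_pairwise", "") or "TKIP" in conf.get("rsn_pairwise", ""):
        findings.append("TKIP cipher allowed; require CCMP")
    # wps_state: 0 (or absent) disables WPS; 1 and 2 leave the WPS registrar on.
    if conf.get("wps_state", "0") != "0":
        findings.append("WPS is enabled (wps_state != 0)")
    psk = conf.get("wpa_passphrase", "")
    if len(psk) < min_psk_len:
        findings.append(f"passphrase is {len(psk)} characters; want at least {min_psk_len}")
    return findings


def generate_psk(length=20):
    """Generate a random pre-shared key from a CSPRNG (hostapd allows 8-63 chars).

    Because every character is drawn independently, the result is not built
    from words or patterns, which is the property James asks for.
    """
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_hostapd(conf) or "OK")
    print("suggested PSK:", generate_psk())
```

Run it against a real hostapd.conf by reading the file into `audit_hostapd`; the same three checks (WPA2-only, WPS off, passphrase length) are what to look for in a vendor access point’s admin page, even though the setting names differ there.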
In more general business security terms, the need for complicated passwords is something that people often moan about, even to the point of sidestepping the rules. That is something which concerns James: “Top level management often have the attitude of ‘oh no, that doesn’t apply to me’ – that always scares the life out of me. Because in theory they’re the people with the most to lose.”
Still, following the password rules doesn’t have to be hard to be safe, according to James. “Just because you have a pattern, doesn’t mean that pattern can be guessed. When computers bruteforce passwords, they’re unable to look at patterns. You could use the same sort of song title or film description and put unique things in for that website or login.”
On top of this, passwords should always be reviewed, although it is dependent on circumstances. “If you use two factor authentication, you could potentially compromise. If username and password is your only means of protection, you need to change things up at least every 30 days. Because if a hacker is doing his job right, you’re not going to know he’s got the username and password, so the sooner it’s changed the better.”
The need for applications to be screened and installed by IT departments is possibly the easiest one for anyone to understand. Even those with a basic knowledge of business security and malware should be aware that many free applications on the internet carry serious risks. But this needs to be made clear, reckons James: “There needs to be a degree of what can and can’t be installed in the workplace, but the reasoning needs to be explained.”
“It’s not about stopping you from enjoying yourself – you may not be aware of a certain vulnerability with the software, which we might find.”
James believes that a simple explanation of the business security policy and assistance in finding alternatives is the best way to ensure everyone is happy. “If users and staff are up against technical people, that’s when people don’t do things because it’s too much hassle.”
A final common bugbear is difficulty in working remotely – a clear problem, given we now live in a world of flexible hours and 24-hour business. James agrees that a sensible remote working system is essential: “You go back 5-10 years, you worked from 8 until 5 or 6, and you went home to your family. Now people are dealing with enquiries at 8 or 9 at night, and not being able to do that is an inconvenience.”
The right policies mean this doesn’t need to be a difficult scenario, explains James. “It’s not a difficult thing to get up and running. This would be a company laptop, a good secure means of gaining communication, setting up an encrypted VPN, setting up two factor authentication and making sure the security is up to scratch.” Aside from that, as long as workers are educated in what they can and can’t do, and where they can and can’t log in from, James is confident that most employers and employees will be happy.
The way James describes it, none of these personal bugbears should be a seriously difficult problem for companies to fix, with the right education and communication in place. Hopefully these annoyances will fade into insignificance over the next few years if businesses take this advice on board.