May 2015 IT Business Consulting Newsletter

Protect Your Company From Your Staff

By Tom K

I've been seeing a tremendous increase in viral activity in my clients' environments. Some is due to more malware in the wild, but most is due to staff inviting the malware into your company's PCs. This can have extreme consequences on the financial and operational health of your company.

While deploying solid anti-virus technology is imperative, it can't solve this current problem. Senior Mgmt HAS to take a leadership role in modifying the behavior of its staff.

In this month's newsletter I discuss the dangers, the issues, and means to mitigate the dangers through policy and culture, and (of course) throw in a quick security refresher.

Your Staff Can Destroy Your Company

I monitor over 1000 devices for viral activity. As noted above, I've seen a significant increase in the incidence of malware reaching the PCs. Fortunately for my clients, the Anti-Virus (AV) software we use has stopped the malware from running and infecting the PCs. But how is all this dangerous stuff even getting to the PCs?

I've found the vast majority is being INVITED in by the users... clicking links in Facebook, in email, and on questionable web sites, downloading software and gadgets, blindly opening attachments in email, and just surfing to the wrong sites. In short, doing things that should not be allowed in a business environment. This activity not only wastes staff time and trashes productivity, it can also devastate your company. Sounds dramatic, but it is real!

I just received an alert that a virus was trying to launch on a client PC (the AV software was preventing the launch). When I checked the PC I found the malware was a key-logger, which records all of the user's keystrokes and sends them to the bad guy. This staffer (and PC) was responsible for the company's on-line banking. If the key-logger hadn't been blocked, the Cyber-Slime in Croatia would now have all the company's banking URLs, IDs, and Passwords... which could have ruined the company. This Malware was invited! The staffer had downloaded an applet to get free coupons, which delivered the malicious payload.

Anti-Virus Should Not Be Your First Line Of Defense

No AV product can catch everything all of the time... and when the user is the one inviting the malware in (running a download, opening an attachment), the AV software has far less chance of stopping it. Your first line of defense should be creating policies prohibiting dangerous staff activity. The second line of defense should be educating your staff as to the dangers on the web and the policies that prohibit dangerous activities. The third line should be strictly enforcing those policies.

Senior Mgmt HAS to get involved and create the policies, then ensure that the staff is educated and continues to be educated, and then dictate that these policies are observed and enforced. You need to make it very clear that there is no leeway on these policies, and you need to get full buy-in from your managers and ensure this buy-in rolls down to all of your staff.

Vacation Rental Management companies tend to be rather loose in controlling staff behavior, but in this instance the potential for devastation far outweighs the culture of a place to work with few rules and little consequence. This is one of those cases where you have to be forceful and instill Internet Use policies into the culture of your company.

So, How DO You Protect Your Company From Your Staff?!?

The most important step is to create a company Computer Use and Abuse Policy that clearly spells out what your computers are to be used for, how they are to be used, and what is not allowed. The policy should include strong language advising that non-compliance will result in termination. You need to have your employees read the policy at least annually, and officially sign off that they have read it, understand it, and will comply with it. Then you need to rigorously enforce the policy.

I've covered this in depth in my article "Employee IT Use and Abuse Policy", which not only discusses creating the policy and educating your staff as to what is acceptable and unacceptable, but also includes reducing your company liability from unacceptable employee activity.

If your employees continue to misuse your company computing resources, you can deploy devices to track their activity on the Internet, or to block access to areas of the Internet that are not necessary for your business. We prefer to induce compliance through a shift in company culture (via the Policy), as these tools can be expensive; but since the dangers of non-compliance can be severe, you may need to consider this secondary solution. I discuss this in my article "If your Employees Continue to Abuse the Internet".

The ongoing education of your staff is a very important factor. I suggest implementing monthly Lunch and Learns for relaxed presentations (see "Train Staff, Increase Team Spirit"), and regularly providing them with educational articles, such as my articles on Phishing: "Don't Be the Big Phish" and "Phishing Got ME!".

The thought of the PC that is used for your company's on-line Banking being hacked should send shivers down your spine! There is a relatively simple, inexpensive solution to this that you all should deploy... set up a dedicated PC used exclusively for Banking and nothing else. I discuss this in detail in my article "Protect Your Company Bank Accounts".

Core Security Best Practices

And, of course, you also need to be sure your company is protected by these core Security Best Practices:

• Centrally managed Corporate Anti Virus Protection
See Protect Your Company from Viruses and Malware with Enterprise Anti Virus Systems

• Centrally managed Windows Updates
See Centrally Manage Microsoft Updates Across Your Enterprise For Free!

• Centrally managed Corporate Spam Protection
See Got Spam? Eradicate Spam and Email Viruses BEFORE they get to Your Environment!

• Secure Passwords – don’t make it easy for the bad guys to get in
See Secure Passwords - You need to get this right!

• On-Site and Off-Site Backups
See Backup the Company Jewels!

• Deploy a Firewall at every point where your networks connect to the Internet

If you are not 100% sure your company is completely enacting these Best Practices, PLEASE call me to discuss having them properly deployed. Missing any one of these could wreak havoc on your company. I've seen it happen, and it costs much, much more to remediate the damage than it does to build out proper protections.

If you have any questions or comments concerning this article, or would like assistance developing Use and Abuse Policies, auditing or building out your core security protections, or improving your company's security position, I’d be happy to discuss this with you at your convenience. Feel free to contact me at, or via my cell 443.310.5110.

Next month in "Business Relations Risk Assessments", I'll discuss evaluating the operational and financial health of your important Business Partners, and the impact a breakdown in their services or their overall demise could have on your operations.