by Matthew Frank - Inside Sales Representative at MAC Source Communications
I'm no Internet security expert and I don't claim to be one. I can't hack a website, break into a bank account or send someone malicious code through e-mail that will let me take over someone's computer. But I have "acquired" people's passwords before. It's fairly simple.
I discovered a while back that it's not that hard to do it in online games. I found out that people used their game account password for the trading room password. I would try out the password on their account and see if I could log into it (it would knock them off the game). About 1 in 20 worked. I got into people's accounts and took their items. I must have repeated this at least a dozen times in a period of 3 months. Then I got bored and stopped playing. That was it. That was the extent of my "acquiring" someone's password.
Unfortunately, in this day and age, people tend to go much deeper than online games (and guessing people's passwords). Examples like WikiLeaks, AT&T, and Citibank all come to mind. These global, multi-billion-dollar companies are being hacked, and information much more important than a sword or ring from a game is being taken. People's identities are being stolen. Their livelihoods are being destroyed and someone is making off with a lot of money.
So, what do you do? Do you restrict your employees from going to any websites that could potentially be harmful? Do you block all outside communication on your network? How about telling employees that they cannot even sign onto a website such as linkedin.com, which is made for the workplace? Many companies require their employees to make passwords with letters, numbers, and symbols. I will tell you from personal experience that the human brain can only remember so many combinations. I have had to reset my password for my direct deposit at least 8 times in a month and a half before finding one I could actually remember.
Yes, I will agree that locking down websites, blocking outside communication on the network, and making employees choose their passwords using so many different types of characters that their heads explode are a great way to protect everyone, but it keeps down employee morale, and unhappy employees are less productive. In fact, it's been proven that employees who are given more freedom at work are happier and more productive, and their caliber of work is much higher.
What should be done is to find the right solution. Get a Next Generation Firewall (NGFW) from a company like Palo Alto Networks. It allows you to monitor what your employees are doing and how long they are on a website or application, and to tweak the security protocols. In fact, you can actually give someone access to Facebook without them playing games. Let marketing have access to posts and responses from customers and clients, but block the games. Don't want outside people using your network? Great! Block them, or limit what they use. Isn't technology great? Only a few years ago you could either block or unblock Facebook. It was Black or White. Now there are a number of shades of Gray.
There are companies, like TAG Solutions, that will do something called "Social Engineering". Basically, TAG will try to get into your company and find human error. They may pretend to be an employee, or some worker (mailman, repair man, delivery person, etc.). Then they go in and try to get sensitive information. This shows vulnerability in the company they infiltrate. They will find the holes in a company's security.
They will do security and awareness training, vulnerability management, risk management, penetration tests, and much more. TAG will find the security loopholes in your company (because every company has security holes), and make suggestions to fix them. If you want, they will even go so far as to actually patch up the holes rather than just suggesting remedies.
Both of these solutions will help companies prevent identity theft of their customers and employees, help protect against theft of passwords and valuable information, and in the long run, save companies money. Because, in the end, what costs more: patching up holes before they are found or fixing your company's reputation once you are infiltrated? I would go with option one.
If you want more information on these solutions visit our website at www.macsoureinc.com or contact Liz Rizzo at erizzo@macsourceinc.com