(Lack Of) I.T. Security In The Workplace.

I look after everyone's general I.T. needs in my company. The company probably has a better security policy for its computers than many others, but it always seems that the end-users are so poorly trained to begin with that it's impossible to give them advice, as they are so set in their ways (or more likely don't give a *Fully star out swearing!*)

Things I see that scare the crap out of me.

Super weak passwords. Like password is the password or username is the password!

Sending credit card details / bank details via email.

Never keeping their computers up to date, windows updates, new software versions etc.


The scariest part is many staff show no interest or knowledge in basic security practices but all own computers at home which they use for online shopping. I imagine many of their home machines have no anti-virus or firewalls and no windows passwords set-up at all + weak passwords for other online services.

The normal attitude is 'it will never happen to me' (ID theft, bank details stolen etc)

Surely prevention is better than cure?

I always think you've got to be into computers to have a computer (and be safe)
I imagine most compromised machines on botnets contain users that all want their facebooks & twitters but have no clue and/or don't give a *Fully star out swearing!* how their technology works.

Things can only get worse with so much more malware being written these days?
 
Whenever I ask any customer to log in to their machine for me to use, the normal response 9 times out of 10 is, "the password's under the keyboard" - where I promptly find a password on a post-it. *facepalm*
 
<snip>

Super weak passwords. Like password is the password or username is the password!

Sending credit card details / bank details via email.

Never keeping their computers up to date, windows updates, new software versions etc.

<snip>

You can easily fix two of those problems

1) create a WSUS server, free and very easy to use, to push the updates to the clients

2) create a GPO to force the users to use a more complex password
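An added example, not code from anyone in this thread, that checks a single Windows client for the two controls just suggested: whether Group Policy has pointed it at a WSUS server, how long since it last installed a fix, and what account policy it is actually enforcing. The registry paths are the documented Windows Update policy keys a GPO writes; the WSUS URL in the commented lines is a placeholder, not a real server.

```powershell
# Added example: audit one Windows client for WSUS-managed updates and the
# effective password policy. Run in an elevated PowerShell prompt on the client.
# The registry paths are the documented Windows Update policy keys that a GPO
# writes; http://wsus.example.local:8530 is a placeholder, not a real server.

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"

$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

if ($wu.WUServer -and $au.UseWUServer -eq 1) {
    Write-Output "Updates : managed by WSUS at $($wu.WUServer)"
} else {
    Write-Output 'Updates : NOT pointed at WSUS by policy; the client decides for itself'
    # To apply it by hand on a test box (a GPO should do this in production):
    # New-Item -Path $auKey -Force | Out-Null
    # Set-ItemProperty -Path $wuKey -Name WUServer       -Value 'http://wsus.example.local:8530'
    # Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value 'http://wsus.example.local:8530'
    # Set-ItemProperty -Path $auKey -Name UseWUServer    -Value 1 -Type DWord
}

# How stale is the machine? Look at the most recently installed hotfix.
$lastFix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if ($lastFix) {
    $days = [int]((Get-Date) - $lastFix.InstalledOn).TotalDays
    Write-Output ("Last fix: {0} installed {1:d} ({2} days ago)" -f $lastFix.HotFixID, $lastFix.InstalledOn, $days)
} else {
    Write-Output 'Last fix: none recorded'
}

# Effective account policy. On a domain member this reflects what the domain
# GPO pushes, so it shows whether item 2 above has actually landed.
Write-Output 'Password policy:'
net accounts | Where-Object { $_ -match 'password|lockout' }
```

Run it on a few machines that users swear are "up to date"; a WUServer that is blank and a last hotfix months old is the usual finding, and the `net accounts` lines tell you straight away whether the password GPO applied or is sitting in an OU nobody linked.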
 
I'd argue it's not the IT security that's the problem it's the users. They'll soon change their tune when something bad happens.

You can enforce all sorts of lockdowns via Group Policy but the really ignorant users still find a way around it. My work (finally) enforced complex passwords, so the users started writing them down on post-it notes. A manager at our place did a sweep round a floor one evening and binned any they found, then complaints started rolling in. Start suspending accounts and they soon learn. :D
 
Whenever I ask any customer to log in to their machine for me to use, the normal response 9 times out of 10 is, "the password's under the keyboard" - where I promptly find a password on a post-it. *facepalm*

To be honest, that's more secure* than keeping it on the computer.

*Ignoring other residents/burglaries.
 
My work (finally) enforced complex passwords, so the users started writing them down on post-it notes. A manager at our place did a sweep round a floor one evening and binned any they found, then complaints started rolling in. Start suspending accounts and they soon learn. :D

I always think writing down complex passwords and keeping them on a post it note under the keyboard is a much better security practice than using weak passwords that users can easily remember.

Being hacked is far more likely than the offices being broken into and passwords being stolen that way. There's always a chance your colleagues will find your passwords and meddle with them, no-win situation.

Should use KeePass or other password encryption software but people never tend to use more than they have to.

Management are often just as bad or worse!
 
Indeed on the GPO, our users have to have a minimum of 6 characters, including at least 1 number, one capital and one special.

I always suggest phrases or words written like the following:

0v3rClocker$
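As an added example (not from any poster here), a check of candidate passwords against the rule stated above: at least 6 characters with a digit, a capital and a special character. It adds two checks of my own: the password must not contain the account name (the built-in Windows complexity rule rejects that too), and it must not be a common word dressed up with the usual letter-for-symbol swaps. The banned-word list and the account name `jsmith` are constructed for the example.

```powershell
# Added example: test candidate passwords against the rule stated above
# (6+ characters, at least one digit, one capital and one special character),
# plus two checks of my own: the password must not contain the account name
# (the built-in Windows complexity rule also rejects that), and it must not
# be a common word dressed up with the usual substitutions. The banned-word
# list and the account name 'jsmith' are constructed for the example.

$BannedBases = @('password', 'welcome', 'letmein', 'qwerty', 'company')

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $UserName
    )
    $failures = @()
    if ($Password.Length -lt 6)             { $failures += 'shorter than 6' }
    if ($Password -cnotmatch '[A-Z]')       { $failures += 'no capital' }
    if ($Password -notmatch '\d')           { $failures += 'no digit' }
    if ($Password -notmatch '[^A-Za-z0-9]') { $failures += 'no special character' }

    if ($Password.ToLowerInvariant().Contains($UserName.ToLowerInvariant())) {
        $failures += 'contains the username'
    }

    # Undo the common letter-for-symbol swaps and drop everything that is not a
    # letter, so "P@ssw0rd1" is still recognised as "password".
    $base = $Password.ToLowerInvariant()
    $base = $base -replace '@', 'a' -replace '\$', 's' -replace '0', 'o'
    $base = $base -replace '1', 'i' -replace '3', 'e' -replace '[^a-z]', ''
    foreach ($word in $BannedBases) {
        if ($base.Contains($word)) { $failures += "built on the banned word '$word'"; break }
    }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($failures.Count -eq 0)
        Failures = ($failures -join '; ')
    }
}

# The thread's own examples plus one that ticks every box and is still guessable.
$candidates = @(
    @{ Password = 'password';     UserName = 'jsmith' }   # "password is the password"
    @{ Password = 'jsmith';       UserName = 'jsmith' }   # "username is the password"
    @{ Password = 'P@ssw0rd1';    UserName = 'jsmith' }   # complex on paper, dictionary underneath
    @{ Password = '0v3rClocker$'; UserName = 'jsmith' }   # the phrase suggested above
)
$candidates | ForEach-Object { Test-PasswordPolicy -Password $_.Password -UserName $_.UserName } |
    Format-Table -AutoSize
```

The first two candidates fail on several counts, `0v3rClocker$` passes, and `P@ssw0rd1` satisfies every tick-box in the GPO yet is still a dictionary word; that third case is the one a complexity rule on its own never catches, which is why a real deployment swaps the five-word list here for a proper breached-password list.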
 
<snip>

Things can only get worse with so much more malware being written these days?

That is the most pressing issue!
 
Being hacked is far more likely than the offices being broken into and passwords being stolen that way. There's always a chance your colleagues will find your passwords and meddle with them, no win situation

<snip>

Management are often just as bad or worse!

I'm going to guess you work in a small business. Move to a larger organisation with rudimentary building security and you can have people that shouldn't be there wandering around the building unnoticed. Couple a name with someone's post-it note password and some homeworking access and they can potentially hack at will from anywhere and obtain access to personal, private and financial information about tens of thousands of people.

As for management, I can't disagree. Many many years ago I did helpdesk support for one of the largest travel companies in the UK. On my third day I was listening in to calls and training with one of the experienced guys and the first call of the day was the IT director who needed a password reset. The guy got rather prickly when we did the usual ID checks and he subsequently put an official complaint in to the top level of the company I worked for. They backed us up 100% and it caused rather a big stink...
 
I have 4 (maybe more) passwords I have to use at work and all are capital/number/special etc. and they enforce a change on all every 3 or 6 months. It is ridiculous, how on earth is any normal person supposed to remember them all? This isn't even including the RSA SecurID thing with its PIN number.
 
I have 4 (maybe more) passwords I have to use at work and all are capital/number/special etc. and they enforce a change on all every 3 or 6 months. It is ridiculous, how on earth is any normal person supposed to remember them all? This isn't even including the RSA SecurID thing with its PIN number.

I have seven different passwords with 3-month change policies.

I can remember them all.

I bet you're one of those people who doesn't know their own phone number...
 
I always think writing down complex passwords and keeping them on a post it note under the keyboard is a much better security practice than using weak passwords that users can easily remember.

Being hacked is far more likely than the offices being broken into and passwords being stolen that way. There's always a chance your colleagues will find your passwords and meddle with them, no-win situation.

You say that but when I've done social engineering tests on site security the password under the keyboard or in the top drawer is golden. Not to mention a lot of people will give over their password if asked in the right way.

At the end of the day security has 3 layers:
Mathematics - the encryption and the hashing etc
Technology - the use of the mathematics
People - those who use the technology

The maths is sound, the tech works well most of the time but the people are unpredictable. So the technology has to underpin the people just like the maths underpins the technology.

Put a case forward to management about the risks faced and try and get some budget to fix it.
 
Our place has terrible security, everything is stored on one server and on the Macs we can literally access everything, from the disciplinary records to the pay reviews to the profit and loss forecasts to the repayment schedules for new plant.

We have an IT Manager, and I just checked and he's on £45,000 p.a.
 
I have seven different passwords with 3-month change policies.

I can remember them all.

I bet you're one of those people who doesn't know their own phone number...

I know maybe 4 of my 5 phone numbers...do you get the point yet?

I bet you are one of these people that nobody talks to...
 
Sending credit card details / bank details via email.

Their own or customers'? .... if it's the latter then you could have an even bigger problem than you think (PCI-DSS).

To be fair to the users they shouldn't have to keep their systems up to date as patch releases should really be enforced centrally and so should password complexity rules.

Do you have a published IT Policy which lists the users' responsibilities and indicates what they can and cannot do?
 