Cyber security an important issue for employees
Staysafeonline.org and Forrest Anderson, cyber security officer
First of two parts:

What does Cyber Security mean to ITD employees?
The policy of the state of Idaho is to ensure the confidentiality, integrity, and availability of information provided to the State by its citizens. The state is required to protect information from unauthorized access, modification, destruction or disclosure, and to ensure the physical security of information.
The department has a responsibility and an obligation to ensure that all information generated, acquired by or on behalf of, or held by ITD within its business and information systems is appropriately secured.
All ITD employees share a responsibility for the security and integrity of the department's information systems. There are well-established processes for protecting the information systems and data currently in use by the department, which include:
These defense strategies have been effective in protecting department systems and data, but they can be made less effective through the deliberate or misguided actions of the people who use those systems. It is extremely important that all employees take seriously their responsibility to safeguard the systems and data they use.
Here are just a few things employees should consider:
- Clicking on email attachments or opening emails from unknown senders – Most people know that this is not a good idea and yet seem unable to resist the temptation. Department email goes through several levels of anti-virus scanning, spam filtering and attachment filtering before it reaches the employee's mailbox. That minimizes the risk, but it does not remove it.
Some people who access home email from work fail to realize that their home email may not be subject to the same rigorous scanning we use, and may expose the department to something potentially destructive.
- Installing unauthorized applications – The department maintains standardized software applications to support the business of the department and to facilitate the productivity of its employees. The installation of an unauthorized application may cause conflicts, support problems and downtime. There is also the risk of introducing a potentially malicious program which could damage or otherwise compromise important systems or information.
Many so-called free programs contain more than expected or wanted. Many of the file-sharing applications for downloading or sharing music and pictures can violate computer use policy and compete for limited network resources that are needed by legitimate applications. Instant Messaging may fall into this category if it is not used for legitimate purposes, and IM attachments may contain potentially harmful programs.
- Turning off or attempting to disable automated security tools – Sometimes there is a temptation to turn off or circumvent anti-virus scanning and software patch updates because of the perception that they interfere with real work. What we need to understand is that these are important parts of working in a networked environment.
These tools protect not only the systems you are working on but also the systems you connect to as part of the network. If you are experiencing problems, it is important that you work with your system administrators to resolve the issues instead of attempting to bypass these tools.
- Surfing inappropriate and potentially illegal or dangerous Web sites – Internet access on department computers and networks is meant to facilitate the employee's ability to do their work. Certain Web sites are blocked because they may violate computer use policies or represent a potential legal risk to the department. These include categories such as Adult, Gambling, Racism/Hate, Militancy/Extremism and Games.
Some Web sites are blocked because they represent a potential security risk for the employee or the department. These sites may contain spyware or potentially malicious applications such as Trojans, viruses and worms, or may try to steal personal information. The department uses internet monitoring and blocking tools which do a good job but may not be 100% effective. Employees are expected to be conscientious about their online activity.
- Exposing or sharing passwords or access tokens – Despite continuous urging to the contrary, estimates are that 1 in 3 people write down or save their password somewhere near their computer. A sticky note stuck to the monitor, under the keyboard or in a desk drawer is not good security practice.
The network account and password provide the unique identification needed to determine access permissions. If that account and password are compromised, you may be allowing someone to assume your identity on the system. Once they gain access, it may be possible for them to launch other attacks or obtain permissions they should not have. Some common attacks on computer systems begin by trying to get unsuspecting people to give out or otherwise share their password.
Do not leave computers logged in when unattended, and use automated password-protected screen savers where possible.
- Giving out or posting personally identifiable information – Use caution and discretion when filling out online surveys and forms or posting personally identifiable or department information. Try to determine how the information is to be used and whether it will be protected. Many people receive spam as a result of having innocently given out their email address on a survey, web page or posting to an online chat room. Too much information about who you are and what you do can also be used in identity theft, or by others who may be trying to access or compromise a system by impersonating you. No reputable company will send you an email requesting personal information such as account numbers or passwords.
No one from Nigeria wants to give you money. Read those agreements before you click 'I accept'. Remember that anything posted to the internet remains forever and may not be a good representation of yourself or the department.
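The first item above says department email passes through attachment filtering that reduces the risk but does not remove it. The following is an added example, not code from the article or from ITD's mail gateway: a minimal attachment policy check in Python, run over a constructed message, that shows what name-based filtering catches (executable extensions, double extensions, extensions hidden behind padding spaces, executables inside a zip) and where it stops (an encrypted archive member cannot be inspected at all). The blocked-extension list, message contents and function names are assumptions made for the illustration.

```python
"""Minimal mail attachment policy check (illustration, not a production filter)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Tuple

# Assumed block list for the illustration; a real gateway has a longer one.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".js", ".hta"}

# Bit 0 of the zip "general purpose flag" marks an encrypted member.
ZIP_ENCRYPTED_FLAG = 0x1


def classify_filename(name: str) -> Optional[str]:
    """Return a reason to block the attachment based on its name, or None."""
    lowered = name.strip().lower()
    # Collapse whitespace: "report.pdf            .exe" is a classic trick to push
    # the real extension out of view in a narrow mail-client column.
    lowered = " ".join(lowered.split())
    if "." not in lowered:
        return None
    # Only the last extension decides how the OS opens the file, so a double
    # extension like "invoice.pdf.exe" is judged by ".exe".
    ext = "." + lowered.rsplit(".", 1)[1].strip()
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    return None


def classify_zip(data: bytes) -> Optional[str]:
    """Look inside a zip attachment; report blocked members or members we cannot see."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.flag_bits & ZIP_ENCRYPTED_FLAG:
                    # The member list is visible but the content is not: the
                    # scanner cannot judge it, which is why such mail still gets through.
                    return f"archive member {info.filename} is encrypted: cannot be scanned"
                reason = classify_filename(info.filename)
                if reason:
                    return f"archive contains {info.filename}: {reason}"
    except zipfile.BadZipFile:
        return "attachment claims to be a zip but is not parseable"
    return None


def scan_message(raw: bytes) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every attachment the policy would reject."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reason = classify_filename(name)
        is_zip = name.lower().endswith(".zip") or part.get_content_type() == "application/zip"
        if reason is None and is_zip:
            reason = classify_zip(part.get_payload(decode=True))
        if reason:
            findings.append((name, reason))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: one disguised executable, one zip with an executable, one clean PDF."""
    msg = EmailMessage()
    msg["From"] = "unknown-sender@example.invalid"
    msg["To"] = "employee@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    # "MZ" is the DOS/Windows executable header; the payload bytes are a stand-in.
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/holiday.scr", b"MZ\x90\x00")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="photos.zip")
    msg.add_attachment(b"%PDF-1.4\n", maintype="application", subtype="pdf",
                       filename="agenda.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, why in scan_message(build_sample_message()):
        print(f"REJECT {filename}: {why}")
```

The check reports `invoice.pdf.exe` and `photos.zip` and lets `agenda.pdf` through. Note what it does not do: it never looks at the bytes of a non-archive attachment, it cannot see into an encrypted zip, and a renamed executable (`setup.txt`) passes by name alone. That gap is exactly why the article still asks employees not to open attachments from senders they do not know.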
Summary

The first step in protecting something from risk is to understand the threat. Once the threats are understood, a strategy for remediation can be developed. Cyber Security is about implementing appropriate remediation strategies to protect the employees, the information and the systems of the department, based on the classification of those assets.

The more sensitive or valuable an asset is to the department, the more important the processes that protect it become. Cyber Security is not about making everything so restrictive that people cannot function or accomplish their jobs. It must have balance, be cost effective and meaningful, and it depends on everyone's participation and support.
If you have any Cyber Security related questions, comments or concerns, you can call me, ITD's Cyber Security Officer, at 334-8158 or contact me via e-mail at forrest.anderson@itd.idaho.gov. You also can address e-mail to Cybersecurity@itd.idaho.gov