With Facebook announcing its instant personalization idea (a concept to let websites include widgets displaying what your Facebook friends think about topics related to the website content), yet another long, hard, look at security in our new web age seems in order.
It's gotten to a point where security is so lax that it almost seems irrelevant, like a subconscious acceptance of open season for hackers and criminals from here on out. And expecting governments and corporations to create some form of "silver bullet" solution that will solve all our security problems is, well, unrealistic.
No, the onus is on us to take this seriously. While many of us are fortunate enough to not have ever been a personal victim of identity theft or computer hacking, it's no excuse to wait until it's too late to get smart.
I discussed security best practices with Robert Sugrue, managing director for Insite Security, a company that helps high-profile individuals (executives and government officials) protect themselves. Here are a few simple takeaways.
· Don't tweet where you are, or any personal information. We like to talk about the security risks with Facebook, but what about Twitter? Anyone can access what you say, no questions asked. (There are ways to lock down your account, but that sort of defeats the purpose of Twitter.) People have gotten in the habit of tweeting where they are, when, and what they're doing. Aside from the obvious risk (someone breaking into your house!), there are a lot of other unintended consequences when suddenly anyone has access to where you've been and who've you been with. So unless you have absolutely nothing to hide, use a little discretion.
· Don't think LinkedIn is safe. Because LinkedIn is a professional networking site, we think it's safer. But this is a big source of security lax—most people post their resumes, which include a home phone number and address. Drop all personally identifiable information from your profile and resume on LinkedIn.
· Avoid web security questions, or only use very complex answers. Most online bank accounts and email accounts require you to have a few security questions, such as "What is your mother's maiden name?" or "Where were you born?" "With the Internet, you can easily do Google research on someone and find out answers to their security questions. I think that's how Sarah Palin got hacked," said Sugrue.
A better policy is to make up your own questions or use answers written in code with special characters.
· Educate users about strong passwords. In the never-ending battle to get users to use strong passwords, IT is losing. If you make the password requirements complex, people put a sticky note on their monitor with the password. So what to do? Educate users on how to make some form of logical password scheme so they can create strong passwords that are memorable.
· Avoid mixing business and personal, where possible. Any system is only as strong as the weakest link, which is often a personal device, home network, company laptop brought home at night, or anything else where an organization's systems are intermingled with the less secure personal world of an individual. Where these interactions can be reduced without significant effects on efficiency or cost, they should. "We've had incidents where an executive will have their home network unsecured, co-mingling corporate information with home information. Anyone can drive down the street, they've never changed the password on their router, and now that person is exposed to propriety corporate information," said Sugrue.
With so many potential security holes, it begs the question: Is it worth trying to educate users about best practices for social networks and personal sites? Or should IT just block access and stop the problem in its tracks? Sugrue thinks you can gain adequate security without disrupting people's sites."I guess it depends on how much time you think you're losing productivity online. That's a different topic. I don't know if a wall of regulation is always the answer. I think you have to educate people and have a baseline policy. Sure, the easiest thing to say is no Facebook and no Twitter."
I'm sure much of this information is just a refresher for you, but please take the time to educate your company's employees. Most people still aren't taking this seriously. Consider working with HR to set up an internal campaign to increase awareness of the dangers of social networks and some best practices to use.
What errors have you seen users making, and what solutions do you recommend?