This is why you need policies and procedures – #BeCyberSmart

A quick watch of 15 seconds of the Linus Tech Tips video below will illustrate the problem I am going to highlight today.

So here is the question you need to answer:

If you provide your team with work laptops – can they then lend them to their children/partner/friend/next-door neighbour/taxi driver (delete as required) to play games on?

Have you even asked that question?

If yes and you have come up with an answer – did you then create and issue a policy for the device?

My opinion, and that of many other cyber security professionals, is that the best security and privacy policy is that business devices you issue to your team are for business use only.

However, sometimes that is just not possible when it comes to business owners and board members who have work devices which they also use for personal things. This is the situation I encounter at many smaller organisations where the senior management team also own the business.

Here are some extra rules to help manage this:

  • No one but the laptop owner/user can use it.
  • Use all the available PIN and biometric options to log in – do not share the PIN.
  • Strictly obey “Free up space” when using the company SharePoint or OneDrive.
  • Encrypt the laptop drive.
  • Have a policy covering which software can be installed subsequently.
  • Install all the monitoring and security software (or similar) that we use at Octagon Technology.

Writing policies and procedures, coupled with staff training that supports them, will create real-world security and compliance. However, for it to work I often have to say “NO” to some of the things these senior people want to do. It can be difficult for “in-house” IT support to say “NO”, as they are often related to, or a friend of, the person who needs to be told “NO”. That is why it is useful to outsource this type of work to us at Smart Thinking – we have the experience and can say “NO” – it means they actually end up with a secure, compliant system top to bottom.

Clive Catton MSc (Cyber Security) – by-line and other articles

Cybersecurity Awareness Month