Network Security: How Employees and IT Can Keep Laptops Safe
Your employees may take the corporate laptop on summer holiday and bring back security risks to your network
by Margaret Dawson
It's a hard truth that your employees present the greatest risk to network security, as they unknowingly or ignorantly download dangerous viruses, go on Web sites that enable keystroke loggers, or open e-mail messages with dangerous spam attachments, among other things. In spite of your efforts to equip all corporate laptops with anti-virus, anti-spyware, and anti-spam, as well as implementing clear security policies, employees often ignore the rules and disable the firewall or other solutions or don't keep their security products or operating system updated, putting your network and your corporate data at risk.
The potential threats against your network brought on by mobile laptops is heating up just like a Florida beach in July. Laptops are frequently taken with employees on vacation or are used as the family computer at home, and employees let their children surf the Web, IM with friends, and check out the latest MySpace sites, typically from unsecured wireless networks.
When that employee returns from vacation, how can you be sure the laptop is safe and up to date and doesn't pose a threat to your network? Unfortunately, most companies don't know and only find out when the network or data is compromised.
A simple answer may be to stop giving employees mobile laptops or implement strict policies about laptop use away from the office -- but we all know that won't work and is not the answer. Today's mobile workforce demands flexibility in both where, when, and how they work, and IT's job is to enable this mobility and allow employees to be productive from anywhere at anytime. That means laptops will continue to move in and out of your network, bringing the increased worker productivity and the increased security risks with them.
Safe mobile computing takes work from both the employees and the IT staff, and there are clear steps both groups can take to ensure that your corporate network is safe.
To help you raise awareness of the security risks with your employees, here's a simple and clear Memorandum for all employees to read that IT staff can post and e-mail.
ATTENTION ALL EMPLOYEES WITH LAPTOPS
1. Know our security policies and adhere to them
- If you have never seen the rules required around security of your laptop, ask someone in IT or HR for a copy.
- Make sure your laptop complies with those polices. If you don't know how to check that, then ask your friendly IT staff to run a check for you. (We actually love stupid IT questions!)
2. Activate Internet controls
- Every Web browser includes options to increase the level of security when you are on the Internet and to implement controls on what Web sites users can visit. You can even require a password to be entered any time your children try to visit a Web site that you have not previously approved.
- While it may be a pain to keep entering your password every time you or someone in your family tries to go on a new Web site, it's worth it. Without these controls, your children could easily go on a dangerous Web site or accidentally allow a pop-up advertisement that presents a serious threat to your computer and your personal information.
3. Make sure your firewall and anti-virus solutions are turned on and up to date
- Every Windows and Macintosh computer has a built-in firewall to add protection. Make sure your children don't turn it off (yes, they know how to do that), and if they do, go to the Security Center on your laptop and make sure the firewall feature is "on."
- With anti-malware solutions, we know it takes time to download signature updates, but if you don't, you can bet it will be the one time your system gets attacked by the latest worm or virus.
- If you do not have our standard anti-malware solution installed on your system, please ask IT for it now.
- It's a good idea to have all your home systems running updated anti-malware software.
4. Update your operating system with the latest security updates
- Although attacks against Windows and other operating systems have gone down, the operating system is still a popular attack front.
- Regularly download updates from Microsoft or Apple and that you take the time to complete the update.
5. Don't let children/non-employees use the corporate laptop
- Someone, especially children, left unattended on your corporate laptop can accidentally download a virus, a keystroke logger, and many other forms of malicious software that could literally bring down our entire network.
- While we realize that the company laptop may be the only one that goes on vacation with you this summer, and the children just must IM with their buddies back home every day and check out the latest changes on their friends' MySpace sites, please remember that the laptop is company property.
Your IT Department
If all employees follow these steps, you're off to a good start. However, IT needs to do its part as well. For IT departments, you need to make sure the foundation is set for your employees to follow these steps. For example, make sure you have a clear security policy in place. You can criticize your employees for doing stupid things that impact security, but if your company does not have a security policy, then you are as much to blame. Either draft a new one or dust off your old one and update it, get it approved by the CEO and head of IT, and communicate it broadly to all employees via e-mail and whatever Intranet sites you have.
A good security policy includes many areas of company security, including guidelines on software allowed on corporate laptops and mandatory solutions, such as anti-virus. There should also be clear security policies about Internet use and what Web sites should and should not be visited while on the corporate network or while using the corporate laptop. For great examples of security policies, I recommend visiting an objective third party called the Sans Institute: http://www.sans.org/resources/policies/Policy_Primer.pdf.
Another good idea is to implement a security alias or hotline for employees to contact if they have a security question or crisis. Many companies do this outside the normal help desk operation to make sure that high-risk security situations get top priority.
Beyond policies and employee communication, make sure your infrastructure is secure by taking a layered security approach. Defense in depth is a term we've heard a great deal over the past few years, but the strategy remains sound. IT departments for companies of any size need to view and manage security across the infrastructure, including at the end point (laptops, desktops, and mobile devices), at the server level, and at the network edge.
You also need to look at solutions that bring these pieces together and make sure the different security solutions are working properly and are providing data that you need to make proactive (not reactive) decisions. For example, no matter how many security solutions you deploy and require on employee laptops, if you don't have a way to inspect that end point and ensure that it meets policy and is safe, you are opening your network to huge risk. One way to fix this is by using a network access control solution (sometimes called NAC).
Although Cisco and Microsoft have made NAC a popular term among large enterprises, there are many solutions on the market. Look for one that does not require a large investment or back-end server infrastructure and that allows you to easily manage laptop security enforcement, user identity enforcement, and guest Internet and printer access. There are solutions that combine appliances with online management services that are more cost effective and provide real-time reporting and alerting services.
It only takes one laptop to bring down your network. Whether you know it or not, it is highly probable that you have multiple unhealthy computers connected to your network -- regardless of your existing security infrastructure. I meet regularly with customers, and I have not yet met an organization that didn't find at least one computer on its network that was out of compliance or presented a direct threat to the network. No matter how many security solutions, authentication schemes, and network firewalls a company has in place, if they don't have a way to check devices before they access the network, they run the risk of having a virus or other threat spread across the company.
You may not be able to control everything your employees do, but you can start to take control back of their mobile computing practices and to implement better policies and solutions that make sure all devices accessing the network are healthy and secure. Together, these steps will keep your network safer.
- - -
Margaret Dawson is vice president of marketing and product management for Napera Networks. She has worked in the IT industry for nearly 20 years, including several years in the network security, remote access, and network access control markets. You can reach the author at Margaret.firstname.lastname@example.org.