Holiday season is like any other time of year for IT security, except more so. Users shop, hunt for bargains, book travel, and check and manipulate their bank accounts a lot more than they do the rest of the year. They’re also often stressed and strapped for cash, so they’re more susceptible to phishing, fake promotions and discounts, and other tricks that grab personal financial information and inject malware into devices and networks. Check out McAfee’s 12 Scams of Christmas blog to learn about some of the more prevalent threats that emerge big time before and during the holiday season.
This is not only a threat to the online consumer, but, thanks to the consumerization of IT, to the enterprise as well. Users hunting for bargains and hitting social networks and personal email at the office or home put the network in danger of malware infection and data theft. Their devices can get infected at home and spread that infection across the enterprise the next time they connect. Those who tend to use the same password for everything can give hackers a way into your company network to steal your company’s intellectual property.
Holiday season, or shortly before, is a good time to reassess your corporate policy and security architectures and re-educate your staff about all the dangers out there. Some of the things to consider and reconsider are:
Passwords: In addition to the usual password policies, users should know they should not use the same passwords for shopping, Web sites, and social networks that they use for work applications.
Smart Phones: If your company embraces multiple smart phone platforms, it’s time to re-educate users about device theft, data theft, and malware hazards. This is particularly true for Google Android, which has seen a huge increase in malware in the past year. Users should know what and from where they’re permitted to download and should be trained to recognize signs of possible hazards, such as software that seeks permissions it doesn’t really need. Corporate data should be encrypted in transit and at rest. And consider implementing or updating a centralized mobile management solution.
Virtualization: An effective way to bring in home laptops safely is to separate home and work applications, data, and other items into separate virtual machines so users can do what they want at home without worrying about affecting the work environment.
Endpoint and Gateway Protection: Make sure they are installed, managed, and up to date to guard against the latest threats. An effective network access control (NAC) implementation will ensure that anything that connects to your network is up to date with the latest security patches and software.
Acceptable Use Policy and Enforcement: Examine your company’s acceptable use policy to make sure it is up to date with the latest uses and threats, and make sure you have the systems in place at the gateway and endpoint to enforce it.
Education: Educate users about the latest scams, including phony bargain sites, e-cards, friend requests, charity solicitations, delivery service invoices, online job postings, auction sites, Christmas carol lyrics, banking emails, mobile applications, antivirus scareware, holiday screensavers, etc. Start with the 12 Scams of Christmas and keep them up to date with the new scams that appear monthly or weekly so they know how to look out for them. Users should report any scams they discover, and others should be alerted.
The moral: If it sounds too good to be true, it probably is.
For more on this topic, join McAfee on Twitter this Thursday, 12/8 at 11am PT, as the @IntelSec_Biz feed hosts their monthly #SecChat on the topic of enterprise security awareness. Join the stream by following the #SecChat hashtag to share your thoughts and feedback as we discuss trends, challenges and solutions in building a comprehensive security awareness program.