8 Security Practices to Use in Your Employee Training and Awareness Program
This might be hard to believe, but it is true: 59% of data breaches are happening not because of some smart hacker who wants to do harm to your company; those breaches are happening because of your own employees.
As I’ve argued in my article How a change in thinking can stop 59% of security incidents, in order to stop these incidents you have to focus on two things (other than investing in new technology): set your internal processes and procedures correctly, and train your employees and make them aware of the security threats.
In this article I’ll focus on the second issue: which topics to include in your security training and awareness program. The suggestions below are applicable regardless of whether your employees are using smart phones or computers, or whether they’re using their own devices or company equipment.
1) Authentication
Of course, your employees must use complex passwords, and must never tell these passwords to anyone.
This is because if their computer, laptop, smart phone, or any other device gets stolen, not only will the thief control all the data on this device – he will also be able to penetrate your company network and create havoc with your company data.
The best practice is to use special software called password managers, because with such software your employees will need to remember only one complex password, while the password manager will remember all the others. And the good thing is that one and the same password manager can be used for all of the employee’s devices.
Further, for the most important services like email and file sharing, your employees should use even more advanced techniques like 2-factor authentication – such techniques are available for free these days from most of the cloud providers, and provide a higher level of security even if the passwords get compromised. These 2-factor authentication systems can work together with a phone (by sending a text message to the legitimate user) or with special USB keys – without them, access to the account is not allowed.
2) Network connection
Unfortunately, wireless connections have proved to be very unsafe. For example, your employees should avoid Bluetooth whenever possible, because it has proved to be the easiest to break.
Public Wi-Fi networks are often not much better – hackers set up such networks in public places, claiming to be legitimate providers, with the purpose of gaining access to users’ Internet traffic. In this way, they can access all the passwords and other sensitive information. Therefore, one should be very careful about which network to connect to.
If the home or office Wi-Fi network is used improperly, it can also be the cause of a security breach – again, the passwords on the router must be complex enough, and WPA2 encryption should be set.
The connection to the Internet through the mobile telecom provider (i.e., 3G or 4G) is considered to be the most secure wireless connection, but it is very often the most expensive. Of course, using a fixed line is more secure than any wireless connection.
There is one method that makes the communication much more secure at a relatively low cost: using a VPN service. With a VPN, all the data that is transmitted is encrypted before it leaves the computer, so this is probably the best way to keep it safe.
3) Access to the device
Your employees should never provide access to their device to anyone else. OK, in some cases they will want to allow their spouses or children to access their computer for, e.g., playing games or shopping. But in such cases they should open a separate account on their operating system to allow this person to access the computer; such an account should not have administrator privileges, because otherwise that person would be able to (unintentionally) install malware.
Allowing someone to access the same account on a computer is a huge security risk – this person doesn’t have to do anything malicious – it is enough that they delete a couple of your files by mistake, or run some program that is not to be touched.
4) Physical security
Mobile devices, including laptops and smart phones, are the ones that are very often the target of thieves – not only because they want to resell the device, but also because they know the data on those devices can be far more valuable.
So, here are a couple of tips on how to protect a mobile device:
· Mobile devices should never be left in a car.
· They should never be left unattended in public places like conferences, airports, restrooms, public transport, etc.
· The devices should be kept with the user the whole time, or stored in a facility with no public access – e.g., a room or an office that is locked when no one is present.
5) Data encryption
No matter how careful your employees are, a laptop or a smart phone can still get stolen. This is why you should ask them to protect all of their data (or at least the most sensitive) with encryption. This is still not easy with smart phones, but this feature is included in most computer operating systems – it just needs to be turned on.
Since most of the data is now transferred or archived through the cloud, encrypting such data also makes sense. Most cloud providers claim they do encrypt the data in their systems; however, it might be better to encrypt the data before it reaches the cloud – you never know how much the cloud provider can be trusted.
6) Backup
If data is lost and everything else fails, backup is usually the last resort – in many cases, backup has saved not only days, but also months or years of someone’s work.
So, make sure your employees have the right backup system in place (very often a simple cloud service will do), but also that the backup is updated regularly. One word of caution: having a backup system means that data is stored in at least two places – e.g., on a computer and in the cloud. This means that keeping the data only in the cloud doesn’t constitute a real backup.
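As an added illustration (not code from the article or its author), the check below turns the two requirements of this section into something an IT team can run: every file in the source folder must exist in the backup copy with identical content, and the copy must have been refreshed recently. The directory names, the seven-day freshness window and the sample files are assumptions constructed for the demo.

```python
"""Verify that a backup copy is complete and fresh.

Added illustration; the folder layout, the freshness threshold and the
sample files are constructed assumptions, not part of the original article.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path
from typing import Optional


def _sha256(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_backup(source: Path, backup: Path,
                 max_age_seconds: int = 7 * 24 * 3600,
                 now: Optional[float] = None) -> dict:
    """Compare a source tree against its backup copy.

    Returns a dict with:
      missing: files present in source but absent from the backup
      changed: files whose backup content no longer matches the source
      stale:   True when the newest file in the backup is older than max_age_seconds
    """
    now = time.time() if now is None else now
    missing, changed = [], []
    for src_file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src_file.relative_to(source)
        dst_file = backup / rel
        if not dst_file.is_file():
            missing.append(str(rel))
        elif _sha256(src_file) != _sha256(dst_file):
            changed.append(str(rel))
    newest = 0.0
    for b in backup.rglob("*"):
        if b.is_file():
            newest = max(newest, b.stat().st_mtime)
    stale = (now - newest) > max_age_seconds
    return {"missing": missing, "changed": changed, "stale": stale}


def demo() -> dict:
    """Build a constructed laptop/cloud pair in a temp dir and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "laptop"
        bak = Path(tmp) / "cloud_copy"
        (src / "reports").mkdir(parents=True)
        bak.mkdir()
        # constructed sample data: one good copy, one outdated copy, one file never backed up
        (src / "reports" / "q1.txt").write_text("quarter one")
        (src / "notes.txt").write_text("version 2")
        (src / "new.txt").write_text("never backed up")
        (bak / "reports").mkdir()
        (bak / "reports" / "q1.txt").write_text("quarter one")
        (bak / "notes.txt").write_text("version 1")
        # make the backup look 30 days old so the freshness rule trips
        old = time.time() - 30 * 24 * 3600
        for p in bak.rglob("*"):
            os.utime(p, (old, old))
        return check_backup(src, bak)


if __name__ == "__main__":
    print(demo())
```

Hashing rather than comparing sizes or timestamps catches a copy that silently diverged, and the freshness rule is what separates "we have a backup" from "we had one once"; point it at the real source and backup paths and run it on a schedule.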
7) Software installation and patching
First of all, you should provide a list of allowed software to your employees, and allow the installation of only that software onto the devices that are used for business purposes. Very often, there are some games or utility programs that are offered as free downloads on the Internet, only to be discovered later that they were used by hackers to inject viruses onto your employees’ computers with the purpose of extracting information.
Unfortunately, the approved software will also have security vulnerabilities, allowing malware to be installed on the device – this is why it is crucial to install all the security patches as soon as they are published. The best would be to ask your employees to set the updates to be installed automatically.
8) Basic security “hygiene”
There are some security practices that should be considered as normal, for instance:
· Your employees should install anti-virus software, and enable its automatic updating.
· The firewall on the computer should be turned on, and the traffic that is allowed should be chosen very carefully – only the applications that are trusted should be allowed to communicate with the Internet.
· Links in emails should be clicked very carefully – some links might take your employees to infected websites, and it is enough for a visitor to spend a fraction of a second on such a website for a virus to penetrate the computer.
· Similarly, surfing the Internet on suspicious websites should be avoided – as explained, some of the websites are developed with the sole purpose of spreading malware.
· Transferring data with USB flash drives should be avoided – they are the easiest way to infect a computer with a virus, because it is very difficult to stop such a malicious program once the device is physically connected to the computer.
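The warning about email links can be turned into a simple screening check that a mail gateway or a training exercise can apply. The following added example (not from the article or its author) parses an HTML message and flags links whose visible text names one domain while the href actually points to another; the sample message and the domain names in it are constructed, and the heuristic only covers this display-text mismatch, not every kind of harmful link.

```python
"""Flag links whose visible text names a different domain than the href.

Added illustration; SAMPLE_EMAIL and every domain in it are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# a bare domain name in the link text, e.g. "portal.example.com"
_DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)


def _host(url: str) -> str:
    """Normalised hostname of a URL or bare domain (lower-case, 'www.' dropped)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return (href, visible_text, reason) for links that deserve a second look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = _host(href)
        if urlparse(href).scheme not in ("http", "https", "mailto", ""):
            findings.append((href, text, "non-web scheme"))
            continue
        match = _DOMAIN_RE.search(text)
        if not match:
            continue  # plain wording such as "Read the policy" carries no domain claim
        claimed = _host(match.group(1))
        # a subdomain of the claimed site (login.example.com for example.com) is fine
        if target != claimed and not target.endswith("." + claimed):
            findings.append((href, text, "text domain differs from link target"))
    return findings


# constructed sample message: one honest link, one lure, one link with no domain in its text
SAMPLE_EMAIL = """<p>Your mailbox is almost full.</p>
<a href="https://mail.example.com/quota">Check quota at mail.example.com</a><br>
<a href="http://example-login.invalid/reset">https://portal.example.com/reset</a><br>
<a href="https://docs.example.com/policy">Read the policy</a>"""


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: text '{text}' -> {href}")
```

Running it on the constructed message reports only the second link, whose text shows a company portal address while the href goes elsewhere; that mismatch is exactly what employees are told to look for by hovering over a link before clicking.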
Invest wisely in your security
Of course, each company will have to adapt its training & awareness programs according to its own needs, so you should not take these 8 items as a definitive list. The best would be to use a framework like ISO 27001, the leading information security standard, to provide you with detailed guidance on how to perform security training & awareness. See also: How to perform training & awareness for ISO 27001 and ISO 22301.
No matter how you train your employees and how you make them aware of security, remember the most important thing: simply purchasing new technology won’t increase your level of security; you also have to teach your people how to use that technology properly, and explain to them why this is needed in the first place. Otherwise, this technology will only become what business owners fear the most: a wasted investment.
*Author: Dejan Kosutic
*Translators: Bill, Terry   Reviewer: 小九