In case the link doesn’t work for you, the author tells a compelling story about how hard it is to get people to lock their computers when they step away from their desks. I agree – it’s miserable trying to convince people that this is an important security control that they should spend time on. You can teach, nag, cajole and people still walk away “just for a minute” and leave their computers open to any hacker in the building. (And if you think you have complete control of the physical facility, you’re kidding yourself.)

Rather than more fruitless policing by one or two committed security geeks, release the goons! Let employees prank each other when someone is careless enough to leave a computer unlocked. Drafting and even sending emails from the unsecured computer is an old trick but must be done with caution – it’s supposed to be a prank, not a career-ending fraud. Better are more personal pranks like changing a Browns fan’s wallpaper to a Steelers logo, changing the autocorrect in MS Word or, my new favorite, flipping the monitor. A harmless prank or three might finally get people to lock those screens.

A few thoughts, though. Make sure that the pranks are harmless. You want to apply judicious social pressure in support of the corporate policy. Workplace bullying is nothing to trifle with. Don’t let it go too far. Second, be very sure that tactic is a good fit for the culture of the team. Tight-knit, high-functioning workgroups have more tolerance for social controls than newly formed or distrustful groups. Finally, be very cautious before “pranking” a subordinate. Behavior that’s completely acceptable with a peer could land the manager in a lawsuit.

Hope you enjoy the article as much as I did.

• This sounds obvious but it’s surprising how many people forget it. Lock all your doors and windows before you go. Don’t forget the ones in your garage and basement.
• Have a neighbor collect your newspaper and mail daily. Failing that, have the deliveries stopped. Piles of newspapers are a dead-giveaway that you’re not home.
• Do not stop your snowplow service. A lack of footprints in snow that’s several days old is another giveaway. If you don’t have a service, ask a neighbor to shovel your walk for you.
• Ask a neighbor to check on your home a couple of times while you’re away. Make it obvious that the house is watched.
• Put some timers on a few interior and exterior lights and a radio to make the house appear occupied.
• And most importantly, do not post your travel plans on Twitter or Facebook.

Have a great holiday.

• Don’t leave outgoing mail in an unsecured mailbox – especially checks (which have your bank number and signature on them). Take the extra time to detour to the post office drop box.
• Or even better, pay your bills online through your bank’s secure website.
• Sign up for direct deposit and for electronic deposit of as many incoming checks as you can. Don’t advertise when you’ve got a check coming. An insurance company I know recently had a check forgery case based on a single claim check stolen from the victim’s mailbox.
• Keep your eyes open for changes in patterns. If you haven’t received a bill on time, one possibility is that an ID thief changed the address and is using your account to establish his/her false identity.
• If you’re expecting a package, track it’s progress on the carrier’s website. Make sure that it doesn’t sit unattended any longer than necessary.
• Think about signing up for electronic statements instead of getting them through the mail. It’s cheaper the company (and ultimately for the consumer), it reduces the volume of paper to manage and, as long as your computer security is good, it can be as safe or slightly safer than paper statements.
• If you’re going out of town, put a hold on your mail.
• If you live in a high-crime area, consider a post office box.

• Walk around your office some night and see how many people keep their passwords on sticky notes right on the computer monitor. Keeping track of passwords is hard. But writing them down and leaving them out for every casual visitor or after-hours maintenance person to see is inexcusable.
• While you’re walking around, see how many people left sensitive documents on their desks. Make sure that sensitive documents, especially including anything with an SSN or Drivers License Number on it, is put away at night. If you absolutely can’t implement a clean desk policy in your office, at least flip over the top page in the stack to reduce the temptation to snoop.
  If you allow the use of thumbdrives in your environment, make sure you watch for them, too. Thumbdrives are high risk devices – very easy to steal.
• Make sure people keep their access cards with them at all times. Access cards are your credentials. If they fall into the wrong hands, the bad guy effectively is you. He/she can do anything you can do and you will get the blame. Access cards should be protected as carefully as the data they protect. (And, by the way, neither under your keyboard or in the top right drawer of your desk is a safe place to keep them. Thieves know to look there.)
• Prevent tailgating and make sure your visitors are escorted. Challenge unknown people – politely but directly. Don’t assume that just because a person is in your area that they have a right to be there.
• Remember the fax and the printer. Countless sensitive documents get overlooked and often forgotten or lost when we send them to the printer. Make sure you have internal control and that documents get picked up immediately.

Laptop computers represent one of most significant information risks for any company because of the sheer volume of confidential information that they can hold. Worse, even if you don’t think you’ve ever saved a confidential document onto your computer, the computer will almost certainly have the access credentials needed to access information that is centrally held. One stolen laptop can put all of your data at risk. In those situations, the state-level breach disclosure laws put the burden on the breached company to show that their information was not compromised. When in doubt, the company must disclose. So unless you know positively what information got stolen, you might have to assume that all of it was and notify everyone in your database. Thousands of notifications, leading to lawsuits, wasted time, panicked customers and, most seriously, a loss of trust with your customers.

For most companies, there are two thin lines that protect your customer information.

One is each individual employee’s practice of protecting the computer itself. The vast majority of laptop thefts are crimes of opportunity so don’t give the criminal the opportunity. Have a policy that requires your staff to keep their laptops locked up at night. If leaving the computer at the office, put it in a desk drawer or cabinet – out of sight, out of mind. Don’t assume that the door lock will be sufficient to keep the thieves out. (See this Times article for an example of how easily a professional thief can impersonate his/her way into a supposedly secured office.) If your staff are taking the computer home, make sure they know to either bring it in with them or lock the computer in the trunk if they have to stop on the way. Never let the computers be left exposed.

The second line of defense is encryption. Scrambling your data can provide protection in case the unthinkable happens. That encryption, however, is no stronger than the key used to unlock it. For many companies, the encryption is based on a password (often the same password used to log onto the computer in the morning). Always pick a strong password. Don’t just pick a word, capitalize the first letter and add some numbers at the end. This is a natural tendency for english-speakers and the hackers know it. They optimize their cracking routines to break passwords in this pattern and will crack them in mere minutes. Use whole sentences instead. Whole sentences are easy to remember but far harder to break.

And never, never, never write down your password and leave it with the device you are trying to protect. That would be like buying a $3000 security door for your home, then leaving the key in the lock. You’d never be that careless at home. Don’t let people be careless at work, either.

If you have a laptop, protect it. Even one loss is too many.

Credit report reminder

For those of us on the "trimester plan" for reviewing our credit reports, it’s time to ask for your free copy of your credit report from the next agency.

I assume that your co-workers are basically good people. If they weren’t, you wouldn’t have hired them in the first place. Does that mean you know everything about them? Or would you be like so many on the news commenting after the fact that he/she “seemed like such a nice person”? It would be a wonderful world if we could trust every person we met. Unfortunately, even good people can fall prey to temptation.

You also need to worry about the people you didn’t hire. If you’re like most small offices, the landlord’s cleaning staff, contractors, visitors and many other outsiders have some degree of access to your space. And you generally have few assurances about who they are, what background checks were run or what supervision they receive.

You have to assume that people you can’t know have access to your space when you’re not around. Most of them are good people. Do what you can to help those honest people stay honest.

• Always turn off your computer at night. Don’t just lock the screen. If your IT team has set it up properly, extra protections will kick in when you shut the computer all the way down.
• If you have a laptop, lock up it in a desk drawer at night. Laptops, PDAs and mobile phones are high-theft devices. Don’t make it easy for the thief.
• If you have enough space, put away your paper files at night. Lock them in a desk drawer or filing cabinet. Even if the cabinet doesn’t lock, it will at least be more obvious when an unauthorized person is snooping though the files. It’s harder to tell when someone is snooping through the papers on top of your desk as they are “cleaning” it.
• If you can’t lock the papers up, at least put a cover sheet or blank page on the top of the pile to protect the confidential information from casual oversight.
• Make sure you collect papers off faxes and printers as soon as possible. Don’t leave them exposed to guests and others walking the halls.
• If you see something suspicious, call for help. If you have an internal security team, make sure everyone in the office knows how to contact them both during and after normal business hours. If your office’s immediate action drill is “call the police”, make sure they know how to do that, too.

Before you leave:

1. Clean out your wallet.
• Use traveler’s checks or credit cards for payment. Leave your checkbook at home.
• Leave your debit card(s) at home. Under federal law, your liability is limited if your credit card is misused. If your debit card is stolen, you could lose all the money in your checking account.
• Take an ATM card that does not have debit card privileges. Your bank should be able to issue you an "ATM only" card.
• Never carry your Social Security card in your wallet.
• Leave any unneeded credit cards and any other unnecessary documents at home.
2. Photocopy your wallet and keep the copy in a safe place. If your wallet is stolen, the copies will tell you who to call to get your cards canceled. Note: If you will be gone for a long time, consider leaving a copy with someone you trust who can help you cancel the cards while you’re still on the road.
3. Stop your newspaper delivery and have the Post Office hold your mail (or ask a trusted neighbor to collect them for you). The bills and account statements in your unlocked mailbox are a goldmine for an identity thief. And the packages and newspapers piling up on your front step are a sure sign to a burglar that you are away.

While on your vacation:

• Don’t leave your wallet, passport or any identifying documents in your hotel room unattended. Use the hotel safe if it’s available.
• Keep your identity document (passport or drivers license) separate from your wallet. Carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.
• Guard your credit card receipts and rental car agreements, especially if they contain your full credit card number or driver’s license number.
• Use ATMs at banks or credit unions and which are in well-lit areas.
• If you are taking your laptop with you, be very careful when using it for on-line banking and other password-protected services, especially if you are connecting to a wireless hotspot.
• Be equally cautious of cyber-cafes and other public-access internet facilities. Anyone could have left a keystroke logger on the machine in order to capture your ID and password.

By the way, there will be no InfoSec Tip next week. Have a safe holiday.

The wording of the question is important. "Can I help you?" gives the person the opportunity to say "no." The word "how" quietly forces the person to state a purpose. If he/she is unable to answer this question easily, that is a tip-off that the person could be up to no good. Be polite and personable but don’t let strangers go unchallenged.

Make sure you teach your team what to do when someone strikes them as suspicious. If the person claims to have forgotten an ID badge, have him/her escorted to your main entrance to be properly signed in. Likewise, if the person claims to be law enforcement, escort him/her to your Security Office so that credentials can be verified. Remember, badges can be faked.

1. Never, never, never carry your Social Security card in your wallet.
2. Photocopy your wallet about once a year. Lay the contents out on a copier (front and back) so you have a record of all the cards and contact numbers.
3. Only carry the cards that you use on a regular basis. Leave the rest in a safe place at home. If you have bills set up to auto-pay by credit card, use a card that you leave home. Otherwise, you’ll have to change all those accounts when the card is cancelled.
4. When your wallet is lost or stolen, immediately call the financial institutions and start canceling the cards that were lost.
5. Call the three credit reporting agencies and put a fraud alert on your account. Consider putting a credit freeze on your account. (A fraud alert is free but must be renewed in 90 days. A credit freeze will typically cost $10 and requires extra effort to have lifted when you want to apply for credit legitimately but it provides somewhat better protection.)
6. If you haven’t reviewed your credit report lately, do it now. Follow the instructions at annualcreditreport.com.

Police advise men to keep the wallet in their front trouser pocket, not a jacket pocket and definitely not a rear pocket. Police advise women to keep their purse with them and to carry it on their strong-hand side (if you’re right-handed, carry it on your right shoulder).

If you’re traveling, keep your identity document (passport or drivers license) separate from your wallet. Carry a photocopy of the first two pages of your passport in a third pocket whenever traveling abroad.

The tailgaters we need to worry about at work are the neatly-dressed people who quietly walk up behind us and expect us to politely hold the door even though they have no right to be in our building. Tailgating is the art of acting like you belong and of using social pressure to convince people to ignore their own rules and policies. Tailgaters practice coming up behind you with just the right balance of professionalism and distractedness so that you believe that they belong. Good tailgaters come prepared with a plausible excuse why you should "be a nice guy" and break the rules – “It’s raining “, “My arms are full”, “I forgot it in my desk last night”, etc. There is no way to identify a scammer just by looking at him or her.

Tailgaters represent a real risk for your organization. Once in the building, they can steal information, compromise systems or worse. If the intruder is a disgruntled claimant, a former employee or a significant other, they could be attempting to get into the building for violent reasons.

Whatever your entry control procedures are, you should have a strict “no tailgating” policy. Do not let staff hold the door for anyone until you are sure that they are authorized to be in the area. If your building uses security badges and someone tries to follow you through a controlled door, demand to see their badge. If they are a visitor, politely escort them to your main entrance and get them properly signed in. (You do have a Visitor’s Log, of course. If not, here’s a template you can use. Visitor Logs are surprisingly effective at deflecting these criminals to other, easier targets.)

You also need to know what your office’s emergency reaction plan is before someone forces their way in. Know who to call and how to report the breach. Don’t put yourself in harm’s way but do not allow the intruder to wander your halls unchallenged.