Cyber Security Awareness Month - Day 17 - What a boss should and should not have access to
On day 17 of our yearly Cyber Security Awareness Month we enter the thorny subject of your boss. Today we'll look at what a boss should, or indeed should not, have access to.
Bosses are interesting people. They don't do what you and I do: they do different things, go to different places, mix with different people (most of them carrying new, shiny technology), and face different day-to-day challenges.
Let's look at those day-to-day challenges, or risks as we call them.
Your boss most likely holds the 'keys to your business'. They know what your company is going to do next, and they hold information that could move your share price, such as the launch date of a new product or the details of a planned takeover. All of that information is valuable. So we all think about the risks to our bosses, but do they think about the risks they walk into every day? Given that most CxO-level bosses are not the most tech-savvy people in the world, how do we educate them to work in an online world where people want that information and are willing to try to take it?
What do you do when your boss wants to go to a country where crossing the border may mean their technology is confiscated, and where the laptop left in their hotel room may be copied, or have spyware loaded onto it so that their e-mails are read, their documents copied, and so on?
When your boss comes to you wanting the latest iShiny technology, how do you show them the risks of using it?
Do you have a special executive group on your web proxy that gives these high-value targets broader access than the people in the offices they control? If you do, should you? An exception like that puts the least filtering in front of the accounts an attacker most wants.
If you can pass on some tips on how to educate CxO-level executives about the risks they face, and how that affects the services and IT resources they should have access to, I'll add them to the bottom of the diary during today and into next week.
Steve Hall
ISC Handler
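To make the web-proxy question concrete, the snippet below is an added illustration in Squid's ACL syntax; it is not configuration from the diary or from any reader. It assumes a proxy that already authenticates users, an assumed file of executive usernames at /etc/squid/execs.txt, assumed block lists under /etc/squid/, and made-up destination names under the reserved .test domain. The first rule set is the blanket bypass the diary asks about; the second keeps executives under the same malware and category blocks as everyone else and grants only the named extra destinations, so the exception is explicit, small, and visible in the access log. Use one rule set or the other, never both.

```squid
# ACL definitions shared by both variants.
# Assumed files: one entry per line.
acl execs               proxy_auth "/etc/squid/execs.txt"
acl authed              proxy_auth REQUIRED
acl blocked_malware     dstdomain  "/etc/squid/malware-domains.txt"
acl blocked_categories  dstdomain  "/etc/squid/blocked-categories.txt"
# Assumed names for the few services the executives genuinely need.
acl exec_extras         dstdomain  .investor-portal.test .board-pack.test

# --- Variant A (weak): a blanket bypass for the executive group ---
# Squid evaluates http_access top-down and stops at the first match, so
# executives never reach the deny lines below: the highest-value accounts
# become the least filtered ones.
http_access allow execs
http_access deny  blocked_malware
http_access deny  blocked_categories
http_access allow authed
http_access deny  all

# --- Variant B (better): same protections, a narrow named exception ---
# Known-bad hosts are denied first for everyone, executives included.
# The exception is exactly the listed destinations and nothing else,
# and every request still lands in access.log under the user's name.
http_access deny  blocked_malware
http_access allow execs exec_extras
http_access deny  blocked_categories
http_access allow authed
http_access deny  all
```

The point of Variant B is that the exception is a short, reviewable list tied to a username, so when an executive changes role or leaves, the extra access is easy to find and remove; a blanket `allow execs` line is the kind of rule that outlives the reason it was added.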
Comments
Then I start talking about a story about an old friend who, on a Friday afternoon, deleted a seemingly unimportant temporary DFS share, which caused a cascade fault, killing access for millions of customers to dozens of websites, until the entire team, working around the clock with IBM's best, got them back.
Oh, and the story of how changing a number, from 8 to 9, caused another cascade fault, resulting in loss of internet for millions of customers for hours, and hundreds of thousands for days.
Then "It's just a formality, but can you email me authorisation to breach company policy and give untrained staff access to the system? Thanks."
...then tends to work a treat. :-)
Dom De Vitto
Oct 17th 2010
My version of that story always starts with, "Once, when I was on holiday..."
Thanks for the smile, and the comment.
Steve
Stephen
Oct 17th 2010
My laptop runs Linux, and boots using 2-factor identification: a USB boot key and a long secret passphrase. If I do any web browsing other than to my own servers, or a small group of selected and trusted servers, it is done from within the walled garden of a disposable virtual machine with minimal software loaded into it.
When at the home office, backups are made every night automatically as long as my laptop is connected to the corporate network. The backup RAID array is AES-256 encrypted, and regularly a drive is pulled and taken to an off-site secure site where it is stored.
When I am on the road, backups are made to a removable drive, also using AES-256 encryption.
What else should I be doing?
Moriah
Oct 17th 2010
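Moriah's on-the-road backups to an AES-256 encrypted removable drive are a good habit; the one thing that setup does not show is a restore test, and an encrypted backup that has never been decrypted is a hope, not a backup. The script below is an added example, not Moriah's tooling or anything from the diary. It assumes POSIX sh, tar, diff and OpenSSL 1.1.1 or later, takes its passphrase from a file rather than the command line, and after writing the archive immediately decrypts it into a scratch directory and compares it with the source. The directory names, iteration count and sample files are assumptions.

```shell
#!/bin/sh
# Added example (not Moriah's own setup): AES-256 encrypted backup of a
# directory to a removable drive, followed by a restore test that proves the
# archive is readable before the laptop and the drive part company.
# Assumes POSIX sh, tar, diff and OpenSSL >= 1.1.1 ("openssl enc -pbkdf2").
set -eu

# Passphrase-stretching rounds. 200000 is an assumed value chosen to be
# noticeably slow for an attacker guessing passphrases; raise it if affordable.
KDF_ITER=200000

# make_backup SRC_DIR OUT_FILE PASS_FILE
# Streams a tar of SRC_DIR through AES-256-CBC with a PBKDF2-derived key.
# The passphrase is read from PASS_FILE so it never shows up in the process
# list the way "-pass pass:..." would.
make_backup() {
    src_dir=$1 out_file=$2 pass_file=$3
    tar -C "$src_dir" -cf - . |
        openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$KDF_ITER" \
            -pass "file:$pass_file" -out "$out_file"
}

# verify_backup SRC_DIR ENC_FILE PASS_FILE
# Decrypts ENC_FILE into a scratch directory and compares it with SRC_DIR.
# Returns 0 only if decryption succeeds, the tar unpacks, and every file
# matches. "openssl enc" adds no authentication tag, so a corrupted or
# wrongly keyed archive is only caught here, by actually restoring it.
verify_backup() {
    src_dir=$1 enc_file=$2 pass_file=$3
    scratch=$(mktemp -d)
    rc=0
    if openssl enc -d -aes-256-cbc -pbkdf2 -iter "$KDF_ITER" \
            -pass "file:$pass_file" -in "$enc_file" \
            -out "$scratch/plain.tar" 2>/dev/null; then
        mkdir "$scratch/restore"
        if ! tar -C "$scratch/restore" -xf "$scratch/plain.tar" 2>/dev/null ||
           ! diff -r "$src_dir" "$scratch/restore" >/dev/null; then
            rc=1
        fi
    else
        rc=1
    fi
    rm -rf "$scratch"
    return "$rc"
}

# Stand-alone use (assumed paths):
#   sh backup.sh ~/work /media/removable/work.tar.enc ~/.backup-passphrase
if [ "$#" -eq 3 ]; then
    make_backup "$1" "$2" "$3"
    if verify_backup "$1" "$2" "$3"; then
        echo "backup written and restore-tested: $2"
    else
        echo "restore test FAILED for $2; do not trust this backup" >&2
        exit 1
    fi
fi
```

Two caveats worth keeping in mind: this protects the copy on the removable drive, not the working data on the laptop, so it complements rather than replaces full-disk encryption; and because CBC mode carries no integrity check, the restore test is the only thing standing between a silently corrupted archive and the day it is needed.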
The best way to deal with this situation is simply to advise. Advise the boss in question that whilst their actions are theirs to choose, there may be consequences due to a number of risks. Advise the boss what the risks are, what the likelihood of those risks coming to fruition is, and what the impact might be on the organisation. But always reinforce that you understand it is their decision as to whether they think the risk is worth it or not.
If there are things you can suggest, very minor behavioral changes or technology solutions, that can allow them to do what they want and address the risks, then make those suggestions. But again recognize and accept that it is up to the boss to decide, not you.
If you try and present yourself as knowing what is best for the company, even if you do, you will get ignored. Bosses are used to being in charge and do not respond well to relative juniors (relative to their company position) telling them what to do.
Ben
Oct 18th 2010
BillR
Oct 18th 2010
Pascal
Oct 18th 2010
Chrgeo
Oct 18th 2010