Are you staying safe? Security tips for the workplace

Thu, 03/09/2017 - 13:12 -- Redpill Linpro
Security at the workplace has dimensions beyond personal security. If something happens at work, it is not only your own computer that starts acting strangely: you may have infected the whole office just because you clicked that innocent-looking link to a cute kitten web site. That said, workplace information security is not only about using your computer safely. It also covers topics like when and where (not) to discuss customer cases; identifying strangers in the office area; shredding confidential documents; and deciding how to protect information that has been entrusted to you.

Maintain business confidentiality

All employees have a contractual obligation to maintain business confidentiality.

  • Make sure you know what kinds of information should be considered confidential. If you're not sure, treat it as confidential and/or consult your team leader.

  • Request training from your team leader if you're not sure how to handle confidential information.

  • Using cloud services for information exchange/storage might be a breach of business confidentiality.

  • Think twice before discussing business or customer information over the phone in a public place. You never know who might find the information useful.

Make sure you identify the caller

If someone calls you, claiming to be a customer and asking for something, make sure the person is who (s)he says (s)he is. Before you know it, you may have unknowingly given away customer information or even shut down a customer system without proper approval. Checking the caller's number helps; getting confirmation in writing is even better.

Who's lurking in the corridors?

While visitors are often welcome in most offices, people should not be left wandering around on their own. Visiting customers and business partners will appreciate being escorted around, and they will appreciate even more that employees keep strangers from snooping around in the office areas, possibly picking up confidential information.

If you meet someone in the offices whom you don't know, or who you suspect shouldn't be there, a practical approach is to introduce yourself while casually looking for the other person's access card.

Remember your professional confidentiality

A lot of companies are successful because they have an advantage in their area of business. This often means knowing something their competitors don't know or doing something in a better way than their competitors do it.

All employees have a duty of professional confidentiality not to divulge customer information, deliberately or by accident. Information that could be classified as "business confidential" might include what kind of software they're using, who develops it, key personnel, IT strategies, and, last but not least, upcoming projects and events. You should never discuss customer matters in public places - what you disclose may seem unimportant to you, but it could be useful information for a competitor.

Our customers trust us to keep their information safe. These are four tips for maintaining a professional level of confidentiality:

  • Make sure you know what kind(s) of business/customer related information is considered confidential. Discuss this with your team and/or the customer if in doubt. If you don't know, don't say anything about it.

  • Different kinds of information will require different procedures and approaches. If you are unsure how to handle certain information items, ask your team leader and/or BAM.

  • If storing data with a cloud provider (other than RL, of course), be conscious of what you're storing there. Given the recent NSA disclosures, cloud storage may very well be equivalent to giving away classified information for free.

  • You never know who might be listening when you're discussing customer or business matters. This applies to regular conversations, e.g. in the lunch room, as well as when talking on the phone.

Stay informed on workplace safety

Ever suffered a paper cut and didn't know where to find a band aid? In case of incidents and accidents, everyone in the workplace should know where the first aid kit and other emergency equipment may be found. Also familiarize yourself with fire exits and meeting points. Keep in mind that this also (perhaps particularly) applies to consultants on customers' sites!

Install a local firewall - especially if you visit clients

A local firewall is a nice extra layer of protection, particularly useful for those of you bringing your laptop to customers, seminars etc. Even though most recent laptop/desktop distributions come with almost no network services enabled, some of those services are still difficult to restrain. Remember that small web server you installed, just temporarily, to show something to a customer? It's still running :-) A nice safety net is to install a local firewall, and for Debian/Ubuntu based distros the default installation of Uncomplicated FireWall (UFW) makes a nice firewall ruleset out of the box. For Fedora users, Firestarter is a user-friendly yet powerful alternative.
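
Before trusting the firewall ruleset, it helps to know what the laptop is actually listening on, so the allow-list reflects what should be reachable and the forgotten demo web server shows up. The script below is an added example, not part of the original post or Redpill Linpro's tooling: it parses `ss -tlnp` output (a constructed sample is embedded; the `--live` option runs `ss` on the current host, assumed to be Linux with iproute2) and reports listeners bound to non-loopback addresses that are not on the allow-list. The allow-list of port 22 only is an assumption for the example.

```python
"""Audit which TCP ports a laptop exposes before trusting a host firewall.

Added example (not from the original post): parses `ss -tlnp` output and
flags listeners bound to non-loopback addresses that are not on an explicit
allow-list, such as a demo web server that was never stopped.
"""
import re
import subprocess
import sys
from dataclasses import dataclass

# Constructed sample in the column layout of `ss -tlnp`; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=640,fd=7))
LISTEN  0       5       0.0.0.0:8000         0.0.0.0:*          users:(("python3",pid=23411,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511     [::1]:5432           [::]:*             users:(("postgres",pid=901,fd=5))
"""

# Ports this host is meant to expose (assumption for the example: SSH only).
ALLOWED_PORTS = {22}

# Matches the process column, e.g. users:(("sshd",pid=812,fd=3))
PROCESS_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str
    pid: int


def parse_ss_listeners(ss_output):
    """Return one Listener per LISTEN row; the header and other rows are skipped."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition splits on the last colon, so IPv6 addresses like [::1]:5432 survive
        address, _, port = fields[3].rpartition(":")
        match = PROCESS_RE.search(line)  # absent when ss cannot see the owning process
        name, pid = (match.group("name"), int(match.group("pid"))) if match else ("?", 0)
        listeners.append(Listener(address.strip("[]"), int(port), name, pid))
    return listeners


def is_loopback(address):
    return address == "::1" or address.startswith("127.")


def exposed_listeners(ss_output):
    """Listeners reachable from the network (wildcard or non-loopback binds)."""
    return [sock for sock in parse_ss_listeners(ss_output) if not is_loopback(sock.address)]


def unexpected_listeners(ss_output, allowed_ports=ALLOWED_PORTS):
    """Exposed listeners whose port is not on the allow-list."""
    return [sock for sock in exposed_listeners(ss_output) if sock.port not in allowed_ports]


def main(argv):
    if "--live" in argv:  # assumes a Linux host with iproute2 installed
        ss_output = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True, check=True).stdout
    else:
        ss_output = SAMPLE_SS_OUTPUT
    unexpected = unexpected_listeners(ss_output)
    for sock in unexpected:
        print(f"unexpected listener: {sock.address}:{sock.port} ({sock.process}, pid {sock.pid})")
    return 1 if unexpected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

On the sample the only finding is the python3 process on port 8000, which is exactly the "temporary" web server the paragraph describes. On Debian/Ubuntu the resulting allow-list maps directly onto ufw (`sudo ufw default deny incoming`, `sudo ufw default allow outgoing`, `sudo ufw allow 22/tcp`, then `sudo ufw enable`); note that the ufw package ships disabled until `ufw enable` is run, and `sudo ufw status verbose` confirms the active ruleset.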

Don't tell ANYONE your password!

You should never, neither on demand nor voluntarily, give away your password. Not even when someone calls or e-mails you, claiming to be from your helpdesk or mail server provider and requesting your password. Proper systems are configured so that no one but you needs to know your password.

Perform risk assessments

It's considered best practice to perform a risk assessment when embarking upon a new project or planning an operational change. Obviously, smaller tasks will require smaller risk assessments. Without encouraging paranoia, always ask yourself questions like "what might happen if..." and "what would the customer say if...". This applies to any work-related task, such as copying customer code to a USB stick, printing a business plan and bringing it home, firmware upgrades etc.

Don't launch unowned systems and services

When installing or enabling services, applications or systems ("items"), make sure they're properly taken care of. Every such item should have an owner: Systems should have a system owner, applications should have an application owner, etc. The ownership is usually assigned to teams or roles (team leader, head of department, CTO) so it's easy to transfer ownership if someone leaves the company. Every production system should be assigned to a team, specifying technical contacts. Defining these roles is important, for instance if a system is compromised or otherwise affected and there's an urgent need to get in touch with those using it, including the people losing money if it's gone or malfunctioning. We should all make an effort to avoid orphaned systems and services in our production environments.
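
The ownership rules above are easy to state and easy to let slip, so it pays to check the inventory for orphans mechanically. The script below is an added example with constructed data (not Redpill Linpro's inventory or tooling): it treats an item as orphaned when its owner is missing, when the owner is not one of the known teams or roles (an individual's name means ownership walks out the door with them), or when it lists no technical contact to reach in an emergency. The owner names and inventory records are assumptions for the example.

```python
"""Find orphaned systems, applications and services in an inventory.

Added example with constructed data (not Redpill Linpro's inventory or tooling).
An item counts as orphaned when its owner is missing or is not a known team or
role, or when it lists no technical contact to reach in an emergency.
"""
from collections import defaultdict

# Owners are teams or roles, never individuals, so ownership survives staff changes.
KNOWN_OWNERS = {"platform-team", "web-team", "dba-team", "head-of-ops", "cto"}  # constructed

# Constructed inventory records; "contacts" are the technical contacts for the item.
INVENTORY = [
    {"name": "cust-a-webshop", "kind": "system", "owner": "web-team",
     "contacts": ["web-oncall@example.com"]},
    {"name": "legacy-crm-db", "kind": "system", "owner": "jane.doe", "contacts": []},
    {"name": "billing-batch", "kind": "application", "owner": "",
     "contacts": ["batch-ops@example.com"]},
    {"name": "demo-wiki", "kind": "service", "owner": "platform-team", "contacts": []},
]


def ownership_problems(item, known_owners=KNOWN_OWNERS):
    """List what is wrong with one item's ownership; empty list means it is fine."""
    problems = []
    owner = item.get("owner", "").strip()
    if not owner:
        problems.append("no owner assigned")
    elif owner not in known_owners:
        problems.append(f"owner {owner!r} is not a known team or role")
    if not item.get("contacts"):
        problems.append("no technical contact")
    return problems


def orphaned_items(inventory, known_owners=KNOWN_OWNERS):
    """Map item name -> list of problems, for items with at least one problem."""
    report = {}
    for item in inventory:
        problems = ownership_problems(item, known_owners)
        if problems:
            report[item["name"]] = problems
    return report


def coverage_by_kind(inventory, known_owners=KNOWN_OWNERS):
    """Fraction of items per kind (system/application/service) with valid ownership."""
    totals, ok = defaultdict(int), defaultdict(int)
    for item in inventory:
        totals[item["kind"]] += 1
        if not ownership_problems(item, known_owners):
            ok[item["kind"]] += 1
    return {kind: ok[kind] / totals[kind] for kind in totals}


if __name__ == "__main__":
    for name, problems in orphaned_items(INVENTORY).items():
        print(f"{name}: {'; '.join(problems)}")
    for kind, fraction in coverage_by_kind(INVENTORY).items():
        print(f"{kind}: {fraction:.0%} properly owned")
```

Run against the sample, three of the four items are flagged; only the web shop has both a team owner and a contact. A check like this belongs in whatever process creates production items, so an item cannot go live without an owner, rather than as an occasional clean-up.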