by Dave Moore, CISSP
05/28/2023
It is no longer OK to not understand how the Internet works. The lame Internet practices Uncle Harry was able to get away with 20 years ago (weak, 8-character passwords, clicking on anything that pops up, etc.) simply won’t cut it anymore.
In the business world, fixing Uncle Harry begins with an employee risk assessment, the process of gathering and understanding information about an employee to determine if they are worth keeping on.
Is Harry’s behavior good for the company, or bad for the company? Is his behavior risky and dangerous, or responsible and safe? Does his behavior make him an asset or liability? Can his behavior be fixed, and at what cost? Many questions need to be asked, with the answers leading to the ultimate question: should Harry be kept on, or should he be fired?
Most business-oriented cyber-risk questions will have corresponding questions that apply to a home situation, especially in today’s post-pandemic world. Homes have turned into business, education and entertainment hubs, with employees, students, customers and companies all operating under the same roof, sharing the same connections, networks, printers, resources, risks and safety hazards. All of these overlapping and competing interests can cause huge problems if not handled correctly.
Tough questions need to be asked, and answered transparently. This can be difficult, in that people expose themselves to being called out and potentially embarrassed by their ignorance in certain areas. Nobody wants to look “stupid,” so questions, answers and conclusions need to be handled in non-threatening ways that lead to openness, honesty and solid solutions.
This is easier to achieve if people understand that safety and security are everyone’s responsibility, and not just that of a designated security expert, in the same way you can’t expect the guy at the tire store to be responsible for your car’s tires always being aired up.
Cyber-risk assessments often begin with defining what it is you are trying to accomplish. What is it you expect your technology to provide? Sales? A website? Connectivity to your workplace via remote networking and/or Zoom/Skype meetings? Home automation? Security? Education and schoolwork for students? Research? Last, and certainly not least, entertainment? Now is the time to define your mission statement.
Next, it’s time to take inventory. What Internet-connected devices do you have, where are they located, when were they purchased, and how are they serviced and supported? Do you have IT, network and security people on staff, or do you need third-party help? For example, I am a one-man IT department for many small businesses and families. How do you handle service and support?
Be sure to include everything, using a separate sheet of paper for every device: desktop computers, laptops, Android and iPad tablets, Chromebooks, Android and Apple phones, gaming consoles, printers, healthcare devices, etc. Include modems, routers, switches, mobile hotspots, security systems, cameras, “smart” TVs, and streaming devices like Roku, Fire TV sticks, and the like.
Don’t forget those ridiculous Internet of Things (IoT) devices like Alexa, Siri, Google Assistant, toys, automobiles, industrial control systems, smart farming tractors and combines, door locks, home theater receivers, sprinkler systems, “smart city” traffic signals and management systems, doorbells, fish ponds, garage door openers, wrist watches, electrical outlets, refrigerators, thermostats, fitness trackers, stoves and light bulbs.
Now that you know what you have, it’s time for the who and why. Who has access to your Internet-connected devices, and why are they allowed access? Are there restrictions, such as time-limits for employees or children? Are certain devices off-limits to certain people? What purposes are served by the devices, and how do they contribute to your overall plan? Who decides these things, and how are those decisions enforced?
Next week, we’ll look at my favorite parts of the overall picture: safety and security awareness, education and training.
Dave Moore, CISSP, has been fixing computers in Oklahoma since 1984. Founder of the non-profit Internet Safety Group Ltd, he also teaches Internet safety community training workshops. He can be reached at 405-919-9901 or www.internetsafetygroup.org