A film executive returns to work after being at a tradeshow most of the weekend. On Monday morning, he receives a first-class, signature-required package addressed to him. The letter is from a production company he met with at the tradeshow – it’s on official letterhead and the names are those of the people he met. There’s a USB drive with the production company’s logo on it that supposedly has a few trailers on it for the executive to watch.
If you’re the executive, what do you do?
In real life, this executive plugged the USB drive into his machine. The firmware of the USB stick then automatically installed drivers without him clicking on anything, releasing a virus that led to one of the largest media piracy events in U.S. history. Weeks later, movies that were still in the theatres were now also on the internet, costing the film studio billions of dollars in potential sales.
This is why organizations write and implement acceptable use policies. As with creating strong passwords, knowing how to identify fake email addresses and websites, and how to recognize a phishing email, knowing what devices employees can – and cannot – connect to the network is an important part of security awareness training.
What Is a Corporate Acceptable Use Policy?
A corporate acceptable use policy explains what devices can and cannot access the company network and how they can be used while on the network. While an organization’s IT staff can control internal devices, such as company-issued laptops and mobile phones, they have less control over external devices, like USB drives, personal mobile phones and personal laptops. Writing an acceptable use policy gives the IT department back more of this control and educates employees on how they can best protect the company network.
Acceptable Use Policy Examples
When you begin to write an acceptable use policy, consider which devices are allowed to enter your network and which ones are not. You’ll also want to establish policies about specific devices, such as the following.
As in the example above, USB drives are often used in cyber-attacks. If an employee wants to access files from a USB drive, have them work with the IT department to pretest it on a segmented machine. Then, if it is infected, the virus will be contained and business can continue as usual.
Encourage employees to always throw out free USB drives – especially those received at tradeshows. It’s not worth the risk. If employees want to use USB drives, provide them with safe, company-supplied ones. Having a stash on hand is a good idea because they are cheap, and the peace of mind alone is worth it. This can be a part of your overall security awareness training.
Bring Your Own Device (BYOD)
When a new employee brings their phone, tablet or laptop to work, what is the process? If you don’t have a BYOD policy, you need to start thinking about how you protect your assets.
- What types of devices can employees use on the corporate network?
- Can employees connect their personal devices to the corporate network or Wi-Fi?
- Can guests use the network or Wi-Fi?
- If employees and guests can connect their own devices to the corporate network, are there any restrictions on what they can do on the network?
- Is there a guest network for devices not issued by the company?
The gist of a BYOD policy is that IT should have the ability to quarantine any device regardless of who purchased it. Make sure your employees know that their personal devices can be quarantined and confiscated in case of an incident. They need to sign off on this in their initial onboarding paperwork for legal purposes.
Similar to a BYOD policy, where you are controlling the devices that connect to your network, you’ll also want to provide guidelines around how employees use company-issued devices on other networks.
- Can employees connect company-owned devices to other networks at all?
- What types of networks can company-owned devices be connected to? (For example, a private home network, a private network operated by another company or a public coffee shop network.)
Special Policies and Protocols for Executives and the Finance Department
Remember the example at the beginning of this article? It’s not unique. Finance employees and executives are targeted much more frequently than the other teams on your staff.
Here are a few simple rules and suggestions to employ with your finance and executive teams:
- Acceptable Transfer Platforms and Protocol: Finance and execs should know how your company typically executes a transfer and what the protocol is for doing so. Anything outside of that framework should raise a red flag and be reported to IT.
- Authentication Tokens: You can require your execs and finance team to have a hard token, as famously used by Google, that plugs into their machine of choice to complete two-factor authentication. This means that no one can scrape online for passwords to get through both authentication factors on your systems; they will need a physical security key that plugs into the USB port to access critical systems. As digital as we can get with our security these days, sometimes there’s no substitute for a physical barrier. Compromising these systems would require a coordinated attack in the digital and physical world. It’s not impossible, but remember, threat actors are lazy, and this is not a lazy person’s cyber-attack.
- Executive Triage Training: Executives will have to bear the public relations hit when/if an incident occurs. Is anyone on staff trained on how to deal with this? Do you work with a PR firm, and do you have a plan with them in case of an incident?
Pro Tip for Security Awareness Training
To start, create acceptable use and acceptable transfer policies, or refresh the ones you have to reflect the suggestions in this article. Then, share the policies with employees and train them on how to put them into action. Here are two activities to reinforce that training.
Acceptable Use Policies
- Scatter some free USB drives around the office with a macro-enabled file that will alert you when one is opened.
- All offenders need to be trained on this point specifically. Think it won’t work? The FBI conducted a similar exercise, leaving 10 USB drives in the parking lot. Half of them were plugged in on FBI machines.
Acceptable Transfer Policies
- Role play a few situations with the staff.
- Each quarter, audit transfer requests with finance managers and executive assistants to see if the protocol was followed.