
Misuse of systems is becoming a major problem for many organisations. A large part of the problem stems from the difficulty of clearly defining what misuse is. Many actions carried out on company computers, such as using them for personal tasks, visiting prohibited websites, or downloading and installing cracked software, can have serious consequences for the organisation.
Beyond the situations that could expose an organisation to cyber attacks, purely personal use also creates grey areas in user policies, such as an employee looking up information about a car during their lunch break.
In general, user policies spell out how employees of an organisation may and may not use its systems. For a policy to be effective, it must be defined clearly and specifically. Grey areas in between create unmanageable situations for both employees and organisations.
Every organisation must have specific policies that are applied consistently across the organisation. Returning to the previous example, a blanket statement such as "computers and internet access are for business purposes only" is problematic. Suppose one employee takes a few minutes to check their personal email on a company computer; you decide this is acceptable and do not enforce the policy. Later, another employee spends two or three hours a day surfing the internet and you dismiss them for violating company policy. Because the same policy was enforced selectively, this is also wrong in the eyes of the law, and the dismissed employee could take legal action against you. And even where you do allow personal use of company equipment during free time, an employee who downloads and runs ransomware that arrived in their personal email can cause significant financial losses.
Other areas of potential misuse covered by user policies include password sharing, copying data, and employees leaving their sessions unlocked when they go to lunch. All of these directly affect the security of your network and must be stated clearly in your user policies.
Keeping passwords secure is critically important, and appropriate password rules are part of operating system hardening. In the past, a good password was defined as one that is six to eight characters long, contains numbers and special characters, and has no relation to the end user.
For example, a user who chooses a password such as "iloveyou" or "monsters" should be advised to use something like "K%t1fPe987" instead: it does not reflect the person's preferences and cannot easily be guessed. A password like "iloveyou", on the other hand, is always an easy win for an attacker.
Minimum password length, password history and password complexity fall under management policies rather than user policies. Those complexity requirements are still good recommendations, but today a minimum of 12 characters or longer should be considered.
User policies determine how the end user should behave.
If a user cannot remember their password and writes it on a Post-it note stuck to their monitor, it is not secure at all, however long or complex it may be. This may seem obvious, but walking into an office and finding a password on a monitor or in the top desk drawer is not at all uncommon. Every visitor, maintenance worker, or anyone else passing through the office can obtain that password.
Password sharing is also common. For example, an employee going out of town gives their password to the colleague at the next desk so that the colleague can log in, check emails, and so on. Now two people know the password, and the risk grows further if it is passed on to a third. A password known to that many people offers no security at all.
Minimum password length, password age, and password history are management policies that system administrators can enforce technically. But if users do not handle their passwords securely, all of these technical measures become meaningless. That is precisely why user policies are necessary.
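The management controls named above (minimum length, complexity, history and age) and the user-side failures the article warns about (guessable "iloveyou"-style passwords, passwords built from personal details) can be checked in code. The following password-policy checker is an added example written for this article, not code from Privia Security. The 12-character minimum follows the text; the history depth of 5, the 90-day maximum age, the small common-password list, the sample user "jdoe" and the test passwords are assumptions made for the example.

```python
"""Password-policy checker (example code, not from the original article).

Enforces the management controls the article names (minimum length, complexity,
history, age) and rejects the two user-side failures it warns about: passwords
derived from common words such as "iloveyou" and passwords built from the
user's own name or birth year."""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Policy values assumed for this example. The 12-character floor follows the
# article; the other numbers are illustrative choices, not taken from the page.
MIN_LENGTH = 12
MIN_CLASSES = 3       # distinct classes required out of: lower, upper, digit, punctuation
HISTORY_DEPTH = 5     # previous passwords that may not be reused
MAX_AGE_DAYS = 90
PBKDF2_ROUNDS = 100_000

# Constructed denylist; a real deployment loads a full breached-password list.
COMMON_PASSWORDS = {"iloveyou", "monsters", "password", "123456", "qwerty", "letmein"}

# Leetspeak substitutions undone before the denylist check, so "Il0v3y0u!" is still caught.
_LEET = str.maketrans("0134@$!", "oleaasi")


def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _normalise(pw):
    """Lower-case, undo leet substitutions, drop everything that is not a letter."""
    return "".join(c for c in pw.lower().translate(_LEET) if c in string.ascii_lowercase)


def _char_classes(pw):
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


class UserRecord:
    """Constructed user record: stores only salted hashes of past passwords, never plaintext."""

    def __init__(self, username, first_name, last_name, birth_year):
        self.username = username
        self.personal_terms = {username, first_name, last_name, str(birth_year)}
        self.history = []        # list of (salt, hash), oldest first
        self.last_changed = None

    def set_password(self, pw, today):
        salt = os.urandom(16)
        self.history.append((salt, _hash(pw, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only the last N entries
        self.last_changed = today


def check_password(candidate, user):
    """Return the list of policy violations for candidate; an empty list means accepted."""
    problems = []
    lowered, norm = candidate.lower(), _normalise(candidate)

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _char_classes(candidate) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if any(common in norm for common in COMMON_PASSWORDS):
        problems.append("based on a common password")
    if any(t.lower() in lowered or t.lower() in norm
           for t in user.personal_terms if len(t) >= 3):
        problems.append("contains the user's name, username or birth year")
    # History rule: compare against every stored hash in constant time; a match means reuse.
    if any(hmac.compare_digest(_hash(candidate, salt), h) for salt, h in user.history):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(user, today):
    """Password-age rule: True when the password must be changed."""
    if user.last_changed is None:
        return True
    return today - user.last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    jdoe = UserRecord("jdoe", "John", "Doe", 1987)   # constructed sample user
    for pw in ["iloveyou", "K%t1fPe987", "Il0v3y0u!2024",
               "JohnDoe#Secure2024", "Correct#Horse42Battery"]:
        print(f"{pw!r}: {check_password(pw, jdoe) or 'accepted'}")
```

Note that the article's own suggested password "K%t1fPe987" is rejected by this checker for length alone, which is exactly the point of the 12-character recommendation: a complex 10-character password no longer clears the bar. The denylist check runs on a normalised form of the candidate, so the usual "Il0v3y0u!" disguise of "iloveyou" is caught as well.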