Tuesday, October 25, 2016

Lock Before You Leap

   Most organizations have some kind of requirement to protect data.  Sometimes it is regulatory: organizations in healthcare, finance or retail, for example, must protect personal data on individuals.  For others, in sales, manufacturing or medical devices, the "secret sauce" is intellectual property such as formulas, proprietary processes or customer lists.

   Whether the critical data concerns people, processes or things, what most organizations have in common is that failing to protect it can mean fines or the inability to do business, and that translates directly into harm to people and organizations.

   There are so many ways to protect information (or to fail at protecting information), some more complicated than others.

   One very simple way that information gets breached, disclosed or otherwise lost is through unattended, unlocked devices.  For example, someone leaves a laptop logged in with the screen unlocked and walks away; anyone else can pick up that laptop and has access to every piece of data on it.  The same is true for desktop workstations.  The computer itself is unlikely to be taken, but if the workstation is unattended and unlocked, anyone passing by can access the data on that machine, leading to potential breaches and regulatory problems.

   Many organizations try to help with inactivity time-outs.  The idea is simple: after a certain period without any mouse or keyboard activity, either the screen locks or the user is logged out.  Either way, a password is required to get back to the data on the computer.
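   As an added illustration, not part of the original post, the following PowerShell shows how a Windows inactivity lock of this kind is enforced and audited, and how a user locks the screen immediately rather than waiting for the timer.  The registry paths and value names are the standard Windows desktop policy settings; the 10-minute timeout is an assumed organizational choice, not something the post specifies.  Run it in the context of the user being configured (the settings live under HKCU), or push the same values through Group Policy.

```powershell
# Added example (not from the original post): enforce an idle screen lock that
# requires a password on resume, then audit the result.  The 600-second timeout
# is an assumed policy value.

$policy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$timeoutSeconds = 600   # assumed: 10 minutes with no keyboard or mouse input

if (-not (Test-Path $policy)) {
    New-Item -Path $policy -Force | Out-Null
}

# Weak state this replaces: ScreenSaveActive=0 (no idle lock at all), or
# ScreenSaverIsSecure=0 (screen blanks, but no password is needed to get back in).
Set-ItemProperty -Path $policy -Name 'ScreenSaveActive'    -Value '1' -Type String
Set-ItemProperty -Path $policy -Name 'ScreenSaverIsSecure' -Value '1' -Type String   # password on resume
Set-ItemProperty -Path $policy -Name 'ScreenSaveTimeOut'   -Value "$timeoutSeconds" -Type String
Set-ItemProperty -Path $policy -Name 'SCRNSAVE.EXE'        -Value 'scrnsave.scr' -Type String  # blank screen saver

# Audit: read the effective settings back and flag a non-compliant machine.
function Test-IdleLockPolicy {
    $p = Get-ItemProperty -Path $policy
    $compliant = ($p.ScreenSaveActive -eq '1') -and
                 ($p.ScreenSaverIsSecure -eq '1') -and
                 ([int]$p.ScreenSaveTimeOut -le $timeoutSeconds)
    [pscustomobject]@{
        Active     = $p.ScreenSaveActive
        Secure     = $p.ScreenSaverIsSecure
        TimeoutSec = $p.ScreenSaveTimeOut
        Compliant  = $compliant
    }
}

Test-IdleLockPolicy

# The control the post actually asks for: lock now, before you leap.
# This is the same action as pressing Win+L.
function Lock-WorkstationNow {
    rundll32.exe user32.dll,LockWorkStation
}
```

   The timeout is the backstop for the case where someone forgets; the last function is the control.  Nothing in the policy above helps during the minutes between walking away and the timer firing.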

   This may seem like a good idea, a good control, but it is not without problems.  Using inactivity as the trigger assumes that if the keyboard and mouse are not being used, the computer is not being used.  That is often not true: someone may be reading the screen, dictating with Dragon or another speech-to-text system, or still sitting at the computer while on the phone.  In each of these cases the computer is attended and the data is safe, yet the timeout fires anyway.

   Worse, if the existence of the timeout is used to justify simply walking away from a logged-in computer, on the theory that the timeout will take care of things, the control is actually undermining security.  Even a very short timeout used this way leaves an unattended, unlocked workstation for some number of minutes, and that is an open path to improper data disclosure.

   The key here, and the key to meeting regulatory requirements, is simply to ensure that there is never an unattended, logged-in workstation.

   There is only one way to do that: everyone must lock or tap out every time they leave the computer.  That applies to desktops, laptops, smartphones or any other device that you log into and that can hold data, and it applies especially to any portable device that can be carried around and lost.  It protects the data and it protects you.

   So, please, don't leave a logged-in computer, laptop or smartphone unattended.  Lock before you leap!
