Talking with Telus About Security

Last week, Telus invited me to to an information security talk at Reasearch House, one of North America’s largest data-collection facitilities.

I said yes, without fully understanding what I was walking into; check this out:

Sooo, basically I sit in this comfortable chair, on the good side of one-way-glass, and straight-up get to stare and people-watch, while they talk about my favourite topic?  Yesssss.

These are senior-level Security and IT decision makers, from 6 large Canadian organizations, that I know you know.

Security is a difficult discussion for companies to have publicly, because when you point out your vulnerabilities, it opens the door to potential attacks.

That’s why I’ve blurred out their names and faces (learn how to edit a photo you’re posting online here)

These are the kind of guys who protect the company’s information, and yours.  They’re not a help desk, and every phone call they receive is a, “it’s the end of the world” call. Maybe bring them doughnuts sometimes.

Today’s topic was BYOD – Bring Your Own Device.  

Example: your personal cel phone, (not supplied by your employer),
is allowed to send and receive corporate email,
and connect to the corporate network

AKA: Bring Your Own Disaster

EMPLOYEES

BYOD is a bigger deal than you may realize.  Thousands of devices, that are probably less-than-secure, connecting to the corporate network and WiFi.  That’s now at least 3 more operating systems to accommodate, manage, and secure. Even worse, now confidential company information is walking around in someone’s pocket, going to the bar, you have a lock on your phone, right.

Mobiles are not immune to malware and virus’.  One click on something stupid in social media land, and the virus comes in through your phone, out to the company network, and off it goes spreading bad news.

(One day, you’ll connect through a VPN. We’ll get into VPNs here soon)

EMPLOYERS

Maybe re-visit your employee-exit policies and procedures.  I feel this might be a hole that needs plugging.

Even if you are parting on friendly terms, you still must immediately address the large amount of sensitive information on their personal device(s), and what those devices have access to.

I talked about this in my Autonet.ca article, “Toyota Secure Website Hacked”:

“If he was fired Thursday, and he used his passwords to enter the site at midnight, that would make it seven hours during which his credentials weren’t changed. That is not best practice for employee termination; account access should be immediately disabled upon notification of termination.”

And to terminated employees: don’t be offended when they do this, it’s best. You don’t want the responsibility of owning that information, especially on a mobile device.

If you take only one thing from this post:

Much of your company’s security comes down to you, the end user / employee / weakest link.  I know practicing good security can be annoying and slow things down, but there’s more resting on your shoulders than you may realize.

And thanks for having me Telus, this was so neat.

 

DefCon 19 Interview Series – Johnny Long

Johnny Long is the founder of Hackers for Charity, author, speaker, an early pioneer in the field of Google hacking, one of the world’s best Social Engineers, and likely does more good than you.

Did you know you can hack things using Google searches? Neat eh. We’ll get into that.

Johnny on Twitter

Hackers for Charity

DefCon 19 Interview Series – Dave Kennedy

Dave Kennedy is CEO of TrustedSec, a former CSO for a Fortune 100 company, founder of DerbyCon, author of ‘Metasploit: A Penetration Testers Guide’, creator of ‘The Social Engineer Toolkit’, and excellent hugger.

Dave on Twitter

DerbyCon

 

DefCon 19 Interview Series – Mikko Hypponen

Mikko Hypponen is the CRO of F-Secure, Wired columnist, speaker, and selected as one of the 50 most important people on the web by the PC World magazine.

Mikko on Twitter

Mikko’s site

(sorry again about the camera issue, Mikko!)