I want to share a few situations in which I ran into a small business that had exposed itself to possible information theft and to having its IT assets stolen.
Scenario 1: A few months ago I went into a computer shop with a peer who is also in the IT security field, and we noticed that a USB drive was connected to a computer facing the public. After interviewing the clerk and asking her what that USB drive was used for, she explained that it held customer information and administrative documents. I have been to that computer shop on many occasions and know for a fact that it would have been extremely easy to remove the USB drive and walk out the door. I asked the clerk to remove the USB drive and keep it stored in a safe place. She replied that it was fine where it was. The clerk was not too happy that I had found a flaw, or probably did not understand my free advice, and her attitude quickly turned negative. I took no further action, left the location and decided not to return.
Scenario 2: I had to get an X-ray of my foot and went to a radiologist. I took my laptop for the wait, to keep myself up to date on emails and other tasks that I needed to complete for the project I was about to start. As I sat down in the radiologist's waiting room, I realized that their Wi-Fi network was unsecured. I got a bit curious and attempted to log in to their router, which I found was also using the default password for that brand. I spoke to the manager and owner of the office and let her know that her network was open. She replied that she did not have the time to set up a password, or the knowledge to do so. I explained the possible consequences, but she was in such a hurry that she might not have listened to half of what I said. Since I needed my X-rays quickly before I left on my trip, I told her that I could take care of securing her router at no charge, and she finally agreed. A few minutes later I was waiting to assist her in securing her network when the admin replied that it was going to be too much of a burden for her to walk me over to where the router was located. They were going to have someone come in and do it at another time. I was amazed at her reply, and once again my free advice had been rejected.
These two scenarios are good examples of how a lack of awareness among staff and management can cause future problems whose cost, both monetary and reputational, can be extraordinary. In the first scenario, the store caters to IT-oriented customers. How would they feel if they knew their personal information was within arm's reach of any would-be identity thief? In the second scenario, an open network and a router with the manufacturer's default password mean that anyone in the waiting room has the same access to the office network that the staff do; I am confident that if I had kept browsing I would have found critical patient information.
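The open network in the second scenario is the kind of finding a small business can check for itself in a minute with a laptop. The following is an added example, not code from the original post: it reads the terse output of `nmcli -t -f SSID,SECURITY dev wifi` (real nmcli syntax; in terse mode the fields are colon-separated and an open network has an empty SECURITY field) and rates each network as open, deprecated (WEP or WPA1-only) or acceptable. The scan listing embedded below is constructed for the example, and the SSIDs in it are invented. A default-password check like the one in the story needs a live router and is deliberately not part of this offline example.

```python
"""Added example: rate Wi-Fi networks from an nmcli scan listing.

Not from the original post. Parses the terse output of
    nmcli -t -f SSID,SECURITY dev wifi
and flags networks that are open or use deprecated encryption.
"""
from dataclasses import dataclass

# Constructed sample of `nmcli -t -f SSID,SECURITY dev wifi` output.
# SSIDs are invented; an open network shows an empty SECURITY field.
SAMPLE_SCAN = """\
RadiologyOffice:
FrontDesk:WEP
GuestNet:WPA1
Clinic-Admin:WPA2
Clinic-Admin-6:WPA2 WPA3
"""


@dataclass
class Finding:
    ssid: str
    security: str
    severity: str  # "HIGH", "MEDIUM" or "OK"
    note: str


def classify(security: str) -> tuple[str, str]:
    """Map an nmcli SECURITY field to a severity and a short explanation."""
    sec = security.strip()
    if sec in ("", "--"):  # "" in terse mode, "--" in the tabular view
        return "HIGH", "open network: anyone in range can join and sniff traffic"
    protos = set(sec.split())
    if "WEP" in protos:
        return "HIGH", "WEP is broken; keys can be recovered in minutes"
    if "WPA1" in protos and not protos & {"WPA2", "WPA3"}:
        return "MEDIUM", "WPA1/TKIP only; upgrade to WPA2-AES or WPA3"
    return "OK", "WPA2 or WPA3 in use"


def audit_scan(terse_output: str) -> list[Finding]:
    """Parse terse nmcli output and return one Finding per network line."""
    findings = []
    for line in terse_output.splitlines():
        if not line.strip():
            continue
        # nmcli escapes ':' inside an SSID as '\:' in terse mode, so split
        # on the last colon and unescape the SSID part.
        ssid, sep, security = line.rpartition(":")
        if not sep:  # no separator at all: treat the whole line as the SSID
            ssid, security = line, ""
        ssid = ssid.replace("\\:", ":")
        severity, note = classify(security)
        findings.append(Finding(ssid, security.strip(), severity, note))
    return findings


def weak_networks(terse_output: str) -> list[str]:
    """SSIDs that need attention (anything not rated OK), in scan order."""
    return [f.ssid for f in audit_scan(terse_output) if f.severity != "OK"]


if __name__ == "__main__":
    for f in audit_scan(SAMPLE_SCAN):
        print(f"{f.severity:6} {f.ssid:18} {f.security or '(open)':10} {f.note}")
```

On a real machine, pipe the live scan in with `nmcli -t -f SSID,SECURITY dev wifi | python3 wifi_audit.py` after replacing `SAMPLE_SCAN` with `sys.stdin.read()`; anything rated HIGH is the equivalent of the radiologist's open network and should be fixed before worrying about anything else on the list.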
My recommendation is for a small business to conduct a security assessment at a scale that is cost-effective and reasonable for mitigating its information security risks. The easiest starting point for a small business owner is a seven-week plan to make the business healthier. I read an article with that title, "The Seven-Week Get Healthy Plan for Small Business", by one of my fellow ISSA members, Greg Playle. I am going to summarize his plan week by week; if you need more detail, please feel free to email me or download the complete article written by Greg Playle.
- Week 1: Secure the Physical
- Week 2: The Paperwork Begins
- Week 3: Wireless security
- Week 4: Safety first