Practicing (Annoying) Better Security

At Redgate Software, we've been looking to "level up" our internal security game. While we have had very good security during the 16 years I've been there, there have been a few security issues with our products. The speed at which we address things, as well as the communications with customers, has impressed me. We've had almost no problems with our internal systems, unlike a few other places I've worked. We haven't had the phishing/virus/breach/ransomware issues that I've seen at other employers or heard about from friends. I do think our IT staff is diligent and careful, as well as forward-thinking. It also helps that we've had a relatively small employee staff that worked in physical offices for most of our existence.

Recently, we've been on a security push to tighten up the way we deal with systems. As we grow our staff, and as we add more offices, there is a recognition that our attack surface area is growing. We also find more and more people using non-Redgate-owned devices. This year we've had a series of policies rolled out that we are supposed to adhere to in order to ensure strong security, as well as compliance with data privacy rules such as the GDPR. One of these is a bring-your-own-device (BYOD) policy.

For years I've used my personal mobile phone for Redgate, with a few settings enabled to allow a remote wipe if I lose it. However, I've also had a personal desktop that I use for daily work in my home office. I've never enabled a lock on this, as my wife occasionally uses it to get a picture or other document, or to send me something I forgot to sync in the cloud. Part of our new policy is that I need to enable a lock on my desktop, as there is privileged Redgate information on there. Not much Redgate data, but the machine does connect to our business OneDrive and SharePoint systems.
This lock should be a 2-minute timeout, which means that I come back to my desktop after coffee, laundry, or something else to find it locked. After years of always locking my desktop in corporate offices, I somehow find this more annoying. Especially as I've gotten used to rarely typing my 15-character password. I mess this up regularly and have to (more slowly) re-type my password a few times.

I know this is better security, and I am always conscious of locking my laptop in our various offices when I go in. However, I find it annoying at home. Especially when I pop in outside of work hours to look up something on the Internet. I keep telling myself this is good security, and good for both Redgate and our customers. I'm still annoyed by the change, but I know it's for the best.

Like many who work in organizations, I've been lazy about some security aspects for years, and the change is a disruption. I'm sure some of you feel the same way about the rules and protocols that your employers have implemented. You're not alone in desiring a more convenient workplace, but security is a series of overlapping measures that work together to protect data. Practicing and adhering to good security is a lot like a daily backup. Most of the time it's something you never need, but when there's an issue you'll be glad you followed the process that day.

Steve Jones - SSC Editor