Computer security at work is a touchy subject. In a consulting firm, where everyone is on the same team, why bother to lock your computer. It's a pain having to lock it every time you get up and unlock it when you return. I'm not talking about the physical locks that chain your laptop to a desk, though those are important, I am talking about locking your screen so that others cannot see your work or mess with your data.
I was probably as lax as the next person until I spent a few month working with a small team in an office on-site at a government agency. While the work wasn't secret, it was sensitive, and everyone in the space quickly learned not to walk away from an unlocked computer. The first time I did I returned to an upside down display, and the lessons escalated. The goal was not to damage work, but to make sure that you locked your computer so that no one else with malicious intent could damage your work. It made sense under the circumstances, we worked in a small but readily accessible space. Anyone walking in could easily read the data on an unattended computer. Even though badges were required, and suite access was restricted, you never really knew when someone might stop by who didn't have "need to know."
I now work on-site as a contractor at a different government agency. There is a very clear agency policy, and a very clear office policy, that all computers must be locked when unattended. The agency is very conscious of the concept of "insider threat" and locking your desktop when you walk away is one way to prevent unnecessary access. The strangers in the suite look innocuous, and downstairs security cleared them, and called up, but are they always where they should be? Are they really escorted at all times?
I have a split personality. I am very lackadaisical about some things, about others I am almost obsessive compulsive. Locking your computer every time you leave the office is one of my obsessions. I share an office with three other people. In fact, one of the desks is shared by multiple users, so it could be as many as six or seven different people during the week. Each time someone new sits at that rotating desk I begin the training process. I start with gentle reminders, "don't forget to lock your computer," and progress to small messages left on the screen or changing screen savers. The next step is sending an email from the users account, usually to another colleague, though sometimes to the user himself. They all know it's me, and they all know I would never willfully harm data or view what they are working on.
Today I think the lesson sank in for my latest "victim." I knew he was meeting in one of the other offices with a colleague, and I sent that colleague an "I quit" email from the victim's account. When he returned he acknowledged that he should have locked his computer. Hopefully he got the message.
So next time you stand up from your computer, press CTRL-ALT-DEL then Enter, or even easier, the Windows key (next to Alt on the right on my keyboard) and L at the same time, and avoid a visit from the nasty computer security fairy!
One Note, lest you think I have a death, or more accurately, unemployment wish, if I happen to be in a Fed office and notice that the computer was left unlocked, I lock it immediately and leave a post it note stating "The computer fairy locked your computer. Please don't forget to lock it when you leave the office."
No comments:
Post a Comment