Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everybody, welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. This is episode number 28 of the Cash in the Cyber Sheets, and we're continuing on our discussion of the Dirty 13, the top 13 issues that we find when performing audits. It is very appropriate because we are deep, deep in audit season.
Everybody forgets that these need to be done each year, and here we are. So since we've been doing a lot of the audits this week, I actually wanted to go into what seems like low-hanging fruit; some of these things seem almost kind of silly, but amazingly they're overlooked a lot. And it's the physical side of the controls, securing the actual facility.
So I want to get into the different issues that we see there. There are a lot of different things, but there are some recurring issues that we see at a lot of site visits, a lot of site audits, and I don't think it'll take us too long to go through these because there's not a lot of explanation needed for a lot of them. They're, I don't want to say no-brainers, but once you remember to do it, you've kind of got it.
So we'll get into that, what that means. Before we do, however, please click that like, click that subscribe, take a second, pause us, get on the phone, call your friends, call everybody you know, tell them about the show, that they need to be here 10 a.m. on Thursdays. It's really one of the best places to be. It's getting better, getting better.
So with all that said, getting into our Dirty 13 continuation, what we find a lot, even with companies that have things really well tied together, is they just forget, again, that low-hanging fruit, the physical controls. So let's get through some of those, and I'm going to try to do these in a loose order. I should have done them in a complete order here, but I think it depends also on the type of organization that you are.
The type of information that you have relates to how serious some of these are. So in some places I think they're more of an issue than others. I will say, though, I do want to start out with the safety side of things.
Obviously we want to keep the organization secure. We want to keep our data secure, but first and foremost, we've got to keep all of our people, all of our employees, all of our visitors, clients, everybody, got to keep everybody safe. That's paramount.
That's the first thing. And even in all of our policies, in all of our response manuals, our training, that's always the first thing. Make sure you're somewhere safe.
Make sure that other people are safe, and then do the reporting, and then do all of your procedures, all the things you're supposed to do, but you've got to be safe first. And one of the things that you want to make sure of at all of your sites is that you have the appropriate exit signs. That's normally always there.
You can't typically get a certificate of occupancy, the CCOA, COO. You can't start using the building. You can't get cleared until you have all the exit signs.
But one thing that is overlooked a lot is the fire extinguishers. And one, a lot of companies don't have enough. They maybe have one that's outside of their unit, or, and what we see even more commonly, there are fire extinguishers.
Sometimes they're tucked away, make sure people know where they're at, but they're not being maintained. They're not being reviewed. And these have to be reviewed at least annually.
That's actually fire code. That's actually a pretty serious OSHA violation. And God forbid there's a fire, somebody gets hurt.
You haven't done this. It really opens you up to a lot of potential exposure. So it's a pretty easy thing to address, but just make sure you've got a good number of fire extinguishers and that they're in good places.
The ABCs are the best ones typically for most companies. Make sure your personnel know where they're at. Perhaps go through a brief training of how to use them.
I wouldn't suggest ripping one off the wall and shooting it off, but it actually might be pretty fun in a controlled area where you can do that safely. But again, make sure you've got fire extinguishers, make sure your people know where they're at, and make sure they're being maintained. That's the biggest one that we find.
Some of the other issues that we find, though, moving on from safety, is visitor management. A lot of companies don't have any real structure to how they manage visitors.
So the easiest way there, just have a visitor log. In your policy, in your procedures, make it to where visitors have to be escorted. And one thing you want to make sure that you have in place is training or a process or something in place to where, if you see somebody that's not supposed to be there, you know how to handle that, you know what to say. And very much, do not assume that your people know what they're going to do in that situation.
What typically will happen is, when there's no training, when there's no guidance, when there's nothing to fall back on, people will overlook it, make excuses to themselves for why they don't really need to say anything. "That feels a little weird, but I don't want to feel uncomfortable or embarrassed. So I'm not going to say anything."
I think it was Chris Voss that said it. People don't rise to the occasion. They fall to their lowest level of preparedness.
I was really worried that wasn't going to come out right. And this is very prevalent in these types of situations, in kind of the social engineering situations. Make sure your personnel understand what to say to somebody, how to handle it if they see somebody somewhere they shouldn't be, whether that's a visitor or even if that's an employee, but just in a place that they're not supposed to be. So have a plan in place for that.
Something to say. I don't know. You can even get a little whistle.
I don't know. Whatever works for your organization. Some of the other things are, let's see, I'm trying to do these somewhat in order.
Daisy-chaining power strips. We do see this a lot in a lot of companies, and I don't know. There's not a lot to say there.
You can't daisy-chain power strips. And what that means is plugging a power strip into the wall, then plugging another power strip into that, and then potentially another one. Technically, under the fire code, you're not even really supposed to use power strips at all.
That's not really reasonable anywhere, but you want to make sure they're not daisy-chained. Not only can that be a serious safety issue, but if the fire marshal comes in and does an inspection, you're going to get popped on it.
So just don't do that. Password post-it notes. Those are everywhere.
We find them under keyboards. We find them on desks. We find them in drawers.
Don't have the passwords written down. Help your employees with a password manager. Have password policies in place to where they can use passphrases, so that way they're not having to do these really complicated, goofy, super complex passwords, but they can do a passphrase, a sentence, a little bit easier to remember. But password post-its, and also kind of along that same area, is locking your screen. Get in the habit of locking your screens when you walk away from the computer. You hear it a lot in a lot of security training, but in practice, a lot of people forget to do it. And a neat way that you can actually turn that around, without becoming that really annoying harpy of a security practitioner always yelling at everybody, is to create a game in your organization, in different departments, anywhere, built around this: when you find somebody that hasn't locked their computer, or you find a post-it note, you get some points, or you get a candy bar, you get something.
And at the end of, say, a month or the end of three months, whatever, that person wins a prize, whoever found the most. That way it's not coming down on everyone; it's creating more of a fun environment to where people start policing each other, but not in a way that makes them feel annoyed or embarrassed or try to find ways around the security controls. For what it's worth, that has worked at quite a few different places. So definitely I would suggest trying that out. Other things that we see that are overlooked are the shipping and receiving areas.
Now, sometimes in buildings there is a very secure shipping and receiving area. Other times packages are just left outside a suite, or mail is just dumped right at the front desk. And if there's a lot of foot traffic, somebody could easily just grab that and walk away. Same thing with larger purchases.
You want to make sure that if you're getting a new conference room TV, a new 65-inch, or a new video conferencing system, that you have some way to make sure that it's going to get to you and not get pinched. So again, not a lot to say there, but make sure that you're securing your shipping and receiving areas, and also make sure that those shipping and receiving areas don't allow backdoor access into the entire suite. Sometimes that's an overlooked kind of screen backdoor to a very secure front of the building.
So just keep that in mind. Daisy-chaining power strips. We talked about those.
These tie into safety, but making sure that you have your equipment securely placed, making sure you don't have computers, and especially printers, too close to the edge of a desk or right around a corner of a hallway, to where somebody whipping around the corner could run into it, or where somebody's shirt or blouse could catch and pull a piece of equipment down. Just try to keep that in mind when you're actually putting equipment down, when you're running your cords; keep that in the back of your head: is this the safest way that we could do this? And on the topic of the printers and faxes, make sure that those are in areas so that when they print, it's not leaving sensitive information somewhere that anybody could grab it.
And sometimes it's not possible to really put the printer or fax anywhere else. So make sure that you're grabbing the prints right when you print them, or, if you can, set up a passcode to where you have to pop in your code for it to start printing, so that way it only does it when you're standing right there.
I think the last thing that I'll wrap up with here is making sure you don't have anything on whiteboards or bulletin boards that is sensitive in nature. It's amazing how, even in companies where we don't find any post-it notes with passwords, everybody's locking their computer, we've got a great visitor log,
everybody walks everybody around, but we've got glass walls, lots of windows, and right front and center on our whiteboard is our whole M&A strategy or our new financial plan. And it's highly sensitive stuff, and it's just there for everybody to see. So make sure you're not leaving sensitive information on a big bulletin board, a big whiteboard that everybody can see.
I've seen some companies use pull-downs or shades where it's not the best to erase everything, but just watch out for that, and make sure, as it relates, that people can't see into the building, into those sensitive areas. So for what it's worth, these are, time and time again, what we're finding when we're doing our site walkthroughs, when we're doing our virtual site audits with companies, and again, I think a lot of these are low-hanging fruit. They're easy to tidy up, and it offers a lot of extra security and helps prevent you from getting bonked on any type of audit.
So with that, I will go ahead and say thank you very much for listening. Thank you very much for joining us. Click that subscribe, click that like button, let everybody know about us, and I'll see you next week here on Cash in the Cyber Sheets, 10 a.m. Thursday. Can't wait to see you.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.