Security mindsets of very small businesses and residential clients

scottalanmiller

The worst that can happen is that a password is compromised because of not following minimum security practices (by using internal email.). Using SMS would move the risk from "acceptable low security for ease of use" via email to "unacceptably low security that takes more effort" potentially.

And are you sending to locked down end points? My SMS messages display even when my phone is locked.

scottalanmiller

I've written a bit on the evils of SMS. Keep in mind that email is "user" security. SMS is "device" security. You are deciding to send that password to the physical holder of a device rather than to the account of a user. Changes a lot if things fundamentally beyond the security gap.

Carnival Boy

@scottalanmiller said:

I've written a bit on the evils of SMS.

Link? I definitely don't understand the risks.

Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set-up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".

scottalanmiller

@Carnival-Boy said:

@scottalanmiller said:

I've written a bit on the evils of SMS.

Link? I definitely don't understand the risks.

Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set-up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".

What do you fear in email that you don't fear in SMS? SMS has no security either. All of the bad things in email exist in SMS.

Carnival Boy

@scottalanmiller said:

What do you fear in email that you don't fear in SMS? SMS has no security either. All of the bad things in email exist in SMS.

Off the top of my head, e-mail is easier to spread around, more likely to be read by other users or forwarded to unsecure locations, as I've already mentioned and more likely to be printed out and pinned on a noticeboard.

I generally send username and other account details by e-mail and passwords by SMS. One is useless without the other, and the probability of both being hacked is massively lower than the probability of one. That's the two-factor bit.

Let me ask you, what do you fear in SMS that you don't fear in e-mail? I certainly don't understand what is "evil" about SMS.

Carnival Boy

And just to clarify, I didn't start this thread and have no dog in this fight. I don't fear e-mail. I'm just saying what I do, and am interested to hear what others do, and why.

scottalanmiller

@Carnival-Boy said:

@scottalanmiller said:

What do you fear in email that you don't fear in SMS? SMS has no security either. All of the bad things in email exist in SMS.

Off the top of my head, e-mail is easier to spread around, more likely to be read by other users or forwarded to unsecure locations, as I've already mentioned and more likely to be printed out and pinned on a noticeboard.

I generally send username and other account details by e-mail and passwords by SMS. One is useless without the other, and the probability of both being hacked is massively lower than the probability of one. That's the two-factor bit.

Let me ask you, what do you fear in SMS that you don't fear in e-mail? I certainly don't understand what is "evil" about SMS.

SMS shares every risk of email and is not a business tool. Users can forward, share, print or whatever the same as email. It is likely linked and forwarded automatically, many SMS are. SMS is personal moreso than email and treated more casually. SMS is linked to a device and not to a person - security implications are very different.

Business email is very secure. SMS is a security level lower than personal email, in nearly all cases. I would not use personal email, not SMS.

Internal email, even without good security, is pretty secure. SMS even with great effort is wide open.

If you want to split things, put the password in email and the account info in SMS. The password is the piece most needing protection.

technobabble

@Carnival-Boy I would say the best thing that comes out of posts like this is opinions and work flow others use.

I am not always right, and as the owner I would rather be a dictator when it comes to security, but as it has been pointed out, I could be hampering businesses from working which could cause the business to no longer need my services. I don't want to become the IT person that my clients always tells me about, the rude, obnoxious and overbearing person who points out all the stupid things people do in the office. I believe I will let my blog do that.

Also if O365 is much more secure, I am going to be pushing it a lot more.

JaredBusch

@technobabble said:

Also if O365 is much more secure, I am going to be pushing it a lot more.

Any exchange server can have opportunistic TLS enabled, just have to do it. If you use Postini/Google Apps, it is not turned on there by default, but is very easy to turn on.

alexntg

@Carnival-Boy said:

@scottalanmiller said:

I've written a bit on the evils of SMS.

Link? I definitely don't understand the risks.

Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set-up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".

That's one of the many reasons that it's important for companies to have and enforce policies that prohibit employees from using their personal email for work purposes.

Carnival Boy

How do you enforce something like that?

JaredBusch

@Carnival-Boy said:

How do you enforce something like that?

You make it policy. If they are caught, then you discipline them per the policy.

Carnival Boy

@JaredBusch said:

. If they are caught, then you discipline them per the policy.

That's HR's function, I try not to get involved.

A Former User

just say no to residential clients there are a bagillion folks round here (college town) doing laptop repair for right next to nothing. little yard signs up everywhere. heck just say no to some tiny companies too

JaredBusch

@Carnival-Boy said:

@JaredBusch said:

. If they are caught, then you discipline them per the policy.>

That's HR's function, I try not to get involved.

See you answered your own question then. You let HR enforce it.

Carnival Boy

I was thinking more about controlling rules in Exchange. If HR need to be involved to get something enforced then I may as well forget it.

scottalanmiller

@alexntg said:

@Carnival-Boy said:

@scottalanmiller said:

I've written a bit on the evils of SMS.

Link? I definitely don't understand the risks.

Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set-up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".

That's one of the many reasons that it's important for companies to have and enforce policies that prohibit employees from using their personal email for work purposes.

Sure. But you'd want similar policies to keep them from using SMS too. If one is okay, the other might as well be.

scottalanmiller

@Carnival-Boy said:

How do you enforce something like that?

HR. It's not for IT to do.

scottalanmiller

@Carnival-Boy said:

I was thinking more about controlling rules in Exchange. If HR need to be involved to get something enforced then I may as well forget it.

Then why the concern? If management and HR think it doesn't matter then it should definitely not concern you. Not IT's place to make those kinds if calls.