    Security mindsets of very small businesses and residential clients

    • scottalanmiller

      The worst that can happen is that a password is compromised because of not following minimum security practices (by using internal email). Using SMS would move the risk from "acceptable low security for ease of use" via email to "unacceptably low security that takes more effort" potentially.

      And are you sending to locked down end points? My SMS messages display even when my phone is locked.

      • scottalanmiller

        I've written a bit on the evils of SMS. Keep in mind that email is "user" security. SMS is "device" security. You are deciding to send that password to the physical holder of a device rather than to the account of a user. Changes a lot of things fundamentally beyond the security gap.

        • Carnival Boy

          @scottalanmiller said:

          I've written a bit on the evils of SMS.

          Link? I definitely don't understand the risks.

          Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".

          • scottalanmiller @Carnival Boy

            @Carnival-Boy said:

            @scottalanmiller said:

            I've written a bit on the evils of SMS.

            Link? I definitely don't understand the risks.

            Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".

            What do you fear in email that you don't fear in SMS? SMS has no security either. All of the bad things in email exist in SMS.

            • Carnival Boy @scottalanmiller

              @scottalanmiller said:

              What do you fear in email that you don't fear in SMS? SMS has no security either. All of the bad things in email exist in SMS.

              Off the top of my head, e-mail is easier to spread around, more likely to be read by other users or forwarded to unsecure locations, as I've already mentioned, and more likely to be printed out and pinned on a noticeboard.

              I generally send username and other account details by e-mail and passwords by SMS. One is useless without the other, and the probability of both being hacked is massively lower than the probability of one. That's the two-factor bit.

              Let me ask you, what do you fear in SMS that you don't fear in e-mail? I certainly don't understand what is "evil" about SMS.

              • Carnival Boy

                And just to clarify, I didn't start this thread and have no dog in this fight. I don't fear e-mail. I'm just saying what I do, and am interested to hear what others do, and why.

                • scottalanmiller @Carnival Boy

                  @Carnival-Boy said:

                  @scottalanmiller said:

                  What do you fear in email that you don't fear in SMS? SMS has no security either. All of the bad things in email exist in SMS.

                  Off the top of my head, e-mail is easier to spread around, more likely to be read by other users or forwarded to unsecure locations, as I've already mentioned, and more likely to be printed out and pinned on a noticeboard.

                  I generally send username and other account details by e-mail and passwords by SMS. One is useless without the other, and the probability of both being hacked is massively lower than the probability of one. That's the two-factor bit.

                  Let me ask you, what do you fear in SMS that you don't fear in e-mail? I certainly don't understand what is "evil" about SMS.

                  SMS shares every risk of email and is not a business tool. Users can forward, share, print or whatever the same as email. It is likely linked and forwarded automatically, many SMS are. SMS is personal more so than email and treated more casually. SMS is linked to a device and not to a person - security implications are very different.

                  Business email is very secure. SMS is a security level lower than personal email, in nearly all cases. I would not use personal email, not SMS.

                  Internal email, even without good security, is pretty secure. SMS even with great effort is wide open.

                  If you want to split things, put the password in email and the account info in SMS. The password is the piece most needing protection.

                  • technobabble

                    @Carnival-Boy I would say the best thing that comes out of posts like this is opinions and workflow others use.

                    I am not always right, and as the owner I would rather be a dictator when it comes to security, but as it has been pointed out, I could be hampering businesses from working which could cause the business to no longer need my services. I don't want to become the IT person that my clients always tell me about, the rude, obnoxious and overbearing person who points out all the stupid things people do in the office. I believe I will let my blog do that.

                    Also if O365 is much more secure, I am going to be pushing it a lot more.

                    • JaredBusch @technobabble

                      @technobabble said:

                      Also if O365 is much more secure, I am going to be pushing it a lot more.

                      Any Exchange server can have opportunistic TLS enabled, just have to do it. If you use Postini/Google Apps, it is not turned on there by default, but is very easy to turn on.

                      • alexntg @Carnival Boy

                        @Carnival-Boy said:

                        @scottalanmiller said:

                        I've written a bit on the evils of SMS.

                        Link? I definitely don't understand the risks.

                        Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".

                        That's one of the many reasons that it's important for companies to have and enforce policies that prohibit employees from using their personal email for work purposes.

                        • Carnival Boy

                          How do you enforce something like that?

                          • JaredBusch @Carnival Boy

                            @Carnival-Boy said:

                            How do you enforce something like that?

                            You make it policy. If they are caught, then you discipline them per the policy.

                            • Carnival Boy @JaredBusch

                              @JaredBusch said:

                              . If they are caught, then you discipline them per the policy.

                              That's HR's function, I try not to get involved.

                              • A Former User

                                just say no to residential clients 🙂 there are a bagillion folks round here (college town) doing laptop repair for right next to nothing. little yard signs up everywhere. heck just say no to some tiny companies too 🙂

                                • JaredBusch @Carnival Boy

                                  @Carnival-Boy said:

                                  @JaredBusch said:

                                  . If they are caught, then you discipline them per the policy.

                                  That's HR's function, I try not to get involved.

                                  See, you answered your own question then. You let HR enforce it.

                                  • Carnival Boy

                                    I was thinking more about controlling rules in Exchange. If HR need to be involved to get something enforced then I may as well forget it.

                                    • scottalanmiller @alexntg

                                      @alexntg said:

                                      @Carnival-Boy said:

                                      @scottalanmiller said:

                                      I've written a bit on the evils of SMS.

                                      Link? I definitely don't understand the risks.

                                      Another problem I have with using e-mail for confidential communication is the annoying habit of some users to set up rules to forward all of their work e-mail to their personal e-mail. That's usually their personal Hotmail e-mail that uses the password "password".

                                      That's one of the many reasons that it's important for companies to have and enforce policies that prohibit employees from using their personal email for work purposes.

                                      Sure. But you'd want similar policies to keep them from using SMS too. If one is okay, the other might as well be.

                                      • scottalanmiller @Carnival Boy

                                        @Carnival-Boy said:

                                        How do you enforce something like that?

                                        HR. It's not for IT to do.

                                        • scottalanmiller @Carnival Boy

                                          @Carnival-Boy said:

                                          I was thinking more about controlling rules in Exchange. If HR need to be involved to get something enforced then I may as well forget it.

                                          Then why the concern? If management and HR think it doesn't matter then it should definitely not concern you. Not IT's place to make those kinds of calls.
