In previous articles, we have talked about the importance of using strong passwords and multi-factor authentication to protect consumer data. These are important steps, but only work when a potential user must login to a physical device or program before accessing consumer data. For this reason, every company should take steps to secure all devices and programs so that the user must login after a period of inactivity. This relatively simple step can help prevent a range of types of unauthorized access.
Desktops and laptops
Companies should set up all desktops and laptops to logoff (or lock) after a period of inactivity. The inactivity period should depend on the relative risk of unauthorized access presented. For example, laptops should logout after a relatively short period of inactivity because they are mobile and at greater risk of theft or loss. Similarly, desktops with access to company or consumer information in areas accessible by the public should logout quickly as well. All computers, whether desktop or laptop, should at least logoff during hours when a business is closed – unless in active use – and require a login when business starts again.
Like laptops, all cell phones should require password entry after a relatively short period of inactivity. This should include any cell phone a company owns as well as any device used by an employee that contains or can access customer data. Many business email servers can be set to require a cell phone to have sufficient access security to access the email server, which is a good method to require compliance with this security measure.
Even if a company secures all devices with passwords, software that allows access to consumer or company data should also require passwords (and sometimes two-factor authentication. They should also logout after inactivity, much like computers and cell phones. The inactivity period for software should be shorter than for the device that is accessing it, as this maximizes the protective value of requiring a logon with the least impact on function.
Automate security measures
Whenever possible, companies should automate these measures for securing devices and software so that individual employees are not setting procedures that are less secure. For company owned devices, companies should set the security procedures themselves and lock the systems to prevent modifications. With employee-owned devices, companies should consider software that requires password access and logoff after inactivity.