Step-by-step checklist for securing authentication in your firm

A must have checklist for security and IT professionals.

Desktop Security

• Shred old phone lists, email lists and other important documents you no longer need

• Some documents will need to be locked away – make sure everyone has a lockable drawer or cabinet

• Basic best practice is to have a clear desk policy

IT Security

• Use screen savers with password controls and short timeouts

• Encourage the use of passphrases rather than passwords

• Encourage the use of password management software to overcome the problem of written passwords

• Encrypt sensitive information on desktops, laptops and PDAs

• Secure mobiles and PDAs - switch off infrared, wireless and Bluetooth when not in use.

• Secure wireless LANs – use the latest security measures and implement VPNs over wireless

• Physically destroy unused hard disks, CDs and other media

User Guidance

• Say what can and cannot be discussed over the telephone

• Say what can and cannot be discussed outside the building

• Say what can and cannot be written in an e-mail

• Don’t use e-mail notification or voicemails when away from the office. It sets up the replacement as a target.

• Ensure everyone knows how to report an incident and to whom

Help Desk

• Permit password resets only with call-back and PIN or cherished information authentication

• Ensure there are clear incident reporting and response procedures

• And clear escalation procedures

• Help desk staff should be encouraged to withhold support when a call does not feel right. In other words “just say no …..”

Training, training, training

• Train all employees - everyone has a role in protecting the organisation and their own jobs

• If someone tries to threaten them or confuse them, it should raise a red flag

• Train new employees as they start

• Give extra security training to security guards, help desk staff, receptionists, telephone operators

• Keep the training up to date and relevant


• Have a security assessment test performed and heed the recommendations

• Test the company's ability to protect its environment, its ability to detect the attack and its ability to react and repel the attack

• Have the first test performed when the company is expecting it

• Do a blind test the second time around

This blog post is an excerpt of an opinion piece called “Identity Theft in The Corporate World” written by Peter Wood from First Base Technologies. You can find more about this security outfit at