
Step-by-step checklist for securing authentication in your firm

A must-have checklist for security and IT professionals.

Desktop Security

• Shred old phone lists, email lists and other important documents you no longer need

• Some documents will need to be locked away – make sure everyone has a lockable drawer or cabinet

• Basic best practice is to have a clear desk policy

IT Security

• Use screen savers with password controls and short timeouts

• Encourage the use of passphrases rather than passwords

• Encourage the use of password management software to overcome the problem of written passwords

• Encrypt sensitive information on desktops, laptops and PDAs

• Secure mobiles and PDAs – switch off infrared, wireless and Bluetooth when not in use

• Secure wireless LANs – use the latest security measures and implement VPNs over wireless

• Physically destroy unused hard disks, CDs and other media
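The passphrase advice above is easy to quantify. The following Python is an added example, not code from the original article or from First Base Technologies: it estimates the search space of a hand-chosen password from the character classes it uses, computes the entropy of a passphrase drawn uniformly from a word list (the figure depends only on the list size, which an attacker is assumed to know), and generates passphrases with a CSPRNG. The word list, the 70-bit policy threshold and the function names are assumptions made for the example.

```python
import math
import secrets

# Constructed sample word list for illustration only. A real deployment should use
# a large published list (the EFF long list has 7,776 words); the entropy figures
# below depend only on the list size, not on which words are in it.
SAMPLE_WORDS = ["anchor", "basil", "copper", "delta", "ember", "fossil",
                "garnet", "harbor", "ivory", "juniper", "kestrel", "lumen",
                "meadow", "nickel", "orbit", "pebble", "quartz", "ridge",
                "saddle", "timber", "umber", "velvet", "willow", "yarrow"]

# Character-class sizes used to bound the search space of a hand-chosen password.
# Printable ASCII symbols are counted as 32 (assumed, conventional figure).
CHAR_CLASSES = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10)]
SYMBOL_COUNT = 32


def password_entropy_bits(password: str) -> float:
    """Upper bound on the entropy of a password, assuming every character was drawn
    uniformly from the union of the character classes it uses. Human-chosen passwords
    are far weaker than this bound, which is the point of the comparison."""
    alphabet = sum(size for pred, size in CHAR_CLASSES if any(pred(c) for c in password))
    if any(not c.isalnum() for c in password):
        alphabet += SYMBOL_COUNT
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n words chosen uniformly and independently from a list of
    wordlist_size words. This holds even when the attacker has the list."""
    return n_words * math.log2(wordlist_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest word count whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(n_words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Draw n words with the secrets module (CSPRNG); never use random.choice for this."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def meets_policy(passphrase: str, wordlist_size: int, min_bits: float = 70.0,
                 sep: str = "-") -> bool:
    """Policy check for generated passphrases: accept when the word count gives at
    least min_bits of entropy for the list it was drawn from (70 bits is assumed)."""
    n_words = len([w for w in passphrase.split(sep) if w])
    return passphrase_entropy_bits(n_words, wordlist_size) >= min_bits


if __name__ == "__main__":
    print("Tr0ub4dor&3 bound:", round(password_entropy_bits("Tr0ub4dor&3"), 1), "bits")
    print("6 words from 7,776:", round(passphrase_entropy_bits(6, 7776), 1), "bits")
    print("words for 80 bits from 7,776:", words_needed(80, 7776))
    print("example:", generate_passphrase(6))
```

With a 7,776-word list, six words give about 77.5 bits and seven reach 80, while an eleven-character password mixing all four classes is bounded at roughly 72 bits and in practice is much weaker. The small constructed list above needs 18 words for 80 bits, which is why the list size matters more than the word choice.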

User Guidance

• Say what can and cannot be discussed over the telephone

• Say what can and cannot be discussed outside the building

• Say what can and cannot be written in an e-mail

• Don’t use out-of-office e-mail notifications or voicemail greetings that name a stand-in when away from the office. They hand an attacker the replacement’s name and set that person up as a target.

• Ensure everyone knows how to report an incident and to whom

Help Desk

• Permit password resets only after a call-back to the number held on record and PIN or cherished-information authentication (memorable personal details the caller registered in advance)

• Ensure there are clear incident reporting and response procedures

• And clear escalation procedures

• Help desk staff should be encouraged to withhold support when a call does not feel right. In other words, “just say no”
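The call-back and PIN rule above can be modelled as a two-call flow. The Python below is an added example, not code from the original article or from First Base Technologies: on the first call the desk only looks up the number on record and opens a short-lived ticket (the caller never supplies the number to dial back); on the desk’s outbound call the PIN is verified against a salted PBKDF2 hash with a constant-time compare, failures are counted and lock further resets, and every decision is written to an audit list. The ticket lifetime, attempt limit, lockout period, employee record and all names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 3              # assumed: failed PINs before help-desk resets are locked
LOCKOUT_SECONDS = 15 * 60     # assumed lockout period
TICKET_TTL_SECONDS = 10 * 60  # assumed: the call-back must happen within this window
PBKDF2_ITERATIONS = 100_000


@dataclass
class Employee:
    user_id: str
    registered_phone: str     # from the HR/directory record, never from the caller
    pin_salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


def hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


def enrol(user_id: str, phone: str, pin: str) -> Employee:
    """Register an employee's call-back number and PIN (constructed directory entry)."""
    salt = secrets.token_bytes(16)
    return Employee(user_id, phone, salt, hash_pin(pin, salt))


class ResetDesk:
    """Two-call reset: the inbound call only yields a call-back ticket; the reset
    itself happens on the desk's outbound call, after the PIN is verified."""

    def __init__(self, directory: dict, now=time.time):
        self.directory = directory
        self.now = now            # injectable clock so the flow can be tested offline
        self.pending = {}         # ticket -> (user_id, expiry)
        self.audit = []           # every decision, for incident review

    def request_reset(self, user_id: str) -> dict:
        """Inbound call. Returns the number the agent must dial; it is not read back
        to the caller, and a number offered by the caller is never used."""
        emp = self.directory.get(user_id)
        if emp is None:
            self.audit.append(("refuse", user_id, "unknown user"))
            return {"action": "refuse", "reason": "identity not confirmed"}
        ticket = secrets.token_hex(8)
        self.pending[ticket] = (user_id, self.now() + TICKET_TTL_SECONDS)
        self.audit.append(("callback", user_id, ticket))
        return {"action": "callback", "number": emp.registered_phone, "ticket": ticket}

    def complete_reset(self, ticket: str, pin: str) -> dict:
        """Outbound call on the recorded number. Verifies the PIN; on success issues a
        one-time temporary password that must be changed at first logon."""
        entry = self.pending.get(ticket)
        if entry is None:
            self.audit.append(("refuse", "?", "unknown or used ticket"))
            return {"action": "refuse", "reason": "unknown or used ticket"}
        user_id, expiry = entry
        emp = self.directory[user_id]
        now = self.now()
        if now > expiry:
            del self.pending[ticket]
            self.audit.append(("refuse", user_id, "ticket expired"))
            return {"action": "refuse", "reason": "ticket expired"}
        if now < emp.locked_until:
            self.audit.append(("refuse", user_id, "locked"))
            return {"action": "refuse", "reason": "locked"}
        if not hmac.compare_digest(hash_pin(pin, emp.pin_salt), emp.pin_hash):
            emp.failed_attempts += 1
            if emp.failed_attempts >= MAX_ATTEMPTS:
                emp.locked_until = now + LOCKOUT_SECONDS
                emp.failed_attempts = 0
                del self.pending[ticket]          # a locked account needs a fresh ticket
                self.audit.append(("lock", user_id, "too many bad PINs"))
            else:
                self.audit.append(("refuse", user_id, "bad pin"))
            return {"action": "refuse", "reason": "bad pin"}
        emp.failed_attempts = 0
        del self.pending[ticket]                  # single use
        temp_password = secrets.token_urlsafe(12)
        self.audit.append(("reset", user_id, "temporary password issued"))
        return {"action": "reset", "user": user_id,
                "temporary_password": temp_password, "must_change": True}
```

The audit list is what the incident-reporting bullets above rely on: a burst of refusals for one user, or requests for users that do not exist, is the signal that someone is working the help desk.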

Training, training, training

• Train all employees - everyone has a role in protecting the organisation and their own jobs

• If someone tries to threaten them or confuse them, it should raise a red flag

• Train new employees as they start

• Give extra security training to security guards, help desk staff, receptionists, telephone operators

• Keep the training up to date and relevant

Testing

• Have a security assessment test performed and heed the recommendations

• Test the company's ability to protect its environment, its ability to detect the attack and its ability to react and repel the attack

• Have the first test performed when the company is expecting it

• Do a blind test the second time around

This blog post is an excerpt of an opinion piece called “Identity Theft in The Corporate World” written by Peter Wood from First Base Technologies. You can find more about this security outfit at

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.