Forget hacking, a significant proportion of unauthorised access to systems occurs when someone sits down at somebody else's computer. In our increasingly litigious and regulation-bound society, e-mail messages have become one of the primary forms of evidence about employee activity, and "someone else must have sat down at my PC" has become a typical defence to accusations of improper online behaviour.
Risks would be much lower if all users could be relied on to log out or lock their PCs when leaving their desks. A timeout ensures that users are automatically logged out of an application session, or their PCs are locked after a specified period of inactivity. This limits the window of opportunity for someone to misuse someone else's active sessions.
Timeout standards are like password length and complexity - increasing them can provide only a limited benefit before users start complaining about the inconvenience. Companies should manage the introduction of timeouts carefully to minimise end-user dissent and emphasise to the workforce that the timeout protects not only the organisation but also the individual.
The "right" length for a timeout depends on the information being accessed, work patterns, and the physical environment. Inside a corporate office, time limits can be longer. Devices carried into unsecured environments need shorter timeouts. Microsoft Windows lacks the flexibility to vary the timeout value, so it should be set for the most risky environment that the device will be exposed to.
Timeouts should be based on an estimate or assessment of the maximum value of the information assets accessible from that device: the higher the value, the shorter the timeout. Timeout periods for systems connected through virtual private networks should be lower, generally by five minutes.
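As an added illustration of applying these rules on a Windows PC (not code from the article or from Gartner), the following PowerShell function reads the settings an inactivity lock actually depends on and compares the effective lock time with the maximum idle period tolerated for the device's riskiest environment. The default threshold, the five-minute VPN reduction and the 60-second floor are assumptions for illustration; the registry value names are the standard Windows locations for the machine inactivity limit and the secure screen saver.

```powershell
# Added example: audit a Windows PC's inactivity lock against a policy limit.
# Thresholds are assumed for illustration; the article gives environment-based
# guidance, not fixed numbers.
function Get-InactivityLockStatus {
    param(
        # Maximum idle time (seconds) tolerated in the device's riskiest environment.
        [int]$MaxIdleSeconds = 300,
        # Article's rule of thumb: VPN-connected devices get a limit five minutes lower.
        [switch]$VpnConnected
    )
    if ($VpnConnected) { $MaxIdleSeconds = [Math]::Max($MaxIdleSeconds - 300, 60) }  # 60 s floor is an assumption

    # Machine-wide limit ("Interactive logon: Machine inactivity limit"), in seconds.
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $machineLimit = [int]($sys.InactivityTimeoutSecs)   # 0 or missing means not set

    # Per-user screen saver: the policy key takes precedence over the user's own setting.
    $paths = @('HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop',
               'HKCU:\Control Panel\Desktop')
    $ss = $null
    foreach ($p in $paths) {
        $ss = Get-ItemProperty $p -ErrorAction SilentlyContinue
        if ($ss -and $ss.ScreenSaveTimeOut) { break }
    }
    $ssTimeout = if ($ss -and $ss.ScreenSaveTimeOut) { [int]$ss.ScreenSaveTimeOut } else { 0 }
    $ssActive  = [bool]($ss -and $ss.ScreenSaveActive -eq '1')
    $ssSecure  = [bool]($ss -and $ss.ScreenSaverIsSecure -eq '1')   # "On resume, display logon screen"

    # Effective lock time: the shortest mechanism that really locks the session.
    # A screen saver without the secure flag does not protect an unattended PC.
    $candidates = @()
    if ($machineLimit -gt 0) { $candidates += $machineLimit }
    if ($ssActive -and $ssSecure -and $ssTimeout -gt 0) { $candidates += $ssTimeout }
    $effective = if ($candidates) { [int](($candidates | Measure-Object -Minimum).Minimum) } else { 0 }

    [pscustomobject]@{
        MachineInactivityLimitSec = $machineLimit
        ScreenSaverTimeoutSec     = $ssTimeout
        ScreenSaverLocks          = ($ssActive -and $ssSecure)
        EffectiveLockSec          = $effective
        RequiredMaxSec            = $MaxIdleSeconds
        Compliant                 = ($effective -gt 0 -and $effective -le $MaxIdleSeconds)
    }
}

# Example: office device allowed 10 minutes, but currently on a VPN (so 5 minutes apply).
Get-InactivityLockStatus -MaxIdleSeconds 600 -VpnConnected
```

Run it under the account whose session is being assessed, since the screen-saver settings are per user while the machine inactivity limit is system-wide.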
When sensitive data is accessed in a public space, the monitors are sometimes physically shielded so that only the operator can see the screen. In such situations, a timeout value of less than five minutes may be necessary, although in practice, such a short timeout is inconvenient for a workstation. Any further protection of unattended PCs requires the use of "proximity" tokens.
A user wears the token around their neck, and the token automatically logs out the user or locks the PC when the user gets too far away from it. These tokens are highly appropriate wherever shared PCs are used to access critical applications, such as in hospitals and clinics.
Proximity tokens are convenient and effective in preventing the "someone else used my PC" defence common in call centres and on factory floors. However, these benefits can easily be circumvented if users leave the tokens on their desks.
Smartcards are also ineffective against the unattended PC problem. Users can easily leave their smartcard in the reader when they leave their desk. Short timeouts are appropriate here. There is no point in investing in smartcard technology if it can be easily circumvented.
This problem can be reduced by giving users incentives to take their tokens with them when leaving their desk, which may allow longer, more user-friendly timeouts. This is most easily done by making the token also serve as the identity badge. Smartcards can have multiple functions, serving as the electronic key for physical access control and even operating as a stored value card for the vending machine.
Timeouts are not appropriate for all situations, because they have the potential to disrupt normal operations. Short timeouts can also encourage bad behaviour, for example sharing passwords so that one person's PC can be unlocked after a timeout while that person is out of the area.
In this case, there may be compensating controls. Physical access to that area may be restricted and all PCs are in view of several pairs of eyes, minimising the risk of an individual using another's PC.
Organisations need to assess both their own business needs and those of their employees to determine the most appropriate solution. The technology exists to make a difference. However, only with careful consideration will the examples outlined above prove beneficial.
- Ant Allan is a research vice-president at Gartner