Takeaway:
Regardless of an organization's size, they all face the same security challenges keeping intruders away from their private information. However, most companies have a tendency to make the same mistakes. John McCormick details the five worst security practices found in businesses both large and small.
--------------------------------------------------------------------------------
Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!
An individual using a single workstation, a small business with two or three PCs connected to the Net through a high-speed cable modem, the team responsible for the security of an enterprise network: Regardless of an organization's size, they all face the same security challenges keeping intruders away from their private information.
Unfortunately, people tasked with security keep making the same basic mistakes. Since it's once again been a relatively quiet week in the security world, I'm taking this opportunity to list the five worst security practices found in businesses both large and small.
1. Failing to enforce policies
Number one with a bullet is failing to properly set security policies, neglecting to train anyone with access to computers, and especially declining to enforce an established policy.
It's a truism that you get what you reward for and don't see as much of what you forbid. So if your organization wants good security practices, it must establish a clearly enunciated set of policies. Among other things, these policies must define basic usage rules, such as never opening strange e-mails, surfing random sites on personal business, or downloading files from the Web.
But security experts have been saying this for years, so why isn't it working? That's simple: Even when there are policies in place, there are seldom any real consequences for breaking the rules or any reward for those who don't.
There are a few organizations, including
Consider the impact that a significant prize for the employee with the best security record could have on security. For example, everyone could start with 100 points, losing one point for every out-of-policy security mistake, even if it doesn't result in actual damage or loss.
Establishing security policies that are more than a stack of paper and providing employee incentives for such policies could go a long way to helping organizations improve security.
2. Ignoring new vulnerabilities
Second on my list of the worst security mistakes is failing to take appropriate action when new vulnerabilities surface.
Most security managers receive automatic notification of new patches and/or monitor at least one security Web site. A significant number even subscribe to security-related newsletters, such as IT Locksmith, which attempt to filter out the noise and focus on serious problems.
But there is simply so much information available that many people don't even bother to read the alerts they subscribe to. A far smaller number actually adjust policy or perform updates to fix the problems they do learn about.
3. Relying too much on technology
Another big mistake is relying excessively on technological fixes and paying too little attention to actually using them.
For example, if you tell upper management that you've installed the top antivirus software or the latest star in the firewall world, they'll think you've done your job. But unless you've carefully configured that firewall and maintained the antivirus software, you really haven't done much of anything.
Setting up a firewall properly in some environments can be as much art as science. It isn't a set-it-and-forget-it task any more than installing antivirus software ends all your malware worries. Instead, you have to keep tweaking the firewall to meet new needs, sometimes even blocking some ports for a few weeks after a new port scanning epidemic surfaces.
And that goes back to the second biggest mistake you have to pay attention to new security updates and vulnerabilities as they emerge. For example, to keep track of the top 10 ports that would-be attackers are targeting, bookmark this SANS Web page. For antivirus programs, you not only need to update signature files; you must also monitor the need for patches to fix newly disclosed vulnerabilities in the antivirus software itself.
Anti-spyware software is much less complex than antivirus programs, so patches are seldom necessary. However, they require as much attention to downloading the latest database information as do antivirus programs.
Finally, don't forget that all these security utilities become worthless if you ignore the reports they generate.
4. Failing to thoroughly investigate job candidates
The fourth biggest mistake is failing to properly screen job candidates for criminal records or even poor financial decisions, particularly for candidates outside of the IT department.
Americans in particular feel that personal privacy is one of the most important basic human rights, and they tend to respect others' desires for privacy, which often results in a reluctance to investigate the background of job candidates. In fact, a recent IT Locksmith discussion questioned whether it's reasonable to use a person's financial history as a tool in deciding if he or she would make a dependable employee.
Many readers questioned this practice despite the fact that companies have widely employed it for two simple reasons. First of all, if people are careless with their own finances, how well will they protect yours? Second, if someone's under financial pressure, he or she is more subject to outside pressures to indulge in activities that compromise security.
Whether it's due to poor planning, poor impulse control, or simple carelessness, a recent bankruptcy in someone's financial history is always a big red flag unless there's a very good explanation. It may be sad, it may be unfortunate, but it's a common practice because it works.
5. Expecting too much from technical skills
The fifth biggest mistake and this is one I see all the time's an unhealthy reliance on the IT staff's technical skills for security planning.
When choosing someone to head up security, most managers see nothing but the incredible complexity of networks and software, and they then assume the best person for the job is the one with the most technical skills. However, while technical knowledge is necessary, a gut feeling for security along with a healthy dose of paranoia is far more important for the head of security, provided someone on the IT team has the knowledge and skills related to the technical side of software and hardware security.
Having a strong security background from a stint with a university police department and more time with a detective agency, I can often walk through a company and spot a dozen critical security errors, which render all the best software security practices completely useless. If I wanted to compromise some company's IT security, I would either get a job with the cleaning company or fake a UPS or FedEx uniform. I could walk in carrying a big package and simply walk out with what I wanted in the previously empty box. Think about it: Would that work at your business?
Final word
Last week, I listed some recent security breaches in
On March 11, someone walked into a
This theft, as well as the data theft incidents at other
The irony abounds, especially in this quote: "Major sponsorship from The California State University highlights the commitment of the higher education community to understanding and addressing the issues surrounding information security..." I was thinking of attending, but I balked at the idea of providing registry information online!
- 治理评论第一期[01-20]
- 治理评论第二期[01-20]
- 治理评论第五期[01-20]
- 治理评论第六期[01-20]
- 治理评论第三期[01-20]
- 治理评论第四期[01-20]
- 太极凭什么中标12306? [09-26]
- 中国国际航空股份有限公司--书评[11-01]
