Enterprise IT Watch Blog

Sep 16 2010   8:36AM GMT

The Seven Deadly Enterprise Security Sins, Part II

Michael Morisy Michael Morisy Profile: Michael Morisy

Last week, the IT Watch Blog took a look at the first three of the Seven Deadly Security Sins. Today, we reveal the other transgressions that are costing companies millions of dollars and putting the privacy and security of their employees and customers at risk.

Pride

I’ve seen it happen again and again, in businesses small and large. The thinking begins to go: Sure, security compromises happen, but they always happen to them. My users aren’t stupid enough to download that 3D screensaver, and I’ve dotted all my I’s and crossed all my T’s. Yes, a comprehensive security strategy would be nice, but the company has actually pressing IT needs that need to be met now.

This exact scenario played out in the small business a friend runs IT for, with the “comprehensive security plan” sitting firmly near the bottom of the to do list since last January. Until the CEO did download that malware, at which point (much too late) it was discovered that the CEO not only had compromised his e-mail account, but every other account he had, by re-using the same password again and again and where the password wasn’t reused, he stored the other passwords insecurely in his e-mail.

ComputerWorld‘s Roger Grimes offers up some necessarily humbling advice: Security rule No. 1: Assume you’re hacked. Whether you’ve been doing security for 20 years or 2 months, or it simply falls under your domain as the “all-around IT guy,” you’re never going to be good enough to stop every threat, and so it’s essential you lose the pride and admit that, as Forrester’s Andrew Jaquith notes, security is about risk management, not risk elimination.

Lust

One major change that has occurred in the past decade is the permissiveness of corporate culture to bringing electronic toys to the workplace, including iPhones, iPods and thumb drives. Part of it has been driven from the top, with CEOs wanting to use their own tech, damn the consequences, and part of it has been driven from the bottom, with millennials playing by their own rules, also damn the consequences.

But all this gadget lust opens innumerable security risks, from viruses skipping e-mail filters via flash drive or other devices that act as external storage, to sensitive data being taken off the Intranet, out of site and into the wild by users looking for a simpler workaround.

And the risk doesn’t end with the lust for physical devices: As our own members noted, users trying to do their own “upgrades” by forwarding their e-mail to slick services like GMail can cause all kinds of havoc.

Envy

While it’s understandable that end users cause their fair of trouble, IT professionals’ own lusts can be just as troublesome.  Cloud computing, anyone?

As Vivian Yeo reported, an ‘instant noodle’ mindset has taken over some shops, putting security out to pasture:

Such “instant noodle” mentality, where organizations want to quickly roll out their cloud deployments at the expense of security, is the “biggest mistake” in the era of collaboration and connectivity, said Anthony Lim, evangelist and representative of the International Information Systems Security Certification Consortium, or (ISC)2. He is also Asia-Pacific director for security solutions at IBM Singapore’s Rational Software business unit.

Speaking at a security conference here Tuesday organized by market analyst IDC, Lim noted that cloud security considerations typically cover three areas: confidentiality, integrity and availability. However, he said, not enough attention is paid to the first two aspects.

Sure, every marketing droid this side of 2005 is droning on about cloud, but that doesn’t mean you can jump on the bandwagon before kicking the wheels a time or two.

Gluttony

Gluttony is perhaps the most perverse of the 7 Deadly Security Sins, almost paradoxical in its execution: Too much security can actually undermine itself. User after user has told me that they simply work harder and harder to route around the security systems in place if those restrictions are too onerous, opening up whole new security vectors that the original plans might not have taken into place, from the aforementioned thumb drives to furtive DropBox accounts to simply using personal e-mail accounts to route sensitive data without tripping misconfigured systems that flag it when going through the “proper channels,” even in approved scenarios.

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.

1  Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • Michael Morisy
    [...] agency. Folks, think long and hard about this kind of stuff (the rest of the story) before jumping on the cloud computing bandwagon. Once things are out of your control in the cloud, it’s a different story [...]
    0 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: