Posted by: Michael Morisy
Last week, the IT Watch Blog took a look at the first three of the Seven Deadly Security Sins. Today, we reveal the other transgressions that are costing companies millions of dollars and putting the privacy and security of their employees and customers at risk.
I’ve seen it happen again and again, in businesses small and large. The thinking begins to go: Sure, security compromises happen, but they always happen to them. My users aren’t stupid enough to download that 3D screensaver, and I’ve dotted all my I’s and crossed all my T’s. Yes, a comprehensive security strategy would be nice, but the company has actual, pressing IT needs that have to be met now.
This exact scenario played out in the small business a friend runs IT for, with the “comprehensive security plan” sitting firmly near the bottom of the to-do list since last January. Until the CEO did download that malware, at which point (much too late) it was discovered that the CEO had compromised not only his e-mail account but every other account he had, by re-using the same password again and again; where the password wasn’t reused, he had stored the other passwords insecurely in his e-mail.
ComputerWorld’s Roger Grimes offers up some necessarily humbling advice: Security rule No. 1: Assume you’re hacked. Whether you’ve been doing security for 20 years or 2 months, or it simply falls under your domain as the “all-around IT guy,” you’re never going to be good enough to stop every threat, and so it’s essential you lose the pride and admit that, as Forrester’s Andrew Jaquith notes, security is about risk management, not risk elimination.
One major change that has occurred in the past decade is the permissiveness of corporate culture to bringing electronic toys to the workplace, including iPhones, iPods and thumb drives. Part of it has been driven from the top, with CEOs wanting to use their own tech, damn the consequences, and part of it has been driven from the bottom, with millennials playing by their own rules, also damn the consequences.
But all this gadget lust opens innumerable security risks, from viruses skipping e-mail filters via flash drive or other devices that act as external storage, to sensitive data being taken off the Intranet, out of site and into the wild by users looking for a simpler workaround.
And the risk doesn’t end with the lust for physical devices: As our own members noted, users trying to do their own “upgrades” by forwarding their e-mail to slick services like Gmail can cause all kinds of havoc.
While it’s understandable that end users cause their fair share of trouble, IT professionals’ own lusts can be just as troublesome. Cloud computing, anyone?
As Vivian Yeo reported, an ‘instant noodle’ mindset has taken over some shops, putting security out to pasture:
Such “instant noodle” mentality, where organizations want to quickly roll out their cloud deployments at the expense of security, is the “biggest mistake” in the era of collaboration and connectivity, said Anthony Lim, evangelist and representative of the International Information Systems Security Certification Consortium, or (ISC)2. He is also Asia-Pacific director for security solutions at IBM Singapore’s Rational Software business unit.
Speaking at a security conference here Tuesday organized by market analyst IDC, Lim noted that cloud security considerations typically cover three areas: confidentiality, integrity and availability. However, he said, not enough attention is paid to the first two aspects.
Sure, every marketing droid this side of 2005 is droning on about cloud, but that doesn’t mean you can jump on the bandwagon before kicking the wheels a time or two.
Gluttony is perhaps the most perverse of the 7 Deadly Security Sins, almost paradoxical in its execution: Too much security can actually undermine itself. User after user has told me that they simply work harder and harder to route around the security systems in place if those restrictions are too onerous, opening up whole new security vectors that the original plans might not have taken into account, from the aforementioned thumb drives to furtive Dropbox accounts to simply using personal e-mail accounts to route sensitive data without tripping misconfigured systems that flag it when going through the “proper channels,” even in approved scenarios.