The Security Blanket
Throughout my experience in the information security industry, I have come into contact with individuals who seem to like the idea of having quality security controls in place, but simply do not want to deal with the reality of the information environment we live in. In a way, these folks are like Linus from Peanuts, content as long as they have their security blanket, but not ready to face the reality of whether or not said blanket provides anything significant in the way of actual security.
The following are a few examples of security blankets that I have heard people use to defend the position for not paying more attention to properly securing their business:
- We have passwords required for any employee logging into our systems.
- And…. that is where the control ends. No process is in place to ensure that passwords are managed securely or that the password transmission channels are protected against sniffing. Strong passwords are important, but it is far easier for an intruder to “sniff” the password or use other methods to obtain it (e.g., a keystroke logger) than to crack the password directly. Note: this is no excuse not to enforce the use of strong passwords, but relying on passwords alone will not provide you with the risk-reducing security that many believe they do.
- I have a firewall in place that protects my company’s network.
- Excellent, this is really a bare-minimum control and should be in place at every company (and consumer networks). The problem here is that too often in the small business environment this is where the effort stops: a firewall is purchased and installed. For a firewall to be effective, it needs to be configured properly, maintained with the latest updates (including signatures/definition if additional features like IDS or anti-virus are utilized), and monitored.
- Our laptops are fully encrypted.
- Encrypting your computers with a solution like BitLocker or TrueCrypt is a great control if managed properly and your employees are trained on the solution. For instance, the drives are encrypted when the system is powered off, but an intruder that snags your powered on laptop from your table at a café while you are grabbing another caffeine fix will not be stopped as the drive is not currently encrypted. Unfortunately, another common issue I have seen is companies that encrypt hard drives, but store the recovery keys on unencrypted media such as a network file share.
- My company is too small; there is no way that we are a target.
- This is one of my favorites. Time and again this has been proven false by reports ranging from Verizon’s annual security report to the Ponemon reports, yet I still hear business owners insisting that it (in information security breach) will not happen to them and that they will just “accept” the associated business risk and continue along with business as usual. The problem here is that you cannot accept business risk if you have no idea what the risk really is. It is important to at least analyze the situation with open eyes and perform a risk assessment (we call this ‘due diligence’) prior to writing off any risk.
It takes a lot of energy to effectively run the various aspects involved in operating a successful business. Sometimes the greatest roadblocks that upper management encounter are themselves. Whether we are discussing security, innovation, or just improving basic business processes, apathy can cause smart managers to forego evaluating risk areas within their business that can have a significant impact on their operations and future growth. Spending energy up front to properly evaluate the risk and control environment can not only provide relief from future migraines, but help avoid opportunity loss and even prevent asset loss.
In closing, the above is only effective if management has a desire to understand their risk and is willing to face difficult truths. While we all know the importance of a leader being supported by excellent advisors; it is equally important that leaders utilize the advice given and act accordingly.