Security management has a lot to do with details -- staying on top of the latest threats and patching flaws. But sometimes, it has more to do with the big picture and how you approach security management. Here are the top 10 security mistakes I've seen people make:
- 1. Trusting people: The biggest threat to your IT security is ALWAYS the trusted employee. This is especially true of executives because poor personal security practices are just as dangerous (or more dangerous) as having a dishonest employee. If you ever need to cite an example, remember that one former CIA director actually accessed "company" files from his unsecured home PC. President Bill Clinton had to give Director John Deutch a Presidential Pardon to prevent prosecution.
- 2. Thinking your OS/server/Web app/wireless network/whatever is already secure: Having confidence is a wonderful thing in business and life in general, but paranoia is KING in security.
- 3. Failure to confirm that your disaster recovery plan actually works: Is that backup comprehensive? Is it scheduled (and actually done!) frequently enough? Can you restore your business from those backup tapes? And, most critical of all, is the backup kept physically secure and physically separate from your servers?
- 4. Incorrectly prioritizing the protection of specific assets: Few of us have the resources to protect everything completely. In the real world, you need to know what the most important things are to your company so you can protect those assets the most. One size does NOT fit all.
- 5. Failing to convince upper management of the need for security -- especially integrated security: If management doesn't support your measures, you might as well just take your paycheck and ignore real security. You can't have real security if you just add it AFTER designing and developing your network and applications.
- 6. Forgetting that road warriors WILL use unsecured wireless access points: It doesn't matter what rules you make or how draconian the punishment, road warriors WILL ignore security rules when they feel it hurts their bottom line.
- 7. Not properly managing passwords: Make them long and easy to remember -- initial letters of words in a favorite quotation are often a good choice; final letters of those words are even better.
While we are on the subject of passwords, you need to balance the need to re-enter passwords against the fact that the more often users have to key them in, the simpler the passwords they will pick. Once a day is the minimum, but how about after lunch? Or each time a critical application or database is accessed? The answer is that it depends, and it is up to YOU to decide what it depends on.
Keeping passwords, even strong ones, for too long a time is a major mistake. Not only does this give attackers a lot of time to test your system, but once you're hacked, you'll remain vulnerable for a long time.
- 8. Supplying help desk support without thoroughly authenticating callers: Social engineering is still a serious threat.
- 9. Mistaking obscurity for security: People WILL find that Web page you think is hidden -- even if you don't have a search function. Many search engines let people restrict a search to a specific site or URL.
- 10. Writing down ALL your security measures and failing to properly secure that document: There's nothing like finding a guide to hacking a particular network. While you should write everything down, you have to protect that document better than anything else in your company.
Mistakes 11 through 99 are all the same: "Not being paranoid ENOUGH!"
Perhaps the most important security mistake is the one not on this list -- thinking the list doesn't apply to YOU.
I've left out a few obvious items, such as failure to update security software and not monitoring the need for updates, especially security updates -- I presume we are all professionals here. Obviously, this list will need to be adjusted to fit your specific needs, but if you feel I've missed something completely, please add your suggestions in the comments.