Despite all the attention you have to give to phishing and spyware, security leaders can't lose sight of all the mundane, but critical, security requirements, says columnist Wayne Rash.
Just about anywhere you look these days, including in this column, you’ll find lots of information about the threat of the moment, including spyware, phishing, a worm, or whatever. And while it’s important you know about these things that can burn you, what’s really important is keeping your eye on your overall security practices, and not getting distracted by the continual hype.
That sound advice, and more, comes out of a new survey released by authentication software provider TriCipher, Inc. The survey showed, among other things, that security managers are dealing with the same worries that have been on their collective plates for some time: managing passwords, dealing with remote access, and getting enough budget support to pay for the requirements they're expected to meet.
The survey also shows that managers at most companies are more worried about the potential loss of reputation that comes from a security leak than they are about the impact on their customers, or the more recent--but still very real--possibility that they or their bosses could face criminal charges or even have their companies shut down because of a security failure.
The survey isn't a scientific study: it was Web based, and the respondents were TriCipher customers and prospective customers. Even so, the company believes it reflects reality.
“The results are consistent with an earlier survey,” said Sally Sheward, VP of product marketing and business development for TriCipher. Sheward notes it’s really the day-to-day issues that continue to plague security managers. “Forty-four percent said that password-related vulnerabilities were their biggest problem,” she said. “Companies know passwords aren’t working,” she added, explaining that cost constraints prevent many enterprises from moving to something better.
Security managers are also worried about vulnerabilities created by remote employees and business partners. On one hand, they know that their companies have to provide some means of access so that employees who are on travel or work in off-site locations can do their work. On the other, they worry that those remote employees will be using computers that carry viruses or other malicious software that could be introduced to their networks. They worry about the same thing with their business partners who must have access to some parts of their networks to streamline buying and selling.
But oddly enough, most security managers aren’t too worried about their customers.
“Only five percent said that consumer authentication was an issue,” Sheward said. “It’s not an area where they see a lot of problems.” Sheward also related that respondents are not worried about phishers breaking into the network. “Most phishing attacks have been from larger banks and institutions,” she said. “The actual direct financial losses are not huge. They may get there, but they’re not huge yet.”
Sheward noted that most security managers do realize that adopting good security practices will reduce or eliminate most external security threats. The single most important step Sheward suggests is that companies require employees to use a computer provisioned by the company to access the network.
Such a requirement has two benefits. The first is that it ensures the employee has the tools they need to operate securely. For example, your company can install an authentication system as well as other tools, including anti-virus software. You can also install and require the use of an endpoint security package such as Sygate Secure Enterprise, which acts as a strong personal firewall and a secure VPN and enforces your security standards. TriCipher's solution, meanwhile, ties the login to the company-provisioned computer by storing part of the authentication key on that machine; a password alone, entered from anywhere else, is not enough.
The second benefit is that the practice keeps employees from reaching the network from their teenager’s malware-ridden computer, or from insecure sites such as airport kiosks. It also makes unauthorized access much harder, whether the attempt comes from hackers, competitors, spyware or phishers, or simply from users who don’t want to follow the rules: a phished or guessed password is useless without the key material that lives only on the provisioned machine. The caveat is that the provisioned machine itself now holds that key material, so it has to be kept clean; malware running on the company laptop is inside the protection, not outside it.
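To make the split-key idea concrete, here is an added example; it is not TriCipher's product code or protocol, which the column does not detail. It shows a challenge-response login in which the client's signing key is derived from both the user's password and a secret that exists only on the provisioned machine, so a password stolen by phishing does not work from another computer. The PBKDF2/HMAC construction, the class and function names, and the sample password are all assumptions made for illustration.

```python
# Added illustration of device-bound ("split key") authentication.
# Not TriCipher's scheme: it assumes a symmetric challenge-response
# protocol whose client key is derived from BOTH a password and a
# secret stored only on the company-provisioned machine.
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune for your hardware


def derive_auth_key(password: bytes, device_secret: bytes, salt: bytes) -> bytes:
    """Combine the user's password with the device-held secret.

    The password half is stretched with PBKDF2 so an offline guess is
    expensive; the device half is mixed in with HMAC so that neither
    half alone reproduces the key.
    """
    password_part = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return hmac.new(device_secret, password_part, hashlib.sha256).digest()


class ProvisionedMachine:
    """The company laptop: holds a device secret that never leaves it."""

    def __init__(self) -> None:
        self.device_secret = secrets.token_bytes(32)

    def respond(self, password: bytes, salt: bytes, nonce: bytes) -> bytes:
        """Answer the server's challenge with HMAC(derived key, nonce)."""
        key = derive_auth_key(password, self.device_secret, salt)
        return hmac.new(key, nonce, hashlib.sha256).digest()


class AuthServer:
    """Stores, per user, the salt and the derived key (a shared secret)."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def register(self, user: str, salt: bytes, derived_key: bytes) -> None:
        self._users[user] = (salt, derived_key)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh nonce per login attempt

    def verify(self, user: str, nonce: bytes, response: bytes) -> bool:
        if user not in self._users:
            return False
        _, key = self._users[user]
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def enroll(server: AuthServer, user: str, password: bytes,
           machine: ProvisionedMachine) -> bytes:
    """Enrollment happens on the machine; only the derived key is sent."""
    salt = secrets.token_bytes(16)
    server.register(user, salt, derive_auth_key(password, machine.device_secret, salt))
    return salt  # the salt is not secret; the client keeps a copy


def login(server: AuthServer, user: str, password: bytes, salt: bytes,
          machine: ProvisionedMachine) -> bool:
    nonce = server.new_challenge()
    return server.verify(user, nonce, machine.respond(password, salt, nonce))


def demo() -> dict[str, bool]:
    """Three scenarios: the company laptop, a phished password used from
    another PC, and a mistyped password on the company laptop."""
    server = AuthServer()
    laptop = ProvisionedMachine()
    password = b"correct horse battery staple"  # constructed sample password
    salt = enroll(server, "alice", password, laptop)

    other_pc = ProvisionedMachine()  # e.g. the teenager's machine
    return {
        "company_laptop": login(server, "alice", password, salt, laptop),
        "phished_password_other_pc": login(server, "alice", password, salt, other_pc),
        "wrong_password_company_laptop": login(server, "alice", b"wrong", salt, laptop),
    }


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {'accepted' if ok else 'rejected'}")
```

Two design points worth noting. The server holds the derived key, so a server compromise exposes it; a production design would use an asymmetric split (the device and password halves together form a private key, and the server keeps only the public half) so that nothing on the server can be replayed. And the device secret should sit somewhere the user cannot casually copy to a USB stick, such as a TPM or an OS-protected key store, otherwise the "provisioned machine" requirement is only as strong as the file permissions on that secret.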
But there are other things you should also be doing to make sure the basics are covered. Those include periodic audits of your security practices and of the enterprise as a whole. You likely need to prove you’ve complied with the security requirements of Sarbanes-Oxley and HIPAA, and with the data security standards of Visa, MasterCard and American Express.
While those concerns weren’t mentioned in the survey, they are very real emerging requirements, and perhaps more important to you than the others. Fail to comply with SOX, for example, and your executives could face criminal charges. Fail to comply with the requirements of the credit card companies, and you could lose some big business, as CardSystems discovered in July when Visa and American Express ended their business relationship with the payment processor, saying it had failed to comply with their security standards.
And, of course, there’s also the challenge of making sure that your security practices are not only effective and compliant, but also something your users will actually use.
Password requirements that are too onerous, for example, will result in passwords being written down and stuck to monitors or desktops. Remote access controls that are difficult to use will mean that employees are wasting time getting through the security provisions instead of working.
And, of course, security products that don’t work the way your company works will force your employees to change how they work. That happened recently when some instant messaging software stopped working with a popular personal firewall after the firewall was updated. Companies that rely on instant messaging for its efficiency could find themselves suddenly without that medium.
What this all means is that while it may be 'boring,' the basics of good security are necessary. Rather than seeking out yet another anti-spyware package, why not first make sure your firewall and endpoint controls already block the traffic spyware depends on? Why not just make sure that your employees are using properly provisioned and secure computers? Making things harder than they need to be is also a security threat, after all, because users route around controls they find painful. Fortunately, the means to have both security and ease of use do exist, provided you pay attention to the basics.
Wayne Rash is a writer based near Washington, DC. He was one of the first to create secure networks for the military and for other government organizations, and he has written about security for over twenty years. He writes this column for Security Pipeline.