Mobile // Mobile Applications
News
8/17/2011
10:49 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

5 Most-Ignored IT Security Best Practices

More than half of IT departments are failing at basic security measures, with 82% falling short on key practices, a new survey shows. Are you on top of these five issues?

Strategic Security Survey: Global Threat, LocalPain
Strategic Security Survey: Global Threat, Local Pain
(click image for larger view and for full slideshow)
There's nothing simple about enterprise security, but there are plenty of best practices that can keep most businesses safe from the most likely and pervasive threats. Unfortunately, according to a new study from research firm Echelon One and enterprise key and certificate management company Venafi, more than half of all IT departments are failing at some of the most important security practices. Here are the top 5 things your company could probably do better.

1. Rotate SSH Keys Annually

The most startling statistic in the study shows some 82% of IT departments fail to rotate SSH keys every 12 months. Because the average employee turnover rate is about two years, failure to rotate SSH keys at least once a year leaves critical network infrastructure wide open to malicious access from former staffers.

2. Train Users In Best Practices

The most vulnerable element in any network is almost always the human element. You can patch your servers and beef up your firewall 'til the cows come home, but it'll do limited good if your users click on every phishing message that comes their way. Still, according to the Echelon One study, 77% of companies offer no regular security training to their end users. Venafi recommends that IT departments conduct quarterly training for all users, teaching workers to avoid common security threats through established best practices.

"The Venafi/Echelon One IT security research supports everything we've been seeing and warning against," said Stu Sjouwerman, CEO of security training firm KnowBe4, which has conducted similar research into the vulnerability of workers to phishing attacks. "Companies are not investing in Internet security training; and as a result, they're exposing their networks to potential cyber attacks."

3. Encrypt Cloud Data

It sounds like such an obvious blunder, but 64% of IT organizations don't encrypt all of their cloud data and cloud transactions. The reason, according to the study, is that many cloud applications do not encrypt by default. Clearly, most IT pros need to do a better job of checking and managing the security settings on the public cloud services that handle their data.

4. Use Appropriately Strong Encryption Keys

While the Echelon One study found that most businesses do fairly well at enforcing encryption policies generally, it found that the majority of companies do not use appropriately strong encryption keys. According to a February 2011 report from the National Institute of Standards and Technology, 1024-bit encryption keys have depreciated in effectiveness, and 2048-bit encryption should be used for all symmetric keys. Only 44% of IT departments use recommended key strengths, according to the study from Echelon One and Venafi.

5. Have A Plan For Replacing Breached Certificate Authorities

Nearly every business uses digital certificates to authenticate a host of network services, many of which are critical to revenue flow. Digital certificates are vulnerable to fraud, and must be replaced when compromised. Surprisingly, Echelon One said a majority of IT departments--55%--have no management processes in place to ensure business continuity by quickly replacing a compromised certificate and its accompanying encryption keys.

At a full-day virtual event, InformationWeek and Dark Reading editors will talk with security experts about the causes and mistakes that lead to security breaches, both from the technology perspective and from the people perspective. It happens Aug. 25. Register now.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.