10 Stupid Moves That Threaten Your Company's Security - InformationWeek

1/25/2016
07:06 AM
Dawn Kawamoto

10 Stupid Moves That Threaten Your Company's Security

As you walk through the door of your company each morning, you are potentially poised to be the weakest link in your organization's defense against hackers and malicious attackers. Here are the 10 boneheaded moves you make -- often without realizing the security risk.
2 of 11

Lazy Encryption
Although companies may encrypt their corporate financial information or valuable intellectual property, it doesn't do any good if the employee who is accessing the encrypted information forgets to return the device to a state where you have to enter the code when they step away from the computer or smartphone. "I was in Starbucks and a guy had his financial spreadsheet on his laptop, but left his computer on the table while he got his coffee. I see this happen often," Wisniewski said. "In order for encryption to be useful, you have to lock your screen...I think people think encryption is magic and their device is protected all the time."

Surprisingly, 30% of the 1,700 IT decision makers who were polled in a recent Sophos survey indicated their organization failed to always encrypt their corporate financial information, and 41% said they only occasionally encrypted files filled with valuable intellectual property.

(Image: Tony Webster via Flickr)

Comments
Joe Stanganelli,
User Rank: Author
1/31/2016 | 10:34:34 AM
Re: Even Password Management tools can cause problems.
Indeed, after hearing that statistic several years ago, I started paying more attention to my zippers.

Sure enough, they all say "YKK" on them.
Joe Stanganelli,
User Rank: Author
1/30/2016 | 11:49:47 AM
Re: Even Password Management tools can cause problems.
@TerryB: Incidentally, I was under the impression that YKK manufactured something like 97% of the world's zippers.  Is that figure wrong/no longer correct?
Joe Stanganelli,
User Rank: Author
1/30/2016 | 11:03:37 AM
Re: Even Password Management tools can cause problems.
@TerryB: Your tale/experiences remind me of an incident a few years ago when some disgruntled (possibly former...I don't quite recall) Coca-Cola employees stole and offered to sell the secret Coca-Cola recipe to Pepsi.

Pepsi played along -- while immediately contacting Coca-Cola and the FBI.  They all set up a sting to catch and arrest the Coca-Cola IP thieves.

And, of course, it wouldn't really have benefited Pepsi to take the deal in the first place.  There's a terrific economic analysis on why Pepsi buying and somehow leveraging Coca-Cola's formula would have only hurt both companies in the long run -- driving them to RTTB brinksmanship.  The blogger explains it better than I can, and his piece can be read here: freakonomics.com/2006/07/07/how-much-would-pepsi-pay-to-get-cokes-secret-formula/
Joe Stanganelli,
User Rank: Author
1/29/2016 | 8:52:24 AM
Re: Most Overlooked Security Flaw
GaryS: Additionally, many organizations fail to properly and completely destroy data.  "Delete" -- or even reformatting -- does not eliminate all data.  While there are more effective ways to do it "in software", complete physical destruction of the drives is usually the best (and often the only) way.
Joe Stanganelli,
User Rank: Author
1/28/2016 | 12:37:51 PM
Re: Even Password Management tools can cause problems.
@nomil: Ah, see, I'm not an experienced black-hatter, so I don't know these things.  ;)
Joe Stanganelli,
User Rank: Author
1/28/2016 | 12:36:48 PM
Re: Backup
The important thing about encryption that a lot of laypeople (and even non-laypeople) forget is that if an attacker is successfully able to compromise and/or spoof authentication, then the encryption does no good; it's already unlocked.

Thus the need for multiple layers of security as opposed to M&M security (hard on the outside, soft in the middle).
Joe Stanganelli,
User Rank: Author
1/27/2016 | 7:44:59 PM
Re: Even Password Management tools can cause problems.
But, for sake of argument, could an IP thief not just sell the information for $500k to a competitor with the necessary infrastructure to make that $5mil. in profit no sweat?
Joe Stanganelli,
User Rank: Author
1/27/2016 | 7:43:02 PM
Re: Even Password Management tools can cause problems.
> "So I cycle a base password from 1 to 32 and then reuse again. What else are you going to do?"

Have a more reasonable password policy and more reasonable IT department as a whole?  ;)
Joe Stanganelli,
User Rank: Author
1/26/2016 | 11:26:29 AM
Re: Even Password Management tools can cause problems.
It is axiomatic that if your security interferes too much with your accessibility (i.e., your ability to "just make it work"), then your users/employees will resent your security measures and try to undermine it and find ways around it.

Good security isn't just having a big lock.  It's also having a lock that people WANT to use and WILL use.  The lock does no good if it's so burdensome to use that people would rather just leave it unused and collecting dust.

Case in point: Policies that make you change your password every three months (if not more frequently).  This is how you get passwords like "mypassword1" "mypassword2" "mypassword3" and so on.
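One defender-side control against the "mypassword1", "mypassword2" pattern described in the comment above, as an added example that is not part of the original article or thread: a password-change check that rejects a new password when it is only a counter increment or near-copy of a recent one. The similarity threshold and history depth are assumed values, and the check runs at change time, when the old password is still available in cleartext.

```python
from __future__ import annotations

import re
from difflib import SequenceMatcher

# Assumed policy constants (not from the page): how close is "too close",
# and how many previous passwords a new one is compared against.
MAX_SIMILARITY = 0.8
HISTORY_DEPTH = 5

_TRAILING_DIGITS = re.compile(r"\d+$")


def _stem(password: str) -> str:
    """Strip a trailing run of digits so 'mypassword2' and 'mypassword3' share a stem."""
    return _TRAILING_DIGITS.sub("", password).lower()


def is_trivial_variant(new_pw: str, old_pw: str) -> bool:
    """True when new_pw is a counter increment, reversal or near-copy of old_pw."""
    new_l, old_l = new_pw.lower(), old_pw.lower()
    if new_l == old_l or new_l == old_l[::-1]:
        return True
    # Same stem, only the numeric suffix changed: mypassword1 -> mypassword2.
    # An empty stem (all-digit passwords) is left to the similarity test below.
    if _stem(new_pw) and _stem(new_pw) == _stem(old_pw):
        return True
    # Generic closeness: one or two characters edited, appended or removed.
    return SequenceMatcher(None, new_l, old_l).ratio() >= MAX_SIMILARITY


def check_password_change(new_pw: str, history: list[str]) -> tuple[bool, str]:
    """Accept or reject a change against the user's most recent passwords."""
    for old_pw in history[-HISTORY_DEPTH:]:
        if is_trivial_variant(new_pw, old_pw):
            return False, "new password is a trivial variant of a recent password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample history for demonstration.
    recent = ["mypassword1", "mypassword2", "mypassword3"]
    print(check_password_change("mypassword4", recent))
    print(check_password_change("correct-horse-battery", recent))
```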
Joe Stanganelli,
User Rank: Author
1/26/2016 | 11:23:38 AM
Backup
Another issue with lazy encryption is failing to encrypt backup systems.  This was one of the big facepalms from the Adobe hack of a couple of years ago, when the operational systems were properly encrypted but the backup systems were not.