10 Stupid Moves That Threaten Your Company's Security - InformationWeek

IT Leadership | News | Slideshows
1/25/2016 07:06 AM
Dawn Kawamoto

As you walk through the door of your company each morning, you are potentially poised to be the weakest link in your organization's defense against hackers and malicious attackers. Here are the 10 boneheaded moves you make -- often without realizing the security risk.

(Image: alengo/iStockphoto)

Despite companies spending billions of dollars on information security technology, it turns out that the greatest threat to their security may be you -- their clueless employee.

Granted, employees' intentions are not always meant to be malicious, but, rather, it's often a case of boneheaded maneuvers, say security experts.

And employees, as a collective group, account for a wide swath of the confidential data loss at companies, according to a recent study. Of the 5,564 IT professionals queried in the Global IT Security Risks Survey by Kaspersky Lab and B2B International, 73% were affected by internal security incidents. It turns out that employees were the largest single group that created this confidential data loss, accounting for 42% of the incidents.

"It is staggering how often this happens," said Andrey Pozhogin, senior product marketing manager from Kaspersky, in reference to the frequency of employees creating this data loss.

Rob Sadowski, technology solutions director at RSA, the security division of storage titan EMC, noted, "End users are the front line of defense. The first stage of an attack is to gain a foothold in the organization. It's not to circumvent (the security system in place) but to gain access… Once access is gained, then the attack begins and it's off to the races and the threat spiders out."

And what are companies doing to educate their employees on security issues, given that they are the first line of defense? An estimated 75% of companies with more than 100 employees have some sort of training, said Chester Wisniewski, a senior security advisor at security firm Sophos. That training can range from selecting a complex password to an awareness of phishing attacks, in which an attacker tries to lure a user into clicking a link to a malicious website or downloading an attachment loaded with nefarious code, such as software that logs the user's keystrokes.

Wisniewski added that, generally, the larger the company, the more extensive the training program. He added that the industry a company is in also makes a difference, noting that even small companies in the tech sector usually have some form of security training.

That said, however, Wisniewski noted, "A lawyer, an accountant, or someone in marketing will...never be computer nerds." As a result, here are 10 boneheaded moves to avoid to reduce your chances of becoming the weakest security link at your company. Are you guilty of any of these missteps? Did we leave any out? What are you doing at your company to minimize potential security risks? Let us know in the comments.

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ...

Comments
Joe Stanganelli (User Rank: Author), 1/26/2016 | 11:23:38 AM
Backup
Another issue with lazy encryption is failing to encrypt backup systems.  This was one of the big facepalms from the Adobe hack of a couple of years ago, when the operational systems were properly encrypted but the backup systems were not.
Joe Stanganelli (User Rank: Author), 1/26/2016 | 11:26:29 AM
Re: Even Password Management tools can cause problems.
It is axiomatic that if your security interferes too much with your accessibility (i.e., your ability to "just make it work"), then your users/employees will resent your security measures and try to undermine it and find ways around it.

Good security isn't just having a big lock.  It's also having a lock that people WANT to use and WILL use.  The lock does no good if it's so burdensome to use that people would rather just leave it unused and collecting dust.

Case in point: Policies that make you change your password every three months (if not more frequently).  This is how you get passwords like "mypassword1" "mypassword2" "mypassword3" and so on.
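One way a password-change endpoint can refuse the "mypassword1", "mypassword2" rotation pattern described in this comment, as an added example that is not part of the original post or any vendor product: at change time the user supplies both the current and the proposed password, so the service can compare them before storing the new hash. The function names, the trailing-counter heuristic, the edit-distance threshold of two, the salt and the sample history are all constructed for this example; PBKDF2 is used only because it ships with the standard library, a deployment would use a purpose-built password hash such as Argon2 or bcrypt.

```python
"""Reject password changes that are trivial rotations of the current password.

Added example (hypothetical policy check, not from the article): run it at the
moment the user supplies both the old and the new password.
"""
import hashlib
import hmac
import re
from typing import List, Tuple

# The part users bump on each forced rotation: an optional separator, a run of
# digits and optional trailing punctuation, e.g. "mypassword1", "Summer-2015!".
_SUFFIX_RE = re.compile(r"[-_.]?\d*[!@#$%^&*]*$")

# Constructed salt and history for the example; a real service stores one
# random salt per history entry and never keeps the plaintext.
SAMPLE_SALT = b"constructed-salt-not-for-production"


def _normalized_base(pw: str) -> str:
    """Strip the trailing counter and ignore case so 'mypassword2' and 'MyPassword3' compare equal."""
    return _SUFFIX_RE.sub("", pw).casefold()


def _levenshtein(a: str, b: str) -> int:
    """Edit distance: catches single-character tweaks such as 'o' -> '0'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def hash_password(pw: str, salt: bytes) -> bytes:
    """Standard-library stand-in for a real password hash (use Argon2/bcrypt in production)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def check_password_change(old: str, new: str,
                          history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the policy violations for a proposed change; an empty list means accepted."""
    reasons = []
    if new == old:
        reasons.append("new password is identical to the current one")
    elif _normalized_base(old) == _normalized_base(new):
        reasons.append("new password only changes the trailing counter")
    elif _levenshtein(old.casefold(), new.casefold()) <= 2:
        reasons.append("new password differs from the current one by two characters or fewer")
    # Exact reuse of an earlier password is detectable from stored hashes alone.
    for salt, digest in history:
        if hmac.compare_digest(hash_password(new, salt), digest):
            reasons.append("new password was used previously")
            break
    return reasons


# Constructed history: the user's previous password, kept only as salt + digest.
SAMPLE_HISTORY = [(SAMPLE_SALT, hash_password("mypassword1", SAMPLE_SALT))]

if __name__ == "__main__":
    for old, new in [("mypassword1", "mypassword2"),
                     ("mypassword1", "mypassw0rd1"),
                     ("mypassword2", "mypassword1"),
                     ("mypassword1", "Tr0ub4dor&3")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new, SAMPLE_HISTORY) or 'accepted'}")
```

The trailing-counter rule and the edit-distance rule only work while the old password is in hand, which is why the check belongs in the change flow rather than in a batch job over stored hashes; the history comparison is the only part that can run from hashes alone, and it catches exact reuse only.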
Joe Stanganelli (User Rank: Author), 1/27/2016 | 7:43:02 PM
Re: Even Password Management tools can cause problems.
> "So I cycle a base password from 1 to 32 and then reuse again. What else are you going to do?"

Have a more reasonable password policy and more reasonable IT department as a whole?  ;)
Joe Stanganelli (User Rank: Author), 1/27/2016 | 7:44:59 PM
Re: Even Password Management tools can cause problems.
But, for the sake of argument, could an IP thief not just sell the information for $500k to a competitor with the necessary infrastructure to make that $5mil. in profit no sweat?
Joe Stanganelli (User Rank: Author), 1/28/2016 | 12:36:48 PM
Re: Backup
The important thing about encryption that a lot of laypeople (and even non-laypeople) forget is that if an attacker is successfully able to compromise and/or spoof authentication, then the encryption does no good; it's already unlocked.

Thus the need for multiple layers of security as opposed to M&M security (hard on the outside, soft in the middle).
Joe Stanganelli (User Rank: Author), 1/28/2016 | 12:37:51 PM
Re: Even Password Management tools can cause problems.
@nomil: Ah, see, I'm not an experienced black-hatter, so I don't know these things.  ;)
Joe Stanganelli (User Rank: Author), 1/29/2016 | 8:52:24 AM
Re: Most Overlooked Security Flaw
GaryS: Additionally, many organizations fail to properly and completely destroy data.  "Delete" -- or even reformatting -- does not eliminate all data.  While there are more effective ways to do it "in software", complete physical destruction of the drives is usually the best (and often the only) way.
Joe Stanganelli (User Rank: Author), 1/30/2016 | 11:03:37 AM
Re: Even Password Management tools can cause problems.
@TerryB: Your tale/experiences remind me of an incident a few years ago when some disgruntled (possibly former...I don't quite recall) Coca-Cola employees stole and offered to sell the secret Coca-Cola recipe to Pepsi.

Pepsi played along -- while immediately contacting Coca-Cola and the FBI.  They all set up a sting to catch and arrest the Coca-Cola IP thieves.

And, of course, it wouldn't really have benefited Pepsi to take the deal in the first place.  There's a terrific economic analysis on why Pepsi buying and somehow leveraging Coca-Cola's formula would have only hurt both companies in the long run -- driving them to RTTB brinksmanship.  The blogger explains it better than I can, and his piece can be read here: freakonomics.com/2006/07/07/how-much-would-pepsi-pay-to-get-cokes-secret-formula/
Joe Stanganelli (User Rank: Author), 1/30/2016 | 11:49:47 AM
Re: Even Password Management tools can cause problems.
@TerryB: Incidentally, I was under the impression that YKK manufactured something like 97% of the world's zippers.  Is that figure wrong/no longer correct?
Joe Stanganelli (User Rank: Author), 1/31/2016 | 10:34:34 AM
Re: Even Password Management tools can cause problems.
Indeed, after hearing that statistic several years ago, I started paying more attention to my zippers.

Sure enough, they all say "YKK" on them.