While performing a recent vulnerability assessment, I had an epiphany about security. An IT director I was working with, who came across as well-versed in security, started talking about some of the security basics surrounding passwords and passphrases. We all know the basics drilled into our heads over the years: Be sure to have a minimum of eight characters, make it complex and so on. But I soon realized the gentleman I was speaking with was talking about these concepts as if they were new.
Whether it's a top executive, a data entry clerk or even an IT director, you cannot assume others in your organization know about core security essentials.
Then it hit me. The thing about information security basics we all too often take for granted is that you should never ever assume the people in your organization understand fundamental principles. Whether it's a top executive, a data entry clerk or even an IT director, you cannot assume others in your organization know about core security essentials. You can't even assume people know anything about security at all -- that's what makes information security so difficult. As you gain experience and wisdom during your IT career, it will become clear that security is as much about people and communication as it is about anything technical.
As you go about your daily IT work, keep in mind the following areas where dangerous assumptions can be made about security.
- Passwords -- Contrary to popular belief, length matters. But we need to go way longer in terms of passphrases rather than passwords. Changing passwords every 45 to 60 days can create more problems than it solves when users start writing down their passwords.
- Policies -- Mere documentation is not enough. Policies need to be reasonable, enforceable and, most important, enforced.
- Technologies -- Good technologies can make up for many weaknesses in security leadership and procedures. Unfortunately, too many people don't know this or they rely upon it too much.
- Audits and assessments -- The act of passing an audit or vulnerability assessment doesn't mean you're off the hook. There are risks lurking that have yet to be discovered.
- Lawyers and contracts -- Simply having your lawyer's blessing of a contract or SLA doesn't mean you can't get bitten. You still have breaches (I mean "events") to deal with, and you could very well end up in the headlines.
Just because IT is charged with minimizing information risks -- which is a common but backward approach -- doesn't mean your colleagues and business associates know all there is to know about information security. One slip or one mere assumption in any of the five areas listed above can bring a world of security hurt to you and your organization.
It's also important to never assume others will know the right thing to do with their computers and sensitive information. There's a phenomenon called "bystander apathy" that you should consider. Much to our chagrin, many people would rather not think about IT and security at all. People will come and go in your organization. People will also forget basic security principles you talk about. Because it isn't in their job descriptions, many people in your organization don't focus on IT and security all the time like you do.
To combat the general lack of understanding about information security basics in your organization, don't worry about coming across like a broken record. Continue to repeat and discuss the security basics you assume others know about because it's entirely possible they do not. Get people on board with following your organization's basic security policies, and keep them as interested as you can. You also have to keep the security dialogue going because security is not a one-time conversation. By taking these simple actions, you can have a tremendous impact on your organization's security with relatively minimal effort. As the grand law of security goes, it's better to be safe than sorry.
About the author:
Kevin Beaver has worked for himself for more than 11 years as an information security consultant, expert witness and professional speaker with Atlanta-based Principle Logic LLC. He specializes in performing independent security assessments revolving around information risk management and is the author and co-author of many books, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking for Dummies.