Perimeter

3/29/2012
11:37 AM
50%
50%

Someone Left The Keys In Your Compliance System

Information security is at the mercy of your entire staff's habits

Do your employees leave their car keys in the ignition with the door unlocked? What about leaving their wallets unintended in the cafeteria? Or do they post all of their passwords as Facebook status updates?

Those may seem like outrageous things your staff would never do. Then why is it when we all get to work, it is common to find the organization's important information assets have been left "running with doors unlocked and the keys in the ignition?"

Whether at your business or someone else's, you've all seen the passwords scribbled on Post-It Notes and scraps of paper. Plenty of offices share a common administrative login, and one key on a hook unlocks everything in the office. It makes daily tasks easier to leave things open.

Add to this the social resistance to any increase in security. "You don't trust me! I thought the boss said we were all in this together," is an attitude that will manifest itself as either a loud, vocal protest or a silent, seething resentment.

So if everyone is so trusting of their colleagues, why don't they all leave their keys in their cars and their cash on their desks? I'll tell you why: Their cars and their cash are their personal property; the organization's information and reputation isn't.

Those among your staff trust each other with business assets because it's less effort than treating private information as if it were important personal valuables. "Yes, I know I should be better about security, but I've got all this work to do, and all that security just slows us all down.” In places where security really is overdone (which is a topic for another day), that can be a reasonable point. However, the problem is this excuse is used for almost anything perceived to add even a few seconds to the day's tasks. And, honestly, too many employees don't believe information security is an important part of their routine responsibility.

We may like and trust our colleagues, but even if you have a great team, things change, and people change, too. Desperate times, hidden anger, and other pressures can change someone and urge them to behave in ways that would surprise not only their co-workers, but also themselves. And it only takes one person in a time of weakness or revenge to steal a car or dump private patient data on the Web.

Locking the car and keeping an eye on personal cash does take an extra step. But as it becomes part of our routines, we stop thinking about them much. In the same way, a few extra steps to secure the organization's valuable information become habitual, almost second nature, after they've been repeated several times.

Make it clear to your staff that, like the locks on the car, information security is about keeping the dishonest and unpredictable people out, and the entire company has a part in it. Compliance standards protect a company's staff as much as they protect their companies and their clients; compliance protects their jobs. Once your staff understands this, they are in a mindset to better remember to add a couple of routine, but crucial, tasks to their days -- alongside locking the doors and keeping up with the keys.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within. He is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.
CVE-2018-20154
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated users to discover all subscriber e-mail addresses.
CVE-2018-20155
PUBLISHED: 2018-12-14
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated subscriber users to bypass intended access restrictions on changes to plugin settings.