Perimeter
3/29/2012
11:37 AM
Connect Directly
RSS
E-Mail
50%
50%

Someone Left The Keys In Your Compliance System

Information security is at the mercy of your entire staff's habits

Do your employees leave their car keys in the ignition with the door unlocked? What about leaving their wallets unintended in the cafeteria? Or do they post all of their passwords as Facebook status updates?

Those may seem like outrageous things your staff would never do. Then why is it when we all get to work, it is common to find the organization's important information assets have been left "running with doors unlocked and the keys in the ignition?"

Whether at your business or someone else's, you've all seen the passwords scribbled on Post-It Notes and scraps of paper. Plenty of offices share a common administrative login, and one key on a hook unlocks everything in the office. It makes daily tasks easier to leave things open.

Add to this the social resistance to any increase in security. "You don't trust me! I thought the boss said we were all in this together," is an attitude that will manifest itself as either a loud, vocal protest or a silent, seething resentment.

So if everyone is so trusting of their colleagues, why don't they all leave their keys in their cars and their cash on their desks? I'll tell you why: Their cars and their cash are their personal property; the organization's information and reputation isn't.

Those among your staff trust each other with business assets because it's less effort than treating private information as if it were important personal valuables. "Yes, I know I should be better about security, but I've got all this work to do, and all that security just slows us all down.” In places where security really is overdone (which is a topic for another day), that can be a reasonable point. However, the problem is this excuse is used for almost anything perceived to add even a few seconds to the day's tasks. And, honestly, too many employees don't believe information security is an important part of their routine responsibility.

We may like and trust our colleagues, but even if you have a great team, things change, and people change, too. Desperate times, hidden anger, and other pressures can change someone and urge them to behave in ways that would surprise not only their co-workers, but also themselves. And it only takes one person in a time of weakness or revenge to steal a car or dump private patient data on the Web.

Locking the car and keeping an eye on personal cash does take an extra step. But as it becomes part of our routines, we stop thinking about them much. In the same way, a few extra steps to secure the organization's valuable information become habitual, almost second nature, after they've been repeated several times.

Make it clear to your staff that, like the locks on the car, information security is about keeping the dishonest and unpredictable people out, and the entire company has a part in it. Compliance standards protect a company's staff as much as they protect their companies and their clients; compliance protects their jobs. Once your staff understands this, they are in a mindset to better remember to add a couple of routine, but crucial, tasks to their days -- alongside locking the doors and keeping up with the keys.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within. He is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2963
Published: 2014-07-10
Multiple cross-site scripting (XSS) vulnerabilities in group/control_panel/manage in Liferay Portal 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE allow remote attackers to inject arbitrary web script or HTML via the (1) _2_firstName, (2) _2_lastName, or (3) _2_middleName parameter.

CVE-2014-3310
Published: 2014-07-10
The File Transfer feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center does not verify that a requested file was an offered file, which allows remote attackers to read arbitrary files via a modified request, aka Bug IDs CSCup62442 and CSCup58463.

CVE-2014-3311
Published: 2014-07-10
Heap-based buffer overflow in the file-sharing feature in WebEx Meetings Client in Cisco WebEx Meetings Server and WebEx Meeting Center allows remote attackers to execute arbitrary code via crafted data, aka Bug IDs CSCup62463 and CSCup58467.

CVE-2014-3315
Published: 2014-07-10
Cross-site scripting (XSS) vulnerability in viewfilecontents.do in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCup76308.

CVE-2014-3316
Published: 2014-07-10
The Multiple Analyzer in the Dialed Number Analyzer (DNA) component in Cisco Unified Communications Manager allows remote authenticated users to bypass intended upload restrictions via a crafted parameter, aka Bug ID CSCup76297.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.