Perimeter

3/29/2012
11:37 AM
50%
50%

Someone Left The Keys In Your Compliance System

Information security is at the mercy of your entire staff's habits

Do your employees leave their car keys in the ignition with the door unlocked? What about leaving their wallets unintended in the cafeteria? Or do they post all of their passwords as Facebook status updates?

Those may seem like outrageous things your staff would never do. Then why is it when we all get to work, it is common to find the organization's important information assets have been left "running with doors unlocked and the keys in the ignition?"

Whether at your business or someone else's, you've all seen the passwords scribbled on Post-It Notes and scraps of paper. Plenty of offices share a common administrative login, and one key on a hook unlocks everything in the office. It makes daily tasks easier to leave things open.

Add to this the social resistance to any increase in security. "You don't trust me! I thought the boss said we were all in this together," is an attitude that will manifest itself as either a loud, vocal protest or a silent, seething resentment.

So if everyone is so trusting of their colleagues, why don't they all leave their keys in their cars and their cash on their desks? I'll tell you why: Their cars and their cash are their personal property; the organization's information and reputation isn't.

Those among your staff trust each other with business assets because it's less effort than treating private information as if it were important personal valuables. "Yes, I know I should be better about security, but I've got all this work to do, and all that security just slows us all down.” In places where security really is overdone (which is a topic for another day), that can be a reasonable point. However, the problem is this excuse is used for almost anything perceived to add even a few seconds to the day's tasks. And, honestly, too many employees don't believe information security is an important part of their routine responsibility.

We may like and trust our colleagues, but even if you have a great team, things change, and people change, too. Desperate times, hidden anger, and other pressures can change someone and urge them to behave in ways that would surprise not only their co-workers, but also themselves. And it only takes one person in a time of weakness or revenge to steal a car or dump private patient data on the Web.

Locking the car and keeping an eye on personal cash does take an extra step. But as it becomes part of our routines, we stop thinking about them much. In the same way, a few extra steps to secure the organization's valuable information become habitual, almost second nature, after they've been repeated several times.

Make it clear to your staff that, like the locks on the car, information security is about keeping the dishonest and unpredictable people out, and the entire company has a part in it. Compliance standards protect a company's staff as much as they protect their companies and their clients; compliance protects their jobs. Once your staff understands this, they are in a mindset to better remember to add a couple of routine, but crucial, tasks to their days -- alongside locking the doors and keeping up with the keys.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within. He is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
6 Reasons Why Employees Violate Security Policies
Ericka Chickowski, Contributing Writer, Dark Reading,  10/16/2018
Getting Up to Speed with "Always-On SSL"
Tim Callan, Senior Fellow, Comodo CA,  10/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: Too funny!
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.