Perimeter

3/29/2012
11:37 AM
50%
50%

Someone Left The Keys In Your Compliance System

Information security is at the mercy of your entire staff's habits

Do your employees leave their car keys in the ignition with the door unlocked? What about leaving their wallets unintended in the cafeteria? Or do they post all of their passwords as Facebook status updates?

Those may seem like outrageous things your staff would never do. Then why is it when we all get to work, it is common to find the organization's important information assets have been left "running with doors unlocked and the keys in the ignition?"

Whether at your business or someone else's, you've all seen the passwords scribbled on Post-It Notes and scraps of paper. Plenty of offices share a common administrative login, and one key on a hook unlocks everything in the office. It makes daily tasks easier to leave things open.

Add to this the social resistance to any increase in security. "You don't trust me! I thought the boss said we were all in this together," is an attitude that will manifest itself as either a loud, vocal protest or a silent, seething resentment.

So if everyone is so trusting of their colleagues, why don't they all leave their keys in their cars and their cash on their desks? I'll tell you why: Their cars and their cash are their personal property; the organization's information and reputation isn't.

Those among your staff trust each other with business assets because it's less effort than treating private information as if it were important personal valuables. "Yes, I know I should be better about security, but I've got all this work to do, and all that security just slows us all down.” In places where security really is overdone (which is a topic for another day), that can be a reasonable point. However, the problem is this excuse is used for almost anything perceived to add even a few seconds to the day's tasks. And, honestly, too many employees don't believe information security is an important part of their routine responsibility.

We may like and trust our colleagues, but even if you have a great team, things change, and people change, too. Desperate times, hidden anger, and other pressures can change someone and urge them to behave in ways that would surprise not only their co-workers, but also themselves. And it only takes one person in a time of weakness or revenge to steal a car or dump private patient data on the Web.

Locking the car and keeping an eye on personal cash does take an extra step. But as it becomes part of our routines, we stop thinking about them much. In the same way, a few extra steps to secure the organization's valuable information become habitual, almost second nature, after they've been repeated several times.

Make it clear to your staff that, like the locks on the car, information security is about keeping the dishonest and unpredictable people out, and the entire company has a part in it. Compliance standards protect a company's staff as much as they protect their companies and their clients; compliance protects their jobs. Once your staff understands this, they are in a mindset to better remember to add a couple of routine, but crucial, tasks to their days -- alongside locking the doors and keeping up with the keys.

Glenn S. Phillips, the president of Forte' Incorporated, works with business leaders who want to leverage technology and understand risks within. He is the author of the book Nerd-to-English and you can find him on twitter at @NerdToEnglish.

Glenn works with business leaders who want to leverage technology and understand the often hidden risks awaiting them. The Founder and Sr. Consultant of Forte' Incorporated, Glenn and his team work with business leaders to support growth, increase profits, and address ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6499
PUBLISHED: 2019-01-21
Teradata Viewpoint before 14.0 and 16.20.00.02-b80 contains a hardcoded password of TDv1i2e3w4 for the viewpoint database account (in viewpoint-portal\conf\server.xml) that could potentially be exploited by malicious users to compromise the affected system.
CVE-2019-6500
PUBLISHED: 2019-01-21
In Axway File Transfer Direct 2.7.1, an unauthenticated Directory Traversal vulnerability can be exploited by issuing a specially crafted HTTP GET request with %2e instead of '.' characters, as demonstrated by an initial /h2hdocumentation//%2e%2e/ substring.
CVE-2019-6498
PUBLISHED: 2019-01-21
GattLib 0.2 has a stack-based buffer over-read in gattlib_connect in dbus/gattlib.c because strncpy is misused.
CVE-2019-6497
PUBLISHED: 2019-01-20
Hotels_Server through 2018-11-05 has SQL Injection via the controller/fetchpwd.php username parameter.
CVE-2018-18908
PUBLISHED: 2019-01-20
The Sky Go Desktop application 1.0.19-1 through 1.0.23-1 for Windows performs several requests over cleartext HTTP. This makes the data submitted in these requests prone to Man in The Middle (MiTM) attacks, whereby an attacker would be able to obtain the data sent in these requests. Some of the requ...