People fence their houses, buy cars with airbags and install smoke alarms in their homes. But ask them to protect their company's most valuable asset - its data - and you would think the word security is new to them or erased from their vocabulary.
For some unclear reason, people are more careless with data protection than any other thing of value in their lives. Some of the more common errors that people - including IT professionals - commit when it comes to data protection include:
1. The Post-it Note. Yes, those sticky yellow things. Up to 20% of users leave their passwords where they - and everyone else - can see them: stuck to the front of their monitors in their offices. The more passwords required to access different systems, the higher the possibility the Post-it Note will be used.
2. We know better. You may think certain security measures are necessary, but not all end-users in a company agree. People turn things like anti-virus software off, thinking it slows down their machine. The challenge to the Information Security Officer is to educate users to be security-aware.
3. Leaving the machine on, unattended. IT managers are perpetually amazed at the number of users who leave their machines on and walk away. Who needs a password? A simple mechanism such as an automatic log-out screen saver could minimise the risk, but is seldom used.
4. Opening e-mail attachments (remember the Love Bug virus?) from mere acquaintances or even strangers. This one can drive IT managers nuts. A simple e-mail security policy would empower the security administrator to stop dangerous attachment types at the virus/content scanning level.
5. Poor password selection. If there is a bugbear among security experts, it is poorly chosen passwords. Try taking a common phrase and using its initials for a password. For example: 'When two worlds drift apart' becomes 'w2wda'. That is a more difficult password to break because it is a combination of letters and numbers.
6. Loose tongues. People often talk in public places about things they should not. They will say at a bar, 'I changed my password and added the number 2,' and someone sitting close by hears this. Some things you just should not talk about outside the office.
7. Laptops have legs. Everyone knows how common it is for laptops to be stolen in public places, but it is just as common for people to leave their laptops in their offices, unsecured and unattended, and in full view. Users should place their laptop securely out of sight, such as in a locked desk drawer.
8. Poorly enforced security policies. The best-designed security plans and mechanisms are useless if IT fails to rigorously enforce them. Security policies must be merged with daily operational procedures.
9. In-house issues. Your biggest threat is from in-house. Disgruntled employees can cause enormous problems if they are not properly monitored. Proper security policies are vital to control employee actions and back up any possible legal action.
10. Being slow to update security information. Service packs are often not kept up-to-date, which creates a window of opportunity for hackers. Consider outsourcing this function, as the time, effort and risk of trying to stay up to date in-house are rarely worth the cost.
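The attachment-type blocking described in item 4, sketched as an added example that is not part of the original article: a Python check that reads a raw message, normalises each attachment name and blocks executable extensions, including ones hidden behind a harmless-looking first extension. The blocklist, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed blocklist for illustration; a real policy is site-specific.
BLOCKED = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta",
           ".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

def attachment_verdicts(raw_message: bytes):
    """Return (normalised filename, verdict) for each named MIME part."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    verdicts = []
    for part in msg.walk():  # walk() also reaches nested multiparts
        name = part.get_filename()
        if name is None:  # containers and the body text have no filename
            continue
        # Windows ignores trailing dots and spaces, so drop them first;
        # compare in lower case so "ScR" and "scr" are treated alike.
        cleaned = name.strip().rstrip(". ").lower()
        stem, dot, ext = cleaned.rpartition(".")
        if dot and "." + ext in BLOCKED:
            # "name.txt.vbs" shows as "name.txt" when extensions are hidden.
            verdict = "block (double extension)" if "." in stem else "block"
        else:
            verdict = "allow"
        verdicts.append((cleaned, verdict))
    return verdicts

def build_sample() -> bytes:
    """Constructed sample message; the attachment bodies are inert placeholders."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Constructed sample"
    msg.set_content("Please see the attached files.")
    for filename in ("LOVE-LETTER-FOR-YOU.TXT.vbs", "minutes.pdf", "setup.exe."):
        msg.add_attachment(b"placeholder bytes", maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in attachment_verdicts(build_sample()):
        print(f"{verdict:26} {name}")
```

A filename check like this is only the first layer of such a policy: it does not inspect file content, so a scanner would pair it with content-type and signature checks.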
Companies must determine their data protection needs by profiling their risks before they go and buy more sophisticated security tools. While security holes account for most successful break-ins, it is critical that the 'people-factor' be monitored as well.
For details contact Gerrie Venter of Nanoteq on tel: (012) 672 7000, fax: (012) 665 1343 or e-mail: firstname.lastname@example.org