5. They Don't Require Complex Passwords
Passwords are the eternal support ticket. If passwords aren't complex enough, they can be cracked quite easily. If they are "too complex", then the helpdesk or support staff is constantly working with users to unlock accounts or reset passwords. Finding the appropriate level of complexity and training users is so basic, yet I often only see complex passwords enforced at large enterprises.
4. They Don't Have Intrusion Detection & Prevention
Stopping a cracking attempt or intrusion before it is successful is far better than discovering it has happened after the fact. Designing, integrating, and using an Intrusion Detection and Intrusion Prevention system properly can stop attacks before they become incidents. Yet I see businesses without IDS, or only with IDS where it suits them.
3. They Don't Use Multi-Factor Authentication
Suppose a criminal shoulder surfs and obtains the password of a user with access to extremely valuable, sensitive data. Wouldn't it be great to know that the password by itself was useless? Two-factor authentication makes that possible. Yes, it's extra work and expense to set up, and requires a bit more training, but once users are used to it, it's second nature.
2. They Don't Encrypt Remote Data
Having to enter a password every time their computer starts up, on top of their system, network, or remote-access password, may seem like a hassle to remote users. The expense and complexity of dongles or keycards may seem like overkill. The extra security layer of an IPSec VPN may seem unneeded if remote applications have some security measures of their own. But encrypting remote communications and remote data is important if your data is important. And it is, isn't it?
1. They Don't Restrict Access Enough
Yes, it's far more work to define access levels, departmental groups, and roles, and to apply security access controls to resources everywhere. And when users change roles, departments, or locations, their group memberships must be changed. But if these security steps are taken, whole categories of problems can be eliminated. Otherwise one disgruntled employee or hacker can cause much larger problems.