This may just be old news to you, nothing special, but it is so important that I need to talk about it. So for those people who ask themselves why security is so darn important, we can give them an answer.

Security is super important because of all the problems that can occur if you don’t take security seriously. We would love to live in a world where everyone did the right thing, everyone was nice, no one was mean or malicious.  Sadly that is not the world we live in so we need to take security seriously to protect ourselves from those bad malicious people who want to steal our identity, our money, our information, or just do us harm in some way.

When you think of security outside of an IT role, you think locks, keys, doors, fences, and guards. Those are all important aspects of security, including IT security, but most people don't think of IT security in the way they should because it is a little more complicated than physical security. Physical security is one very small but important part of IT security as a whole. The other thing about IT security is that it changes so much. It is constantly moving and evolving, and the bad people are constantly coming up with new ways to take your money or your intellectual property. So staying up to date with security is a very important aspect for any IT professional because they need to understand what they are up against. Knowing what you are up against will allow you to better protect yourself and your company.

I think it is very important for an IT professional to stay up to date on security information. This includes blogs, magazines, and websites. Anything you can do to stay up to date with security is a great thing to do. There are a lot of sites out there that really help keep this information in the forefront. They will provide you a lot of information to help keep you and your company secure.

Identity Theft and Brand Disruption

One of the things we run into with security is identity theft. This has been a huge problem for years, and with everything being online now it is easier for someone to steal your personal information and then use it. They can open a bank account without ever having to walk into a bank. They can take out a credit card completely online and never have to go anywhere with your information. I am sure some of you reading have been a victim of identity theft or know someone who has been a victim of identity theft. Since identity theft is really more along the personal side of things, we as informed people need to be aware of identity theft and help teach those who are not aware of it. We need to know where we are vulnerable and protect ourselves better. There are many ways to protect ourselves, but each one can be a post all on its own. So I won't go into them all here.

If we think from a company perspective, now we have our brand that we have to watch out for. Your brand is very important to you and to how people recognize and associate your business. It really is the trust that your customers have in you. If you are ever involved in a breach or some sort of scandal, that looks really bad for your brand, and the trust customers have in it can be broken.

Think of some of the breaches that have happened in the last 10 years. Target (twice), NewEgg, Facebook, Panera, Quora, Under Armour, and the list goes on. Think of these companies and what your perspective is of them after learning that they had tens of thousands of records with customers' personal information stolen. In a few cases, they were hundreds of thousands of customer records, which sometimes included credit card numbers. What is your new perspective of that company? Do you plan to purchase from them again? Many larger companies such as Target can come back from incidents like these. They have a dedicated marketing and PR team to help re-establish their brand. Can a smaller company that has 100 or 200 employees bounce back from that type of negative publicity? Many small companies cannot come back from that and will go out of business months after a breach. So security can really make or break a business, especially break a business.

Espionage

Espionage is certainly another part of this to think about. I say espionage and you probably think of James Bond and spies running around shooting and stealing information. But corporate espionage is a real thing, and the point is to hurt a company's brand in some way or to steal its proprietary information. Most corporate espionage starts from the inside of the target company with planted employees. Espionage cases where someone was hacking in from the outside do certainly exist, but the more common ones happen from the inside. That is another one of the many reasons we need to keep in mind and understand why security is so important.

In this section, I am going to go over some things that you can do to help keep yourself and your business safe.  I am not going to go into any great detail but I will talk about a few things that will certainly help.

Rethink Password Policies

One of the first things you should take a look at in your environment is the password policy. From a young age most of us, me especially, have had it beaten into us that we have to have good password policies that rotate passwords and use decently long passwords that contain letters, numbers, spaces, and special characters. The idea is to make the password difficult to guess but also difficult to be determined by an automated process of cracking passwords. I wrote in a previous post about this, "Is My Password Secure Enough", so check that out for some more details on passwords and password policies. The Cliff's Notes version really is that we have drilled it into people to create these long, hard-to-remember passwords that are really not as secure as they used to be.

Newer software can use graphics processors to do a lot of the password cracking much faster than before. So your over-complicated password that is the minimum 8 characters long can now be cracked in just hours! So we need to start making a fundamental shift to new password policies. We need to stop using those types of passwords because they are no longer as secure and they are just hard to remember. We need to start using passphrases, which are basically sentences that are easy to remember. A passphrase doesn't need to make sense when you say it, but it is easy for you to remember. Passphrases are the new passwords you want to be using.

The second part to this is to make sure you don't reuse those passwords. Everyone has multiple accounts that require a username and password, so you want to have every account use a different password. Your email account, Facebook account, and bank account should all have completely different passwords or passphrases. Humans are not built to remember this type of information. I am sure there are some amazingly talented people out there who can, but I am sure not one of them. So how do we keep track of all of these different passwords? We use password managers, which are a great way to keep track of all of our passwords and accounts. All password managers also have built-in functions that can generate passwords for you. One of the ones I use is LastPass, which is great because it has browser plugins that will auto-fill those details for you. It has a mobile app which works on Android and iPhone that you can utilize to access all of your passwords. Troy Hunt, who is a well-known security professional, said it best: "The best password is one you can't remember".
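As an added example (my own illustration, not code from the original post), here is a small Python script that puts numbers behind the two points above: it compares the keyspace of an 8-character "complex" password against a randomly generated passphrase, estimates the worst-case cracking time at an assumed GPU guessing rate, and generates a passphrase the way a password manager's generator would. The guessing rate, the 95-character alphabet and the 7776-word list size are assumptions; the keyspace math only holds when the words are picked at random by a generator, not chosen by a person.

```python
import math
import secrets

# Assumed offline guessing rate for a GPU rig against a fast, unsalted hash.
# Illustrative figure, not from the post; real rates depend on the hash used.
GUESSES_PER_SECOND = 1e11

# Assumptions: 95 printable ASCII characters for a "complex" password,
# and a 7776-word list (the size of the Diceware list) for passphrases.
PRINTABLE_ASCII = 95
WORDLIST_SIZE = 7776


def charset_keyspace(length, alphabet_size=PRINTABLE_ASCII):
    """Candidates for a password of `length` symbols drawn from `alphabet_size`."""
    return alphabet_size ** length


def passphrase_keyspace(words, wordlist_size=WORDLIST_SIZE):
    """Candidates for a passphrase of `words` words picked at random from the list."""
    return wordlist_size ** words


def entropy_bits(keyspace):
    """Guessing entropy: how many doublings of attacker work the keyspace represents."""
    return math.log2(keyspace)


def worst_case_hours(keyspace, rate=GUESSES_PER_SECOND):
    """Hours to try every candidate at `rate` guesses/second (the average is half)."""
    return keyspace / rate / 3600


def generate_passphrase(wordlist, words=5):
    """Pick words with the OS CSPRNG, the way a password manager's generator should."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def policy_report(password_length=8, passphrase_words=5):
    """Compare the two policies the post discusses: entropy and crack time for each."""
    complex_ks = charset_keyspace(password_length)
    phrase_ks = passphrase_keyspace(passphrase_words)
    return {
        "complex_bits": entropy_bits(complex_ks),
        "complex_hours": worst_case_hours(complex_ks),
        "passphrase_bits": entropy_bits(phrase_ks),
        "passphrase_hours": worst_case_hours(phrase_ks),
    }


if __name__ == "__main__":
    # Constructed mini word list for the demo; a real generator draws from thousands of words.
    demo_words = ["otter", "lantern", "velvet", "canyon", "biscuit", "maple", "harbor", "quartz"]
    print("random passphrase:", generate_passphrase(demo_words))
    for key, value in policy_report().items():
        print(f"{key}: {value:,.1f}")
```

With the assumed rate, the 8-character password falls in under a day of worst-case guessing while the 5-word random passphrase takes years, which is the "cracked in just hours" point above in numbers.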

Multi-Factor Authentication

Implementing Multi-Factor Authentication is another step we can take to help secure ourselves and our company. I have another post on Multi-Factor Authentication that goes into much more detail, "Multi-Factor Authentication – What is it?". But multi-factor authentication is using multiple factors to authenticate you, rather than just a password. The factors are something you know, which is a password; something you are, which is biometric, such as fingerprints or an iris scan; and something you have, which can be a token, RSA key, or other device. Requiring any two of these to authenticate you would be considered Multi-Factor Authentication.

Social Engineering

Another important aspect of security is social engineering and phishing. You should have a policy or campaign to test and teach your users about social engineering. Social engineering is when someone tries to get someone else to do something for them by misleading them. One common example would be a call from an unknown person claiming to be IT who asks for your password. Social engineering is the broad umbrella, and phishing is one thing under that umbrella. Have a campaign in place to teach, and more importantly empower, your users so they understand why security is so important.

Culture of Security

We have always been told to lock the doors on our house and car when we leave, right? It is part of our culture and our upbringing to perform these basic security measures. Well, we need to foster a new culture of security in the internet age. If we have users who use horrible password practices at home with their own email or bank account, what motivation do they have to implement better password practices at their job?

What we really need to do is teach and empower our users to protect themselves at home. What types of password managers should they be using? What types of devices should they use for Multi-Factor? Better yet, can we provide them with these tools at no cost to them to help make their home assets more secure? When we do this it becomes part of them; they understand the importance and change their habits to become more secure. Then they bring that into the workplace and you will be more secure.

Unfortunately, people are typically the weakest link when it comes to security, and I am not trying to be mean or cruel, but it honestly is the truth. The reason people are the weakest link is that unless they are a security professional, security isn't their job. They are great at accounting to make sure the business stays viable, or sales to sell all of our products, or human resources to make sure our employees are taken care of. I hope you see where I am going with all of this. Most employees have their own job that they need to focus on, and that is their specialty. We as IT professionals have to help everyone understand security and help them to implement it in their everyday lives. If our employees fail at security, it is not their fault; it is our fault as IT professionals. If employees fail at security, then we didn't teach or mentor them appropriately and we have to do a better job.

The Ultimate Balancing Act

The last thing I want to talk about is the fine balance between security and usability. You can make a company super secure, I would never say unhackable, but if you secure it at the cost of usability then you are actually hurting the business. Even security professionals have issues with this concept of balancing security with usability. We want to be as secure as possible, but we have to look at the cost to our users. If we implement a security feature that causes a certain task to take three times as long to perform, then we are actually affecting the business. As another exaggerated example, we could sell products all day but never accept credit cards because it is too risky. This is, as I said, an exaggerated example, but you can see where I am going with this. We would never have to worry about having credit card numbers compromised if we never accepted credit cards. However, we will probably not survive as a business if we don't accept credit cards. When you learn to make that balance between security and usability, you will be an unstoppable Security Analyst or Security Engineer.

Many companies will have different ideas on what is important, so that fine balance between security and usability will be different for each company. A financial institution may implement MFA for all of its employees, while a retail store may think that MFA is too much of a hindrance for its employees walking the floor. So it comes down to a case-by-case basis, and you have to look at it with an objective mind and always take the company into account.

I would love to know what you think, so please comment below or find me on Facebook at https://facebook.com/thesysadminschool. You can also find me on Twitter @MikeWalton1984.