As Woody Allen once said, “I'm not afraid of death; I just don't want to be there when it happens.” Sometimes I think the approach of the average board of directors is the same when it comes to investing in information security; they’re worried about being breached and just hope it doesn’t happen while they’re in the job. But naturally the question is whether investment is the only course of action.
Like my health, I can either cut down on bad cholesterol or I can spend money on medication that will supposedly do it for me, and allow me to continue my bad habits. But the sad reality is that medication is not going to keep me alive and healthy.
And the same applies in IT Security. Buying the latest technology is not going to save me if I am not carrying out basic health checks in my organization. Listen to those vendors who tell you that working alongside your team, they can help.
As an example when I talk with organizations that are concerned about APTs or Malware, their response seems to be to buy whatever is touted as the latest and greatest solution. It’s like an obese person drinking only diet beverages while still consuming too much food. Regardless of what technology they buy, the failure to carry out basic security checks means they are just as vulnerable. And like the obese person, they know what they need to do but it’s just too hard to do it.
How many IT departments control the passwords being used by administrators and yet fail to do the same for services, scheduled tasks, and other applications that use credentials? Organizations fret about their private keys being stolen and used in malware but then don’t enforce any security policy around the protection of keys. Organizations allow hundreds, and in some cases thousands, of employees to have privileged access to their PCs because it is easier than enforcing a policy that demands permission to install software. Yet how many organizations regularly check the registries of their workstations to see if anything has been added or modified?
The placebo effect
Today more often than not, security related projects usually start off with a failed audit – the equivalent of a sharp pain in the chest. This is usually as a result of bad habits that have developed over the years. You would think that the patient would rush to hospital to make sure everything is fine. Yes it is inconvenient, but surely you don’t want to take risks!
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.