It would seem that security people tend to gravitate to the sophisticated attacks: attacks that use clever technology or exploit some esoteric feature that was designed for ease of use but can now be used against the user. But more often than not, people are losing on the easy things.
More than half of the lost data reported by SC Magazine over the past year seems to be on portable media. Media that could have been encrypted, but just isn’t – like an iPhone that stores as much data as many small computers. Then there are security settings in Facebook that lead to leaked information, while also opening doors to web threats as knowledge workers inadvertently download malware along with apps built for their social media habits. Backups that run nightly, but never get tested, or as we saw in a recent assessment, a server backing up to itself (almost funny, isn’t it?).
The list goes on: wireless networks that are open; people Gmailing sensitive data to their home computers in cleartext, only to find that their kids have that system connected to all kinds of stuff through peer-to-peer networks; emailing confidential information at work without encryption; no controls to stop data leakage or access to websites that may be infected with spyware. Most of these things are easy to spot; it’s just that business people are out doing business, and don’t take the time to lock down systems that are, by design, open and easy to use – thus easy to corrupt.
All of this leads to a simple yet compelling relationship between the business owner and the IT consulting firm. The owner must be able to focus on his business, the business probably can’t afford to hire people who really understand security (unless it is a larger organization), and the need for a more serious detection-based security strategy continues to mount. It’s a win-win arrangement between you, the provider, and just about every business out there. The key to moving forward is having a strong education program to help business leaders understand the issue, then following that up with a simple but effective assessment process and a solid offering to address the most common urgent issues.
Thanks to Zenith Infotech for sponsoring a large part of today’s executive briefing in Richmond!
© 2011, David Stelzl