An individual using a single workstation, a small business with two or three PCs connected to the Net through a high-speed cable modem, the team responsible for the security of an enterprise network; Regardless of an organisation's size, they all face the same security challenges — keeping intruders away from their private information.
Unfortunately, people tasked with security keep making the same basic mistakes. Since it's once again been a relatively quiet week in the security world, I'm taking this opportunity to list the five worst security practices found in businesses both large and small.
1. Failing to enforce policies
Number one with a bullet is failing to properly set security policies, neglecting to train anyone with access to computers, and especially declining to enforce an established policy.
It's a truism that you get what you reward for and don't see as much of what you forbid. So if your organisation wants good security practices, it must establish a clearly enunciated set of policies. Among other things, these policies must define basic usage rules, such as never opening strange emails, surfing random sites on personal business, or downloading files from the Web.
But security experts have been saying this for years, so why isn't it working? That's simple: Even when there are policies in place, there are seldom any real consequences for breaking the rules — or any reward for those who don't.
There are a few organisations, including Harvard Medical School and Beth Israel Deaconess Medical Centre, where being responsible for a single security breach is grounds for termination for anyone at any level. However, this practice is extremely rare, and few organisations, if any, have established a point system tied to rewards for following good practices.
Consider the impact that a significant prize for the employee with the best security record could have on security. For example, everyone could start with 100 points, losing one point for every out-of-policy security mistake, even if it doesn't result in actual damage or loss.
Establishing security policies that are more than a stack of paper and providing employee incentives for such policies could go a long way to helping organisations improve security.
