Organisations should not rely on their staff to ensure their network is secured as employees are not infallible and one slip is all it takes for cybercriminals to launch a vicious attack.
"If you are an organisation that is relying on your employees to do the right thing with respect to security, you've already made a number of mistakes," said Scott Montgomery, global vice president for product management at Secure Computing.
Montgomery noted that end users are typically the "least educated" in proper corporate security practices and are "most prone to doing things" that do not adhere to the company's security policy.
He highlighted the four most damaging security habits that are commonplace among organisations around the world, and underscored the need for IT administrators to closely monitor these areas.
1. Fixed passwords
The Sans Institute, over the last decade, has identified passwords as one of the top 10 most damaging security practices, Montgomery said.
Unlike token-generated or one-time passwords, he noted that fixed passwords do not change and some users may even write them down to avoid forgetting the sequence. As such, fixed passwords are "dangerous" because any person who knows the right password can log into the network and cannot be identified as an imposter, he said.
"Everybody knows that fixed passwords are weak and a problem. It's been the same way for 10 to 15 years, but it doesn't change organisations from investing in it," Montgomery said.
In contrast, the use of one-time passwords has been found to "dramatically increase the security profile of organisations" because perpetrators are not able to compromise users' credentials, he said.
VIDEO
Dialogue Box 7.4: The expanding digital universe
How much data will be created and stored in 50 years' time? Rupert and Charles make some extrapolations and come to a startling conclusion
"Even the use of a one-time password on an application-by-application basis dramatically increases your security profile because you can't do… password guessing," Montgomery said. He added that the use of a hardware token for one-time password deployment — whether it is time-based or event-based — is a good way to prevent systems from being compromised.
2. Neglecting inbound threats from email, the web and instant messaging
When end-users receive a spam message in their email inbox, their administrators have already "lost the battle", Montgomery said. "At that point, you're expecting the users to do the right thing, [but] they won't... They don't have any perception of the greater risk of their activities." He noted that email, webmail and instant messaging are among the high-risk areas and IT administrators need to ensure data received via these platforms is safe and protected.
3. Forgetting that data traffic is two-way
When keeping the organisation's network secure, IT administrators should keep in mind that data traffic is bidirectional and consider the possibilities of outbound data leakage.
Montgomery noted that organisations often forget that their traffic is bidirectional and many have spent the last few years protecting only the data that enters their networks. "Organisations have been very slow to look at what's leaving their network, in terms of data leakage, due to malicious and criminal intent or simply [as the result of employee] mistakes," he said.
4. Not encrypting data
Without encryption, data sent and received via email is literally "like putting an ad out in the paper" for anyone in the public to view, said Montgomery. He added that some users wrongly assume the data they send is private and cannot be seen by the public.
"People who want to read your email will have to look for it to find it, but they can find it if they want to," he said.
"There is a level of protection only if people use encryption in their email, [but] most people don't," Montgomery said.
Talkback
The biggest (and implied) "sin" is PEOPLE! Without people using the networks, sending and receiving emails and forgetting their passwords, the risks would be minimal. Meanwhile, back in the real world...
One comment I would make is that people tend to remain ignorant of the risks, no matter how strongly they are spelled out. It is almost a "head in the sand" problem for system administrators. Whilst the risks are great, on an individual basis, they appear low. If security is tightened up, users tend to react vocally and negatively. Security is seen as being at odds with getting their jobs done.