However, these two items are only symptoms of a much larger issue: bad security policies. The decision to weaken security in a business environment is fairly common and is most often rooted in the office of the CFO (Chief Financial Officer). This is the person who has the unenviable job of making sure that the company does not go broke while trying to keep the doors open and the lights on. It is often this office that tells IT and Security that they will need to make do with what they have to avoid spending too much money. They gauge this based on potential risk versus the cost of the fix, and that is nowhere near a good measure of the need to apply the right solutions.
The other side of the coin is user complaints. If you have ever worked in IT, then you know that the more you try to protect people, the more they complain. In one instance I was told, in no uncertain terms, that the requirement for an 8-character, complex password that expired every 30 days was outrageous. I was asked to remove the expiration and allow 4-character passwords with no complexity requirements (yes, this really happened). When this kind of comment comes from a C-level executive, it can be challenging to respond properly and ensure the right security is in place.
However, even the dreaded user complaint is not the worst factor in bad security policies. That title goes to vendor access. In the world of IT security, nothing is more problematic than making sure your vendors are following your security policies when supporting your company. Pulling another example from my past, I had a vendor outright refuse to sign a remote access agreement because it “was too much work” to make sure his staff was following it. I have also had companies turn the agreement over to their lawyers and try to remove sections of the agreement to “reduce liability”. This challenge can become almost insurmountable because of the need for support on products you might be using.
In many of the breaches and current attacks, the root cause can be traced back to systems (POS in the recent attacks) that are not secure because of vendor policies and software requirements: demanding direct access to POS terminals and servers from outside of the network, the use of generic accounts with weak passwords, and horribly weak passwords for service accounts (including the SA account in SQL). All of these contribute to the current culture of bad security policies.
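The weak service-account problem is one a defender can actually measure. The following is an added audit script, not part of the original article; it assumes Microsoft SQL Server (T-SQL) with SQL authentication enabled, since the article names the SA account. `sys.sql_logins` and `PWDCOMPARE` are built-in SQL Server objects (reading `password_hash` requires CONTROL SERVER permission); the list of weak candidate passwords is a constructed sample, and the remediation statements at the end are the standard `ALTER LOGIN` options.

```sql
-- Added audit example (T-SQL, SQL Server); not from the original article.
-- Assumes SQL authentication is enabled and the caller holds CONTROL SERVER.

-- 1. Logins whose password is blank or identical to the login name.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 2. Logins whose password matches a short, constructed list of weak
--    candidates (extend this table from your own policy's banned list).
DECLARE @weak TABLE (candidate NVARCHAR(128));
INSERT INTO @weak (candidate)
VALUES (N'password'), (N'Password1'), (N'sa'), (N'123456'), (N'admin');

SELECT l.name, w.candidate
FROM sys.sql_logins AS l
JOIN @weak AS w ON PWDCOMPARE(w.candidate, l.password_hash) = 1;

-- 3. Logins that bypass the Windows password policy entirely, so neither
--    complexity nor expiration is enforced for them.
SELECT name
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 4. Remediation: put the built-in sa login under policy and disable it,
--    so applications and vendors use a least-privilege login instead.
ALTER LOGIN sa WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
ALTER LOGIN sa DISABLE;
```

Run the three SELECTs on a schedule and treat any row as a finding; the point of the candidate-list check is that it tests the server's own hashes directly, so nothing is transmitted or guessed over the network. Disabling `sa` is only safe once every vendor or application that was using it has been moved to its own login.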
Even the threat of malware is wrapped up in these items. Both users and vendors complain that malware protection slows things down, so you end up excluding directories to ensure that applications function on end-user systems, or turning protection off completely on servers. There are far too many applications that require admin-level privileges (including backup systems) on servers and desktops. This leaves entire companies open to attack by drive-by malware. It can be terrifying to see just how open the average environment is, and then to come up against the wall of resistance when you suggest the required changes.
The culture that pushes bad security policies is one that needs to change at every level. Users (regardless of their level in the company) need to understand that there is a tradeoff in convenience when it comes to ensuring that the companies they work for are more secure against attack. They are only being asked to do the things they would want a company they (or their moms) do business with to do. This is the thinking that needs to be pushed out: would you want to do business with a company with a lax security policy when it comes to your money or personal data? If the answer is no, then work through the bumps; they will become easier down the road once it becomes habit. If the answer is yes, well, we have a bigger problem...