7 Common Information Security Mistakes to Avoid
Here are seven all-too-common information security risks to avoid:
1. Failing to back up often enough - While the risk of not backing up regularly seems obvious, most businesses and individuals still do not back up often enough. Not only do computers eventually fail, but ransomware that encrypts data is a growing problem. Be prepared.
2. Failing to encrypt sensitive data - Every time I think that society is finally coming close to understanding and appreciating the need for encryption, I hear of some laptop stolen with sensitive information on it that was not encrypted. Encrypt sensitive data. And if you are not sure something is sensitive and requires encryption, choose to encrypt.
3. Failing to educate employees or children about the importance of information security and about relevant risks – It is hard, if not impossible, for people to avoid risky behavior if they don’t know right from wrong. Education and training are a must. Many breaches begin with oversharing on social media and resulting spear phishing attacks – so train people accordingly. To learn more about combating phishing, check out this article: Why All Businesses Are At Risk Of Phishing Attacks.
4. Using weak “security questions” to authenticate people - We have all been asked to provide the last four digits of our Social Security Numbers, our mothers' maiden names, the color of our first car, or other answers as a method for proving that we are who we claim to be. Let me be blunt: If you are using this type of approach for authenticating people, you should immediately work on transitioning to a better method of confirming identities.
The answers to the aforementioned types of questions can often be found in under a minute by unauthorized parties; the data may have leaked in recent breaches, been shared with the public on social media, or be easily found in searchable public records. Even when such data is not immediately obtainable, criminals can usually obtain it pretty easily through social engineering.
Also, keep in mind that the answer to any “security question” is simply a password for which the party posing the question has narrowed down the password range to a small number of choices and provided a hint to the person being asked. How many hits do you think I would get if I simply guessed “red” as the answer to the question “What was the color of your first car?”
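To put numbers on the "narrowed-down password with a hint" point above, here is an added example (not part of the original article) that scores an authentication secret by its entropy and by how often the most likely answers would be right. The answer distribution for "color of your first car" is constructed for illustration, not survey data; the functions and names are the example's own.

```python
import math

# Constructed illustration of how answers to "What was the color of your
# first car?" might be distributed. Made-up figures, not survey data.
FIRST_CAR_COLOR = {
    "white": 0.23, "black": 0.20, "silver": 0.15, "gray": 0.12, "blue": 0.10,
    "red": 0.09, "green": 0.04, "brown": 0.03, "other": 0.04,
}

# A secret is either a dict of answer -> probability, or an int n meaning
# "chosen uniformly at random from n possibilities" (a random PIN or password).

def shannon_entropy_bits(secret):
    """Average uncertainty in bits: the figure people usually quote."""
    if isinstance(secret, int):
        return math.log2(secret)
    return -sum(p * math.log2(p) for p in secret.values() if p > 0)

def min_entropy_bits(secret):
    """Worst case for the defender: -log2 of the single most likely answer."""
    if isinstance(secret, int):
        return math.log2(secret)
    return -math.log2(max(secret.values()))

def success_within_guesses(secret, k):
    """Chance that the k most likely answers include the right one."""
    if isinstance(secret, int):
        return min(k / secret, 1.0)
    probs = sorted(secret.values(), reverse=True)
    return min(sum(probs[:k]), 1.0)

def single_guess_success(secret, guess):
    """Chance that one specific guess (for example "red") is right."""
    return 0.0 if isinstance(secret, int) else secret.get(guess, 0.0)

def compare(k=3):
    """Summarise each factor; the hinted question is by far the weakest."""
    factors = {
        "first car color (hinted question)": FIRST_CAR_COLOR,
        "4 random digits": 10 ** 4,
        "8 random lowercase letters": 26 ** 8,
    }
    return {
        name: {
            "shannon_bits": round(shannon_entropy_bits(s), 2),
            "min_entropy_bits": round(min_entropy_bits(s), 2),
            f"p_success_in_{k}_guesses": round(success_within_guesses(s, k), 4),
        }
        for name, s in factors.items()
    }
```

The min-entropy figure is the one that matters for an online guessing risk assessment: a few bits means a handful of tries per account is enough, which is why such questions should not stand alone as an authentication factor.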
5. Underestimating the level of security expertise needed – I have seen countless situations in which managers – even technical managers – did not fully grasp the magnitude of the need for security experience and expertise.
Sometimes it’s a matter of allowing a generalist to do work that requires a specialist; sometimes it is ignoring the need for security altogether. It is scary how many software development projects, for example, do not involve security professionals from the get-go – a mistake that can lead to serious security risks down the line. Furthermore, not all security professionals have the same levels of knowledge; formal certifications can be valuable in addressing this risk by providing some level of assurance of minimum competency.
6. Requiring overly complex passwords - We have all heard the advice that in order to protect our information and online accounts we should create and use "complex" passwords that include a mix of upper case and lower case letters, numbers, and special characters. Many businesses have taken this advice to heart and now require that passwords to their systems be quite complicated.
Often, however, creating or requiring complex passwords worsens security due to human limitations: complex passwords are more likely to be written down than weaker passwords, or than even stronger but less complex passwords. Furthermore, many complex passwords are not as random as people might suppose; humans have a tendency to model complex passwords after certain patterns – and hacking tools already exploit that weakness.
For more on this topic please see this article: Why Your Complex Passwords Might Not Be As Secure As You Think. To learn how to create better, strong passwords please see: How To Create Strong Passwords That You Can Easily Remember.
7. Failing to properly plan – You cannot properly decide what security technology to purchase and deploy, or what services to acquire, or what policies to create and enforce, or what skillsets you need within your team, without first doing a risk assessment. Many smaller businesses don’t invest in one (or do so only once) – being penny wise can later prove to be pound foolish.
For more on this topic please see this article: Are You Spending Your Money On The Wrong Information Security Technology?