We’ve all heard the stories of major data breaches caused by malicious outsiders and disgruntled employees looking for revenge. We also know that many malicious attacks are driven by insiders. But there is a much more sinister force at work: a complete and total lack of common sense. That’s right, many of the security and data breaches IT staffers combat daily are caused by people (IT included) who don’t think about what they’re doing.
Over the years, I’ve heard countless stories of companies keeping passwords on a spreadsheet shared with the entire IT staff, with no accountability; of people leaving computers open and unattended in public areas; and of people writing their passwords on post-its for anyone to see. I once even heard of someone with high-level government clearance leaving his laptop open in a public parking lot. Although these actions may seem inconsequential, they can all lead to major security breaches that cost millions of dollars and damage reputation and brand.
I’ve been in the security software industry for many years. My company focuses on privileged identity management. So it kills me every time I get a call from a potential customer telling me that they suffered a breach because of a lack of common sense and need our help to get things back under control.
I often ask myself, why are people not using the common sense they were born with? I think it’s because they’re busy. They let “minor” security infractions fall by the wayside because they are not being held accountable, or because it’s easier than doing things right.
Someone did not use the common sense to change a default password.
Someone left invaluable corporate information open on a desktop while they made a Starbucks run.
Now their company could face serious consequences.
Implement a Security Policy
It is vitally important, regardless of how big or small a company is, to have security policies and procedures in place to hold employees accountable for their actions (or, in many cases, lack thereof). Executives at every level should know these policies and know what questions they should be asking. Moreover, privileged account passwords should not be shared, nor should any one IT person have total access to your network. Put the policies in place to enforce security provisioning. Put the processes in place to require frequent changes to passwords across the organization. And, most importantly, enforce the rules and regulations with consequences.
Don’t be one of those organizations that calls after an incident has happened. At that point it may already be too late. Use your common sense, be proactive and be prepared.