12 bad enterprise security habits to break

Taking shortcuts on security can compromise the enterprise. Break these bad practices before they become big problems in 2018

7. Reviewing security at the end of the app dev process

Amir Jerbi, co-founder and CTO, Aqua Security: "Application security is one area that is not only rife with bad habits, but it was built around a deeply flawed mindset about security – mainly, that it didn’t really matter. This resulted in a huge process flaw: security and risk reviews came at the end of the application development/delivery process as a final check before moving into production. This created a dynamic where security teams found serious structural flaws and vulnerabilities in applications that were identified way too late in the game to properly deal with, leaving security teams little choice but to bolt on some sort of fix or workaround.

Thanks to years of increasingly mind-blowing mega breaches dominating the headlines, cybersecurity is now a business imperative, but CIOs need to be clear on how to operationalize that imperative. Thankfully, a confluence of factors, such as the rise of DevOps as a cultural and organizational change agent and the enterprise readiness of software containers for app dev, has led to a proven model, called DevSecOps, that can be implemented to left shift application security so that it is baked into and throughout the app dev process.

DevSecOps teams are accountable to architect the appropriate security policies and controls for DevOps teams to embed into the application development lifecycle. We have already seen this model work, but for it to go mainstream in 2018, it needs ongoing attention and oversight from the CIO and other key stakeholders."

[ See our related article: Why DevSecOps matters to IT leaders. ]

8. Just saying "no"

Mike Bursell, chief security architect, Red Hat: "Security folks within enterprises have a reputation, and it's not always a good one. In fact, it's fair to say that they're often unpopular. This is often down to a single reason: they are known for saying 'no.' 'No, you can't deploy that application;' 'No, you can't use the public cloud;' 'No, you can't install that on your laptop.' This isn't entirely their fault: security is (still!) only an afterthought for many projects, and without earlier involvement, it's difficult to bring things back on track from a security point of view. But we also need to frame our responses in terms that are relevant to our audience: 'I'd recommend not deploying in the current configuration, as there's a risk of customer credit card data loss,' or 'What would happen if a hacker got onto this API and misused it to their own ends?'"

9. Turning a blind eye to shadow IT

Tom DeSot, EVP and CIO, Digital Defense: “Allowing the existence of shadow IT within the workplace is one of the sneakiest bad habits that we see in organizations today. As an example, when IT departments cannot fulfill user requests for cloud storage or something similar, users take it upon themselves to set up accounts in cloud storage services (e.g. Dropbox, Box, Egnyte, etc.), and then IT cannot manage or gain access when needed. These same cloud services may be used to serve up sensitive or confidential corporate information by the employee. All too often, we see IT departments turn a blind eye to the use of these services because they fulfill a need that the organization's IT department cannot. This then leads to multiple employees having multiple cloud accounts all doing the same thing. And all of them are placing the organization at risk.

Just as bad is the use of shadow wireless within the enterprise. Many IT departments, as a matter of policy, do not allow the use of wireless within the enterprise. To get around this, employees will bring in their own wireless routers and connect them to the corporate network thereby setting up a rogue wireless network. It's usually too late once the IT department finds out about the access point. Poorly configured, it can allow attackers to gain access to corporate resources that otherwise would have been protected from compromise.

The easiest and most cost-effective way to replace these bad habits is with the implementation of an ongoing, recurring information security training program that covers a multitude of topics. The topics need to be relevant and need to be more than someone standing up in front of the room with a PowerPoint deck. The topics should also be tied to something that is memorable and easy to understand, and something that sticks with the employee. To that end, we are seeing more and more companies mix in humor, which breaks up what could otherwise be a rather monotonous topic, makes it something that the employee is sure to remember long-term, and helps contribute to a culture of security.”

10. Forgetting the end-user

Frederik Mennes, senior manager, market and security strategy for the Security Competence Center, Vasco Data Security: “Examples of bad enterprise security practices include implementing enterprise security controls merely because they are suggested in general security standards, without taking into account the actual risk that the enterprise faces or the effectiveness of the security control. For example, many enterprises deploy anti-malware products because it is considered good practice but forget that this anti-malware technology is not effective anymore at catching the latest malware variants.

Another bad habit is implementing security controls without considering the end-user usability. For instance, enterprises often deploy encryption tools (e.g. PGP) without educating the employees about how to use it, which might result in ineffective use of the tool. Enterprises should be aware of the value that security controls can bring and know their strengths and limitations. Investing in supporting the user during deployment of the control will ensure long-term adoption by users.”

11. Adding weak links via the Internet of Things

Gregg Ross, systems engineer, North America, Paessler: “Right now the least secure connected devices are those associated with the Internet of Things. The amount of security incorporated into many of these devices is minimal and, all too often, the credentials are not changed after installation. In many cases, they are publicly available on the internet. Not surprisingly, therefore, they present intruders with the easiest entry point into otherwise robust and secure networks. Unfortunately, this challenging reality will only increase in importance as the number of connected devices increases. The important thing to remember is that your network is only as strong as its weakest point.”

12. Poor password hygiene

Carl Herberger, vice president of security, Radware: “Poor password hygiene is a common and challenging problem for IT and security leaders to overcome. Not only must IT professionals ensure they themselves have strong, secure password hygiene, they also need to make sure their entire organization does as well. However, no one can ensure lessons on password hygiene will stick with every employee, and even a strong password does not ensure complete security.

To improve the security posture of an organization, IT teams should require multi-factor authentication. When employees need to authenticate their identity in multiple ways, it creates complex barriers to illegitimate logins. Overall, good password and authentication practices can keep hackers from finding out more about an individual. Even if the account looks like it doesn’t contain sensitive information, like a social media account, every data point counts for a hacker. From a social media account login, an attacker could find out a user’s cell phone number and use IP login history to learn more about the user’s location. To prevent attackers from gaining unauthorized access, employees should practice secure password hygiene across all accounts, including within the company.”
