Security: Back to Basics
Loose Lips Sink Ships
Lyne Bourque
Vanishing data, ID theft, phishing, pharming, spyware... In the face of all this, securing your business seems like a daunting task. But with a little attention to the basics, bigger threats become less of a concern.
"Ouch" has become one of the most used words in my vocabulary of late. This is largely due to the fact that I forget to perform an exceedingly simple task when bicycling to and from work: slather on some sunscreen.
Many times, it's these smaller, basic details that wind up overshadowed by the larger worries (for me, it's large 18-wheeler trucks mowing me down during my commute). Recently in the security field, we've seen some companies forget some of the basics of security in the face of looming threats.
When we get down to it, it becomes a simple issue of CIA. No, not the spy agency, but instead: Confidentiality, Integrity, and Availability. Those are the areas that should leap to the forefront when creating a culture of security in your organization.
Loose Lips
The best encryption scheme will not ensure 100% confidentiality. Keep in mind that the biggest challenge to confidentiality isn't what resides on the wire but rather between the ears, and by extension, the mouth. The adage "loose lips sink ships" still rings true, particularly in the information age as data thieves are just as likely to sweet-talk their way into a network as they are to hack into it.
And crypto will only go so far. It does nothing about what an employee writes on a public blog. So what can companies do to discourage employees from talking? Create a security policy.
Does anyone actually train employees to show them why this is important? Social engineering courses, perhaps? The deafening racket of all those pins dropping suggests that the time has come.
Few companies address this and provide adequate training on how seemingly innocuous verbal information can burn a company. The lesson: you never know who's listening.
I've seen one instance where this was effectively done. Employees were given little triangular cards to put on top of their monitors. It reminded employees, in a fun way, to be careful of what was said, to ensure that their desk was clean (are you sure that the evening cleaning crew is, in fact, the evening cleaning crew?), that white boards were clean, systems were locked/logged out/off, and office doors locked. These simple activities are generally overlooked when it comes to dealing with confidentiality.
Deny Access
Sadly, even the technological side of confidentiality is being ignored. Recent events in which backup tapes belonging to financial firms were lost en route to remote storage facilities make the point. Whatever the means of transport, the defence needs to be layered, and the obvious layer is to encrypt the data before it leaves the building, with the keys kept on site rather than travelling with the tape, so that a lost cartridge yields nothing. Common sense, one would think; but as we are continually reminded, common sense isn't as common as we'd like.
To be fair, companies can run into hiccups when encrypting huge amounts of data. As I was preparing this article I ran across the Institute for Backup Trauma. Humor aside, it highlights a viable and secure option for companies of every size: data is sent off-site over a network link, encrypted in transit, and physically backed up at the far end. As hard drives grow and data becomes more critical than ever, this may well be the way to go for backup, one of the longest-standing redundancy methods.
A service of this kind should help preserve the integrity of the data while it is in storage. Note, though, that encryption by itself protects confidentiality, not integrity: a ciphertext can be altered or truncated without the key, so the stored copy also needs a checksum or authentication tag that is verified on restore. And what about the integrity of data inside the company before it is ever backed up? Here we rely on authentication and access control to ensure that the people using the data are the ones who are supposed to be using it, and that they are accessing only the data they are entitled to.
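As an added example, not from the column or from any backup vendor, the following shell script shows the two points above in working form: the archive is encrypted before it is handed to the courier (so a lost tape is unreadable), and an HMAC over the ciphertext is checked before any restore (so a damaged or tampered tape is rejected rather than silently restored). It assumes openssl 1.1.0 or newer on the PATH; the key file paths, scratch directory and sample ledger are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the column): protect a backup archive before it is
# handed to the courier. Encrypt-then-MAC so that a lost tape is unreadable
# and a tampered or truncated one is rejected on restore.
# Assumes: openssl (1.1.0 or newer) on PATH; key files live on site and never
# travel with the media. All file names below are hypothetical.
set -eu

WORK=${WORK:-$(mktemp -d)}        # scratch directory for this demonstration
ENC_KEY="$WORK/backup-enc.key"    # secret for the cipher (hypothetical path)
MAC_KEY="$WORK/backup-mac.key"    # separate secret for the HMAC (hypothetical path)

# Generate two independent 256-bit keys, hex-encoded, readable only by the owner.
make_keys() {
    umask 077
    openssl rand -hex 32 > "$ENC_KEY"
    openssl rand -hex 32 > "$MAC_KEY"
}

# Encrypt $1 into $2 with AES-256-CTR (key derived via PBKDF2 from the key file,
# random salt stored in the openssl header), then write an HMAC-SHA256 over the
# ciphertext to $2.hmac. The MAC covers the ciphertext, so verification never
# has to decrypt untrusted data first.
encrypt_backup() {
    openssl enc -aes-256-ctr -pbkdf2 -salt -pass "file:$ENC_KEY" -in "$1" -out "$2"
    openssl dgst -sha256 -mac HMAC -macopt "hexkey:$(cat "$MAC_KEY")" "$2" \
        | awk '{print $NF}' > "$2.hmac"
}

# Recompute the HMAC for $1 and compare with the stored tag. Returns 0 only if
# the ciphertext is byte-for-byte what was shipped.
verify_backup() {
    expected=$(cat "$1.hmac")
    actual=$(openssl dgst -sha256 -mac HMAC -macopt "hexkey:$(cat "$MAC_KEY")" "$1" \
        | awk '{print $NF}')
    [ "$expected" = "$actual" ]
}

# Verify, then decrypt $1 into $2. Refuses to decrypt anything whose tag fails.
decrypt_backup() {
    verify_backup "$1" || { echo "integrity check failed for $1" >&2; return 1; }
    openssl enc -d -aes-256-ctr -pbkdf2 -pass "file:$ENC_KEY" -in "$1" -out "$2"
}

# Demonstration on a constructed sample file (not real customer data).
demo() {
    make_keys
    printf 'account,balance\n1001,250.00\n1002,17.30\n' > "$WORK/ledger.csv"
    encrypt_backup "$WORK/ledger.csv" "$WORK/ledger.enc"
    decrypt_backup "$WORK/ledger.enc" "$WORK/ledger.out"
    if ! cmp -s "$WORK/ledger.csv" "$WORK/ledger.out"; then
        echo "round trip FAILED" >&2
        return 1
    fi
    echo "round trip ok"
    # Simulate damage in transit: append a byte to the ciphertext.
    printf 'X' >> "$WORK/ledger.enc"
    if decrypt_backup "$WORK/ledger.enc" "$WORK/ledger.bad" 2>/dev/null; then
        echo "tampering NOT detected" >&2
        return 1
    fi
    echo "tampered tape rejected"
}

demo
```

Two design points worth noting: the cipher and MAC use separate keys, and the MAC is computed over the ciphertext rather than the plaintext, so a restore job can reject a bad tape without ever feeding untrusted bytes to the decryptor. A modern tool that gives you an authenticated mode directly (AES-GCM, or a file encryptor built on one) achieves the same in one step; the two-step form is shown here because it makes the confidentiality and integrity layers visible as separate checks.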