How to destroy your corporate security through bad policy design.

What are the biggest security risks at most corporations?

  • Internal servers that hold confidential data.
  • Passwords in the form of “password” or “123456”.
  • Data hosted on 3rd party servers (the cloud).
  • System connections that allow access to other systems.
  • Email.

What are some of the most common solutions to these problems?

  • Force users to change passwords every 90 days.
  • Auto-archive email older than 90 days (or some other time period).
  • Prohibit thumb drives or connections to external drives.
  • Block websites through a web filter to prevent users from getting to Dropbox, Google Drive, etc.

So what happens in response to each of these?

  • Users simplify their password so that they can remember it each time they change it.
  • Users forward their important emails to external addresses so that they don’t lose access to them.
  • Users start using their own computers for work to make their lives easier – no limits on what they are allowed to do.
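The first of these reactions is the one a password system can actually see: at change time the user supplies both the old and the new password, so a defender can check whether the "new" one is merely the old one with a year or counter bumped. The script below is an added example, not code from the original post; the sample password pairs are constructed for illustration, and the 0.8 similarity threshold is an assumed tuning value.

```python
"""Detect password changes that are trivial variants of the previous password."""
import re
from difflib import SequenceMatcher

# Constructed sample data (hypothetical; not from any real user population):
# (old_password, new_password) pairs of the kind forced rotation tends to produce.
SAMPLE_ROTATIONS = [
    ("Summer2023!", "Summer2024!"),              # year bumped
    ("Password1", "Password2"),                  # counter bumped
    ("Acme!Corp9", "Acme!Corp9"),                # unchanged (reused outright)
    ("Gr33nTea?", "gr33ntea??"),                 # only case/punctuation shuffled
    ("Tr0ub4dor&3", "purple-kettle-orbit-47"),   # genuinely new
]


def normalize(pw: str) -> str:
    """Lower-case and drop everything but letters, so 'Summer2024!' becomes 'summer'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def is_trivial_rotation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is reuse, a digit/punctuation/case bump, or a near-copy of `old`.

    `threshold` (assumed value) is the SequenceMatcher ratio above which two
    passwords are treated as the same password in disguise.
    """
    if old == new:
        return True
    old_core, new_core = normalize(old), normalize(new)
    if old_core and old_core == new_core:   # same letters, only digits/symbols/case changed
        return True
    # Generic similarity: share of matching characters, 0.0 (nothing) .. 1.0 (identical)
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def audit_rotations(pairs):
    """Return the (old, new) pairs that a rotation check would reject."""
    return [(old, new) for old, new in pairs if is_trivial_rotation(old, new)]


def rotation_failure_rate(pairs) -> float:
    """Fraction of rotations that produced no real change; 1.0 means the policy achieved nothing."""
    if not pairs:
        return 0.0
    return len(audit_rotations(pairs)) / len(pairs)


if __name__ == "__main__":
    for old, new in SAMPLE_ROTATIONS:
        verdict = "TRIVIAL" if is_trivial_rotation(old, new) else "ok"
        print(f"{verdict:8} {old!r} -> {new!r}")
    print(f"rotation failure rate: {rotation_failure_rate(SAMPLE_ROTATIONS):.0%}")
```

The check only has the old password in cleartext at the moment of change, which is exactly when it is needed; nothing has to be stored. A high failure rate on the constructed sample (4 of 5 rotations rejected) is the measurable form of the post's point: the 90-day policy forced activity, not stronger passwords.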

By implementing these 4 common security enhancements you have just made your internal security weaker while not actually addressing any of the core security issues. Most security policies address issues from the technical side and ignore the messy human components. But humans are the messiest, riskiest part of the security equation.

Don’t fool yourself into believing that firm policies equal good security, because often the opposite is true.
