Where's the Basic Security Blocking and Tackling?By Samuel Greengard | Posted 2016-07-18 Email Print
Many organizations aren't addressing fundamental security requirements. Device encryption and end-to-end encryption aren't options. They're the main play.
Every day we read news reports about cyber-security breaches and breakdowns. And while many of these stories focus on sophisticated and increasingly nefarious methods used to hack and crack data, the fact is that most security breaches are a result of ridiculously simple tactics—and near total mindlessness on the part of the target.
Case in point: The NFL's Washington Redskins. On June 1, the NFL issued a press release noting that "confidential player data was put at risk for compromise after a laptop computer belonging to a Redskins athletic trainer was stolen in April."
Although the laptop, which was left sitting in a car, was password-protected, the data residing on the machine was unencrypted. According to a news story at Deadspin.com, the breach potentially represents "a costly violation of medical privacy laws."
The upshot? "What happened to the Washington Redskins was a total fumble on computer security," said Ebba Blitz, CEO of Alertsec, an encryption-as-a-service company. "While we should be surprised that the laptop was not encrypted, our research shows most companies do not ensure their laptops are encrypted until a breach like this takes place."
Unfortunately, passwords often create a false sense of security. A recent study conducted by Alertsec found that while the vast majority of executives fear a data breach (the figure stands at a whopping 87 percent), and an even higher percentage (90 percent) say work computers should always be encrypted, there's a profound disconnect between words are actions.
For example, 68 percent of the executives surveyed believe auto-saved passwords are not secure. Nearly half (48 percent) of these executives believe that never logging out of user profiles decreases security. This, of course, completely ignores the value of encryption.
In addition, 23 percent of SMB executives surveyed believe lockdown (when the functionality of the system is restricted) is not secure, while 16 percent believe that lockups (when multiple password attempts failed, causing restrictions) are also insecure.
Today, as the Redskins learned painfully, cyber-security is about basic blocking and tackling.
Sophisticated security mechanisms are no good if an organization can't handle the basics.
Recent ransomware attacks further prove the point that many organizations aren't addressing fundamental requirements. Device encryption and end-to-end encryption aren't options. They're the main play.