10 data security myths

The information security consultant is often more of an educator than a contractor. Perhaps it is fortunate that most people don't think like hackers, but that is often precisely what is required to anticipate all that can go wrong.


Recent high-profile breaches have helped to raise security awareness -- however, many business owners continue to believe they are secure when in fact they are not. While entrepreneurs and executives should not be expected to have a complete understanding of the risks, they should at least be careful not to fall victim to the myriad myths surrounding data security.

Myth 1: Product X will keep your system safe.

Don't let marketing hype lull you into a false sense of safety. Security is a process, not a product. The number and variety of attacks from both inside and outside the corporate network are too great for any one product to offer adequate defense. Antivirus software, anti-spyware applications, personal firewalls, and network devices all provide valuable services, but they are only pieces of a more comprehensive defense strategy.

Myth 2: A firewall guarantees network security.

Many types of firewalls exist, and none of them offer a complete solution. By its very nature, a firewall must allow some network traffic through, otherwise e-mail, web browsing, and other permitted activities would not be possible, and most attacks today arrive over exactly those permitted channels. Although a properly configured firewall will eliminate many avenues of attack, many others remain. A firewall will not prevent a phishing attack or stop an employee from opening a Trojan horse e-mail attachment.

Myth 3: Passwords adequately protect sensitive data.

On the contrary -- passwords are one of the weakest authentication mechanisms. Authentication is the process of confirming that you are who you say you are, and it is usually coupled with specific access control rules. A password is only "something you know," and anything you know can be guessed, phished, or copied. Select a password that is difficult to crack: length matters more than the mix of characters, and a dictionary word dressed up with capitals, digits, and symbols is still a dictionary word to a cracking tool. For genuinely sensitive data, treat the password as one layer and add another, such as a physical token or a one-time code.

Myth 4: Hackers wouldn't find anything worth stealing.

Even if this were true, theft is not the only objective of potential attackers. Millions of PCs around the world have been compromised and are used to attack remote networks or conduct other illegal activities. Remotely-controlled "zombie" machines may be used to attack corporate Web sites, relay spam, and collect information for identity thieves. Perhaps an attacker would not be able to access your accounts, but your machine could become part of a criminal conspiracy, for which you could be held liable.

Myth 5: A security hole is OK if no one knows about it.

In the data protection field, this is called "security through obscurity," and on its own it is no security at all. Attackers use automated scanners that enumerate common file paths, default accounts, and known vulnerabilities across thousands of hosts without caring whose they are. Just because you have hidden a site administration login page doesn't mean it can't be found. If the login password is weak and can be obtained through a dictionary or brute-force attack, your site may very well be defaced or used as a spam relay. It's never as obscure as you might think.
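As an added example (not part of the original column), the following Python script shows the dictionary attack described under Myths 3 and 5 against a handful of stolen password hashes. The wordlist, the mangling rules, the suffix list, and the "stolen" hashes are all constructed for illustration; a real attack starts from lists of millions of leaked passwords and far larger rule sets, so the passwords that fall here fall in seconds at full scale.

```python
"""Rule-based dictionary attack against hashed passwords (added example).

Everything here is constructed for illustration: the wordlist stands in
for a real multi-million-entry leaked-password list, and the 'stolen'
hashes are unsalted SHA-256 digests of passwords chosen to make the point.
"""
import hashlib

# Constructed wordlist. Real crackers start from lists of millions of
# passwords leaked in earlier breaches, not six entries.
WORDLIST = ["password", "welcome", "summer", "admin", "letmein", "madison"]

# Substitutions users reach for to satisfy "letters, numbers and symbols"
# rules; cracking rule sets undo them wholesale.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0"}

# Suffixes that "add a number and a symbol" rules push people toward.
SUFFIXES = ("1", "123", "!", "1!", "2024", "2024!")


def mangle(word):
    """Yield the variants of a base word that a typical rule set produces."""
    leet = "".join(LEET.get(c, c) for c in word)
    bases = {word, word.capitalize(), word.upper(), leet, leet.capitalize()}
    for base in bases:
        yield base
        for suffix in SUFFIXES:
            yield base + suffix
    # Two-digit numeric suffixes on the plain and capitalized forms.
    for base in (word, word.capitalize()):
        for n in range(100):
            yield f"{base}{n}"


def sha256_hex(password):
    """Unsalted SHA-256, a stand-in for whatever the breached site stored."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(hashes, wordlist=WORDLIST):
    """Return {hash: password} for every hash the mangled wordlist hits.

    Stops early once every target has been recovered.
    """
    remaining = set(hashes)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = sha256_hex(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found
    return found


def demo():
    """Run the attack on three constructed passwords; return {password: cracked?}."""
    samples = [
        "P@ssw0rd1",                    # mixed case, digit, symbol: still a dictionary word
        "Summer2024!",                  # word + year + symbol
        "tundra velvet orbit lamp 94",  # long, not derived from any wordlist entry
    ]
    stolen = {sha256_hex(p): p for p in samples}   # constructed "leaked" hashes
    recovered = crack(list(stolen))
    return {p: (h in recovered) for h, p in stolen.items()}


if __name__ == "__main__":
    for password, cracked in demo().items():
        print(f"{password!r:32} {'CRACKED' if cracked else 'survived'}")
```

The two passwords that satisfy the usual "upper, lower, digit, symbol" checklist are recovered because they are a wordlist entry plus a predictable transformation; the long passphrase survives because no rule derives it from a known word. Salting and a slow hash such as bcrypt on the server side would raise the cost of each guess, but they would not rescue a password this predictable.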

Myth 6: Passwords should never be written down.

In general, this is good advice. A walkthrough of any large corporation will usually turn up a shocking number of passwords written on sticky notes or taped to the bottom of keyboards. However, as with any bit of advice, there are exceptions. As mentioned above, strong passwords are the best defense against guessing attacks. A sufficiently strong password may be difficult to remember, so writing it down may not be that bad -- as long as the note is kept somewhere you already protect, such as a wallet, and never on or near the machine it unlocks.

Myth 7: Attack countermeasures are too expensive.

Some countermeasures are expensive. That cannot be denied. However, you have to ask what the cost may be if the data is compromised. If confidential customer information is leaked, you may face civil and criminal liability as well as a loss of reputation. In general, the solutions implemented must support the business objectives of the organization. If the expected loss is less than the cost of a countermeasure, accepting the risk may be the right business decision. Just make sure that the long-term effects, such as repeat incidents and regulatory exposure, are taken into account.

Myth 8: Ordering online is dangerous.

It's amazing that some people refuse to place an order through an encrypted ordering system, yet they will pick up a cordless phone and read the same card number aloud. As with any mail-order purchase, it all comes down to trust in the merchant. A trustworthy online vendor will have the proper encryption in place to prevent third-party interception. If you have any doubts, research the seller, then make sure the ordering pages are served over TLS (the successor to SSL): the address begins with https:// and the browser reports a valid certificate for that site. Keep in mind that encryption in transit only protects the data between you and the merchant; it says nothing about what the merchant does with it afterward.

Myth 9: Employees should be trusted.

Many business owners believe that their employees would never expose the company to risk. Although this is an admirable belief, it relies on the premise that employees are aware of the implications of their actions. Unfortunately, many employees will set up their own wireless access points, use peer-to-peer networks, or transfer sensitive files by e-mail without knowing the risks. Employers need to establish acceptable use policies and conduct awareness training programs to prevent attackers from exploiting employee naïveté.

Myth 10: Employees can't be trusted.

At the opposite extreme, many employers treat their employees as if they are industrial spies. Security doesn't require paranoia — it requires awareness. If employees are properly trained on the risks of unrestricted access and are given guidelines for acceptable use, they are likely to conform to expectations. Remember that no one likes rules that appear to be arbitrary. Educate employees and they will become your first line of defense.

While no one product or piece of advice can ensure data security, a heavy dose of awareness combined with common sense and skepticism can improve the security posture of every organization. Just make sure that the effort supports business objectives and is based on a realistic assessment of the risks.

Monte Kendrick is the president of and principal consultant for Pixelogiq Data Systems LLC, a Madison-based company that offers information security and technology consulting services.


techtalk@pixelogiq.com
