January 09, 2003 — CSO — A computer password is tacked up casually on the cubicle wall. A door out back is wedged open during a quick cigarette break. A laptop is left carelessly behind in a taxi ride to the airport. And suddenly it doesn't matter how good your company's security system is. It has just succumbed to human failure.
"I can have all the gadgets in the world," says Chris Apgar, data security and HIPAA compliance officer for Providence Health Plans, "but if people don't understand the basics
And so it goes with corporate security. People get busy. Or distracted. Or careless. Or downright malicious. In fact, if there's one thing about which people in the security field readily agree, it's that weaknesses in user practices pose a bigger threat to an organization's security than any vulnerabilities in technology do.
"The best technology can always be circumvented by an employee," says Gary Morse, president of security consultancy Razorpoint Security Technologies. "You can have the best security policy in the universe, but people just get busy."
Without a doubt, the employee is often the weakest link in the security chain. "People think, It's just data; it's not really important," says Thomas Luce, former CSO of Rochester Health Care Information (RHI) Group and now an independent security consultant. "They don't understand the damage they could do, especially in health-care and financial services companies."
And so a solid recipe for a truly effective security strategy needs to include two parts common sense
"An organization's technology is only as strong as the people behind it," adds Roger Hughes, president of Data Security Auditors, an independent auditor. "Systems and processes are built by employees." Which makes it imperative that you work to change the thinking in your organization from "Nothing bad will happen here" to "If I share my password, this can happen," or "If I leave an area unsecured, that can happen."
The biggest challenge facing the security industry is knowing how to transform an organization's users from its biggest vulnerability into the first line of defense. The bad news is that it's not going to be easy. The good news is that it's not going to be impossible. Here are three steps to get started.
Step One: Develop a Written Security Policy
Although it may seem like a painfully obvious omission, the truth is that many companies have no real security policy. And of the policies that do make it onto paper, many go the way of screenplays written by struggling writers



