9 Convenient Lies in Information Security

Organizations sometimes “stretch the truth” regarding their ability to safeguard data, protect systems or offer other assurances related to information security. The crux of the problem is that implementing security is hard, as is explaining the effectiveness and roles of various controls. So we’re often left with promises or recommendations that can, at best, be seen as having an optimistic perspective on security.

Here are some of the statements that might often be considered lies, half-truths or idealistic simplifications…

Your data is secure because:

  • We use bank-level 128-bit AES encryption. Encryption by itself is insufficient, as there are numerous other ways in which data can be put at risk.
  • We are compliant with applicable industry regulations. The compliance status demonstrates that a set of practices is being followed, but doesn’t address all necessary security measures.
  • We have a security seal to demonstrate that we passed a security scan. Such scans are often limited in the weaknesses that they examine, potentially leaving the organization vulnerable to numerous other attack vectors.

Protect yourself on-line by:

  • Not opening email attachments from suspicious senders. People often receive legitimate attachments from unknown senders, yet have no basis for determining what is suspicious.
  • Not clicking on links in email messages. People are often in a hurry or are multitasking, which makes it too tempting to click a link rather than attempting to re-type it.
  • Selecting a “strong” password. Opinions vary on what constitutes a “strong” password; also, by selecting one that’s hard to remember, people are more likely to reuse it across sites and applications, increasing the risk that one compromise might grant the attacker access to other resources.

Your data is safe with our employees because:

  • We conduct background checks. A “clean” record doesn’t guarantee that the person will exhibit ethical behavior in the future; also, many background checks are quite limited in their scope.
  • We provide mandatory security awareness training. Many training programs don’t affect employees’ security-related behavior; also, participating in the session doesn’t imply that the employee absorbed the material.
  • We have a security policy. Security policies seem to be rarely read and more rarely understood; also, the existence of security policies doesn’t imply that they are being followed.

When you see or hear the claims above, dig deeper to understand their meaning. When you hear security advice, ponder whether it is practical. If you are tempted to offer untruths to users or customers, make sure your statements are actually accurate and provide additional details where relevant and appropriate.

Lenny Zeltser

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.