Technologies and processes often provide organizations with a false sense of security. The company goes through the motions of deploying a security tool or following an oversight procedure, but the benefit to the security posture might be negligible. Here’s my list of 10 information security mistakes that lead to this situation:
- The organization captures event logs, but the auditing level lacks the details needed to identify security incidents or investigate intrusions.
- The organization has an information security policy that no one actually follows.
- The organization performs vulnerability scans, but does not have a consistent process for addressing the discovered security issues.
- The organization conducts a penetration test without including employees' workstations in the project's scope.
- The organization tightly controls traffic from the Internet without restricting and monitoring outbound network activities.
- The organization relies solely on anti-virus software to address malware threats.
- The organization encrypts password stored in the database, but uses a weak encryption algorithm.
- The organization deploys a data security tool without customizing and tuning its configuration.
- The organization hires an information security officer without empowering the person to critique IT decisions or to affect change.
- The organization assumes its data is secure because it recently passed a compliance audit.
It's unfortunate when organizations implement controls that provide a false sense of security. Sometimes they do this because they don't know better. Sometimes they do this and try to pretend that they don't know better.
For more thoughts on where an infosec program can go wrong, see my cheat sheet How to Suck at Information Security.
Updated February 2, 2016