10 Information Security Mistakes: A False Sense of Security

Technologies and processes often provide organizations with a false sense of security. The company goes through the motions of deploying a security tool or following an oversight procedure, but the benefit to the security posture might be negligible. Here’s my list of 10 information security mistakes that lead to this situation:

  • The organization captures event logs, but the auditing level lacks the details needed to identify security incidents or investigate intrusions.
  • The organization has an information security policy that no one actually follows.
  • The organization performs vulnerability scans, but does not have a consistent process for addressing the discovered security issues.
  • The organization conducts a penetration test without including employees’ workstations in the project’s scope.
  • The organization tightly controls traffic from the Internet without restricting and monitoring outbound network activities.
  • The organization relies solely on anti-virus software to address malware threats.
  • The organization encrypts passwords stored in the database, but uses a weak encryption algorithm.
  • The organization deploys a data security tool without customizing and tuning its configuration.
  • The organization hires an information security officer without empowering the person to critique IT decisions or to effect change.
  • The organization assumes its data is secure because it recently passed a compliance audit.
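The password-storage mistake in the list is easy to illustrate in code. The example below is added here and is not part of the original post; it swaps the post's "weak encryption" for the two storage schemes a reviewer most often contrasts: an unsalted fast digest (the weak scheme) beside salted PBKDF2-HMAC-SHA256 with a constant-time comparison (the hardened scheme). The user records, passwords and the 600,000-iteration work factor are constructed for the demonstration; `is_legacy_record` is a hypothetical audit helper for spotting old-style records in an existing table.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed work factor for the hardened scheme; tune to your hardware.
PBKDF2_ITERATIONS = 600_000


def weak_store(password: str) -> str:
    """Weak scheme: one unsalted, fast digest shared by every user.

    Every user who picks the same password gets the same stored value,
    so the table itself leaks who shares a password, and the digest is
    cheap enough to test candidate passwords at very high rates.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened scheme: per-user random salt plus a slow key-derivation function.

    The stored string is self-describing (scheme, iterations, salt, digest),
    which lets the work factor be raised later without a flag day.
    """
    salt = salt if salt is not None else os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Re-derive with the record's own salt and iterations, compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if scheme != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # hmac.compare_digest avoids leaking where the comparison diverged via timing.
    return hmac.compare_digest(derived.hex(), digest_hex)


def is_legacy_record(stored: str) -> bool:
    """Hypothetical audit check: flag records that look like a bare 128-bit hex digest.

    Run over an existing credentials table, this identifies rows still using
    the weak scheme so they can be re-hashed on the user's next successful login.
    """
    if stored.startswith("pbkdf2_sha256$"):
        return False
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def same_password_collides(store_fn: Callable[[str], str]) -> bool:
    """Two constructed users who chose the same password: do their records match?"""
    alice_record = store_fn("Winter2024!")
    bob_record = store_fn("Winter2024!")
    return alice_record == bob_record


if __name__ == "__main__":
    print("weak scheme collides:  ", same_password_collides(weak_store))    # True
    print("strong scheme collides:", same_password_collides(strong_store))  # False
    record = strong_store("Winter2024!")
    print("verify correct password:", strong_verify("Winter2024!", record))  # True
    print("verify wrong password:  ", strong_verify("winter2024!", record))  # False
    print("legacy record detected: ", is_legacy_record(weak_store("Winter2024!")))  # True
```

The point the list item makes is visible in the first two lines of output: under the weak scheme two users with the same password are indistinguishable in the database, while the salted record differs every time and can only be checked by re-deriving with the stored parameters. The audit helper is the check a practitioner would run before declaring the "passwords are encrypted" control effective.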

It’s unfortunate when organizations implement controls that provide a false sense of security. Sometimes they do this because they don’t know better. Sometimes they do this and try to pretend that they don’t know better.

For more thoughts on where an infosec program can go wrong, see my cheat sheet "How to Suck at Information Security."


About the Author

Lenny Zeltser is a seasoned business and tech leader with extensive cybersecurity experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. Beforehand, he was responsible for security product management at NCR Corp. Lenny also trains incident response and digital forensics professionals at SANS Institute. An engaging presenter, he speaks at industry events, writes articles and has co-authored books. Lenny has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.