IT security throws up constant new challenges, so you can't afford to waste time dealing with non-issues. Here are five security myths that you need to ignore.
This list is drawn from a longer presentation given by Gartner analyst Jay Heiser at the Gartner Security & Risk Management Summit in Sydney earlier this week. None should be surprising, but all pop up with disturbing regularity in workplace environments large and small.
Myth#1: It won't happen to me
This mindset is surprisingly common, both with individuals who delude themselves they know their systems so well that no security risk could ever eventuate, and with businesses that believe they aren't a worthy target. "It really comes down to wanting to avoid any responsibility or cost," Heiser commented.
With that said, an equally big problem is overestimating the likelihood of issues. "Our risk perspective is often not rational," Heiser said. "It's our job to do the best possible we can for our employers, and in the infosec realm, that requires us to be brutally honest about the degree of risk confronting our organisations."
Myth#2: Security accounts for 10 per cent of IT budgets
This figure is sometimes thrown around by managers annoyed with the overall cost of IT, but it's not based in fact. "That's very, very rare," Heiser said. "Maybe at a bank undergoing a drastic upgrade." In a large organisation, 5 per cent is more typical, and it can be as low as 1 per cent.
Myth#3: You can assign a monetary value to security policy
Spreadsheets are the prime tool through which many organisations run, and the request to quantify the business value associated with a security program is a common one. Unfortunately, that makes about as much sense as asking for an ROI on an insurance policy. The value only becomes apparent when you need it.
"We live in a culture of quantification and it becomes a buck-passing mechanism," Heiser said of this tendency. "It's a face-saving way to send you off on a task where you can't succeed."
Myth#4: Longer passwords and frequent changes help security
An obvious four-letter dictionary password is a ripe target for cracking, but Heiser suggests that constantly forcing users to memorise new and unique passwords is a complete waste of time. "Most passwords are cracked because they're slurped through malware," he said. "We put way too much emphasis on complexity."
A better strategy is to encourage employees not to use passwords that blur between professional life and personal life. "One of the best policies we could pursue is to encourage employees not to use their Facebook passwords at work," Heiser said.
Myth#5: Physical security means we're safe
Physical security matters, but with huge amounts of data stored online, its importance can be overestimated. "In the overwhelming number of cases, your data is not going to be snuck out the front door," Heiser said. "One hard drive really doesn't have much data on it."