Unfortunately, there will never be peace declared in the digital security battle. Hackers and cyberthieves will always be trying to find a new way into enterprise and consumer systems, and technology professionals will always be tasked with trying to stop them. That's why it's crucial to take a broader view of security that encompasses long-term and comprehensive strategies, rather than focus on everyday problem-solving that rarely gets at core security vulnerabilities.
Although it's commonplace to deal with security issues as they arise, this immediate-dangers-only approach can often seem like putting Band-Aids on a large wound. The tactic might be moderately useful, especially if applied right away, but it doesn't address how the injury was created in the first place or what will be needed to really stop the bleeding. When considering digital security tactics, avoid these barely useful Band-Aid strategies.
Giving the same access level to everyone for document management
When employees need to access a document management system, it might seem easy to set one password that can be shared across a company. But that short-term approach carries a number of security risks that can affect an entire system. Without proper access control and rights granted at an individual or group level, you won't be able to create an audit trail that tracks who has accessed files and whether they're being changed or downloaded without permission. During an audit, that lax digital security could result in regulatory fines, or it could completely sink the company if insider threats and digital document theft are in progress.
Putting all digital documents into a system without classification
Sometimes, you just want to store everything and sort it later. But when does that "later" arrive? Will it be done in the midst of security upgrades and new system implementation? Putting data into storage without classifying its importance, category, and access control levels is a dangerous Band-Aid tactic that can easily backfire. Take a long-term view instead and implement a data classification procedure, especially if the business has trade secrets and other sensitive data that can't be mixed with everyday content like marketing documents and HR files.
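The shared-password problem and the classification problem are two sides of the same control: an access decision needs a named principal to attribute to and a label on the data to decide on, and both need to land in an audit trail. As an added example (not from the original post), the Python model below gives every document a classification, every user a role and a clearance, applies default-deny checks, and records every attempt, allowed or denied, so the "who touched what" question the post raises can actually be answered. The labels, roles, document names and permission matrix are constructed for illustration.

```python
"""Per-user access control with classification labels and an audit trail.

Constructed illustration: contrast with a single shared password, which
cannot attribute any read, change or download to a person.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum
from typing import Dict, List, Set, Tuple


class Classification(IntEnum):
    # Ordered so that a higher value means more sensitive data.
    PUBLIC = 0        # marketing material
    INTERNAL = 1      # routine HR and operational files
    CONFIDENTIAL = 2  # customer data
    SECRET = 3        # trade secrets


@dataclass
class Document:
    name: str
    label: Classification
    contents: str


@dataclass
class Principal:
    user_id: str
    role: str                   # e.g. "hr", "marketing", "engineering"
    clearance: Classification   # highest label this user may ever see


@dataclass
class AuditEvent:
    when: str
    user_id: str
    action: str
    document: str
    allowed: bool
    reason: str


@dataclass
class DocumentStore:
    documents: Dict[str, Document] = field(default_factory=dict)
    # label -> role -> actions permitted; anything not listed is denied.
    permissions: Dict[Classification, Dict[str, Set[str]]] = field(default_factory=dict)
    audit_log: List[AuditEvent] = field(default_factory=list)

    def add_document(self, doc: Document) -> None:
        self.documents[doc.name] = doc

    def _decide(self, who: Principal, action: str, doc: Document) -> Tuple[bool, str]:
        # Two independent checks: clearance against the label, then role against the action.
        if who.clearance < doc.label:
            return False, f"clearance {who.clearance.name} below label {doc.label.name}"
        allowed = self.permissions.get(doc.label, {}).get(who.role, set())
        if action not in allowed:
            return False, f"role {who.role!r} may not {action} {doc.label.name} documents"
        return True, "permitted"

    def _record(self, who: Principal, action: str, name: str, ok: bool, reason: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEvent(stamp, who.user_id, action, name, ok, reason))

    def access(self, who: Principal, action: str, name: str) -> bool:
        """Decide and log; denials are logged too, since they are the interesting events."""
        doc = self.documents.get(name)
        if doc is None:
            self._record(who, action, name, False, "no such document")
            return False
        ok, reason = self._decide(who, action, doc)
        self._record(who, action, name, ok, reason)
        return ok

    def events_for(self, name: str) -> List[AuditEvent]:
        return [e for e in self.audit_log if e.document == name]

    def denied_attempts(self) -> List[AuditEvent]:
        return [e for e in self.audit_log if not e.allowed]


def build_demo_store() -> DocumentStore:
    # Constructed permission matrix: who may do what with each classification.
    store = DocumentStore(permissions={
        Classification.PUBLIC: {"marketing": {"read", "modify", "download"},
                                "hr": {"read", "download"}, "engineering": {"read", "download"}},
        Classification.INTERNAL: {"hr": {"read", "modify", "download"},
                                  "engineering": {"read"}, "marketing": {"read"}},
        Classification.CONFIDENTIAL: {"hr": {"read"}, "engineering": {"read", "download"}},
        Classification.SECRET: {"engineering": {"read"}},
    })
    store.add_document(Document("brochure.pdf", Classification.PUBLIC, "..."))
    store.add_document(Document("salary-bands.xlsx", Classification.INTERNAL, "..."))
    store.add_document(Document("customer-list.csv", Classification.CONFIDENTIAL, "..."))
    store.add_document(Document("alloy-formula.txt", Classification.SECRET, "..."))
    return store


def run_demo() -> DocumentStore:
    store = build_demo_store()
    alice = Principal("alice", "marketing", Classification.INTERNAL)
    bob = Principal("bob", "engineering", Classification.SECRET)
    store.access(alice, "read", "brochure.pdf")            # allowed
    store.access(alice, "download", "customer-list.csv")   # denied: clearance too low
    store.access(bob, "read", "alloy-formula.txt")         # allowed
    store.access(bob, "download", "alloy-formula.txt")     # denied: role may only read SECRET
    return store


if __name__ == "__main__":
    for event in run_demo().audit_log:
        print(event)
```

Two design points worth noticing: the check is default-deny (an unlisted label/role pair yields an empty action set), and denials are logged with the reason, because a string of denied attempts against trade-secret files by one user is exactly the insider-threat signal a shared password would hide.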
Using encryption without researching its origin
Security experts often advise companies to use as much encryption as possible, and you'll likely want to offer the same counsel to your customers. But not all encryption is the same. For example, FIPS 140-2 is the benchmark that the U.S. government requires for security in any data product. Businesses should be looking for encryption that's been tested and validated to that standard; otherwise they might be using a security method that's not as strong as it could be.
Securing only critical servers and ignoring the rest
Although it's imperative to make sure that critical servers are as secure as possible, keep in mind that there are many other hosts within a network environment, including mobile devices, testing machines, and even decommissioned equipment and digital printers. All of these are linked together, so focusing efforts only on critical servers could leave a company vulnerable to attack through seemingly "unimportant" avenues.
Being able to identify less-useful security fixes will be helpful for VARs, since it will allow you to act as a top security resource for customers. When Band-Aid strategies are proposed, you can advise customers to take more of a long-range view and possibly to implement different systems or procedures that would be more effective than a quick fix that doesn't hold for long.
What kind of Band-Aid remedies are you seeing for digital security? Tell us in the comments.