Merriam-Webster defines a myth as a popular belief or tradition that has grown up around something or someone but is often unverifiable. When it comes to information security, there's a lot of popular wisdom available, but much of it is unfounded and won't necessarily improve your organization's security.
Why do such beliefs persist? The answer is that we don't challenge new and existing ideas enough. We must test and evaluate the validity of new security concepts, so the good ones can become standards. Only by cutting through the hype to separate reality from myth can IT professionals help take their enterprises to the next level. Here are 10 network security myths that bear further examination.
MYTH #1: Organizations are more secure now than they were a year ago. Although limited resources have forced some organizations to neglect security issues, most companies have initiated the necessary steps to safeguard their company assets. Information security has moved from a business cost to a business enabler, allowing for better business decisions that help organizations grow and see firsthand how strategic decisions may unfold. However, any complacent attitudes should be checked at the door. New threats and technologies are constantly and rapidly changing the network landscape. System administrators must scan the network continually for known security weaknesses, keep their skills current and, most important, re-examine corporate security policies periodically. Letting this last step slide is a recipe for disaster. Business processes defined a year ago may not match the organization's current needs.
MYTH #2: The presence or absence of regulations greatly matters when it comes to protecting both personal and customer data. Governmental regulations, such as HIPAA (Health Insurance Portability and Accountability Act) and Sarbanes-Oxley, contain information security components in their guidelines. But with or without a legal requirement, organizations should still safeguard their sensitive information. Failure to protect customers' personal data means a loss in consumer confidence, which results in lost revenue and government fines. Regulations and laws are getting the attention of C-level executives and forcing them to invest in information security initiatives, but don't be misled into thinking governmental regulations mean data is protected and that companies themselves won't violate a regulation.
Case in point: When BJ's Wholesale Club's network was compromised and thousands of their customers' credit card numbers were stolen from a BJ's database, many believed the retailer had violated MasterCard's and Visa's regulations by storing account and customer information. The same held true for CardSystems, which may have violated MasterCard's regulations by not only retaining credit card information but failing to encrypt the data. Organizations must proactively fashion a philosophy that combines network security with an acceptable level of compliance.
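The failures described above (retaining card data and storing it in the clear) are something a defender can check for directly rather than trust a compliance checkbox. The following is an added example, not code from the article or from any of the companies named: it scans a set of constructed, clearly fake transaction records for primary account numbers that are still stored in plaintext, using a Luhn checksum to separate real card-number candidates from other long digit strings, and shows the masked form (last four digits only) that should be retained instead. The record layout and the field names are assumptions for the sake of the example.

```python
import re

# Constructed sample records (not real data) standing in for rows of a
# retained-transactions table. Two of them still hold a plaintext PAN,
# one has already been masked, and one contains a 16-digit reference
# number that is not a card number.
SAMPLE_RECORDS = [
    {"id": 1, "memo": "order 1001", "pan": "4111111111111111"},             # plaintext PAN
    {"id": 2, "memo": "order 1002", "pan": "************1111"},             # already masked
    {"id": 3, "memo": "order 1003 card 5500000000000004 on file", "pan": ""},  # PAN leaked into free text
    {"id": 4, "memo": "ref 1234567890123456", "pan": ""},                   # 16 digits, fails Luhn
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded
# in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, which is all a receipt or lookup needs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_plaintext_pans(records):
    """Scan every string field of every record; return (record id, field, masked PAN) for each hit."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            if not isinstance(value, str):
                continue
            for m in CANDIDATE.finditer(value):
                digits = re.sub(r"\D", "", m.group(0))
                if 13 <= len(digits) <= 19 and luhn_ok(digits):
                    findings.append((rec["id"], field, mask_pan(digits)))
    return findings


if __name__ == "__main__":
    for rec_id, field, masked in find_plaintext_pans(SAMPLE_RECORDS):
        print(f"record {rec_id}: plaintext PAN in field '{field}' -> should be stored as {masked}")
```

Running the scan flags records 1 and 3 and ignores the masked value and the non-card reference number. The same logic, pointed at database exports, log files or backups, gives an organization evidence of whether its retention and encryption policy is actually being followed, independent of what a regulation requires.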