5 Most-Ignored IT Security Best Practices
More than half of IT departments are failing at basic security measures, with 82% falling short on key practices, a new survey shows. Are you on top of these five issues?
August 17, 2011
Strategic Security Survey: Global Threat, LocalPain
Strategic Security Survey: Global Threat, Local Pain(click image for larger view and for full slideshow)
There's nothing simple about enterprise security, but there are plenty of best practices that can keep most businesses safe from the most likely and pervasive threats. Unfortunately, according to a new study from research firm Echelon One and enterprise key and certificate management company Venafi, more than half of all IT departments are failing at some of the most important security practices. Here are the top 5 things your company could probably do better.
1. Rotate SSH Keys Annually
The most startling statistic in the study shows some 82% of IT departments fail to rotate SSH keys every 12 months. Because the average employee turnover rate is about two years, failure to rotate SSH keys at least once a year leaves critical network infrastructure wide open to malicious access from former staffers.
2. Train Users In Best Practices
The most vulnerable element in any network is almost always the human element. You can patch your servers and beef up your firewall 'til the cows come home, but it'll do limited good if your users click on every phishing message that comes their way. Still, according to the Echelon One study, 77% of companies offer no regular security training to their end users. Venafi recommends that IT departments conduct quarterly training for all users, teaching workers to avoid common security threats through established best practices.
"The Venafi/Echelon One IT security research supports everything we've been seeing and warning against," said Stu Sjouwerman, CEO of security training firm KnowBe4, which has conducted similar research into the vulnerability of workers to phishing attacks. "Companies are not investing in Internet security training; and as a result, they're exposing their networks to potential cyber attacks."
3. Encrypt Cloud Data
It sounds like such an obvious blunder, but 64% of IT organizations don't encrypt all of their cloud data and cloud transactions. The reason, according to the study, is that many cloud applications do not encrypt by default. Clearly, most IT pros need to do a better job of checking and managing the security settings on the public cloud services that handle their data.
4. Use Appropriately Strong Encryption Keys
While the Echelon One study found that most businesses do fairly well at enforcing encryption policies generally, it found that the majority of companies do not use appropriately strong encryption keys. According to a February 2011 report from the National Institute of Standards and Technology, 1024-bit encryption keys have depreciated in effectiveness, and 2048-bit encryption should be used for all symmetric keys. Only 44% of IT departments use recommended key strengths, according to the study from Echelon One and Venafi.
5. Have A Plan For Replacing Breached Certificate Authorities
Nearly every business uses digital certificates to authenticate a host of network services, many of which are critical to revenue flow. Digital certificates are vulnerable to fraud, and must be replaced when compromised. Surprisingly, Echelon One said a majority of IT departments--55%--have no management processes in place to ensure business continuity by quickly replacing a compromised certificate and its accompanying encryption keys.
At a full-day virtual event, InformationWeek and Dark Reading editors will talk with security experts about the causes and mistakes that lead to security breaches, both from the technology perspective and from the people perspective. It happens Aug. 25. Register now.
About the Author
You May Also Like