Is Adherence to Policy the Weak Link in Keeping Your Organization’s Data Center, Cloud and IT Operations Secure?


How do you avoid a data breach? It takes more than just an investment in equipment and people. There are legions of data breaches that would have been prevented had employees and contractors within an organization simply adhered to policy.

You can invest a seven-figure sum in malware detection, have 24x7x365 monitoring of the IT network for suspicious activity, and a couple of hundred IT security staffers, but if your employees don’t follow best practices for IT security, it might not matter much at all.

It didn’t matter at Target, an organization that enjoyed all of those attributes. At Target, when the multi-million-dollar system raised red flags, the round-the-clock monitoring staff notified the security team at corporate headquarters. But nothing happened, probably due to a series of errors by the security team, which had a key position unfilled at the time.

By not adhering to policy, Target triggered a preventable nightmare of customer inconvenience and horrendous publicity that led to profits being cut in half for the holiday season, longstanding (if not permanent) PR damage to the brand, and significant changes at the executive level.

The IRS breach of information on 330,000 taxpayers, engineered by those looking to use the data to commit tax fraud, hinged on stolen credentials that an employee apparently didn’t treat with appropriate caution.

The Premera medical records breach, in which records of 11 million customers were exposed, was likely the result of employees clicking on links in phishing emails that delivered malware to the company’s network.

In addition to employee inaction, improperly secured credentials, and phishing scams, other breaches that could have easily been avoided have resulted from:

  • Overly simplistic passwords.
  • Fraudsters posing as customers in “emergency” situations on the phones.
  • Not logging off of a workstation in the office before stepping away.
  • Logging into a network openly in public places, where credentials and screens can be observed.
  • Non-adherence to physical security protocols (unverified people admitted or not escorted in work environments).
  • Logging into a private network from publicly available workstations.

Keeping hackers off your network is a tough battle. A lack of adherence to best practices by your people can make things a lot easier for bad actors seeking to penetrate your network’s defenses. It might be a good time to reintroduce the best practices followed by your organization, with a focus on the potential damage that can be done if these basic strategies for data protection are not followed.