There is no doubt that in the last years we have made great progress in Information Security. Gradually, business begin to perceive the idea that security is an area that requires special attention, beyond what many consider “the IT crowd”. However, if it is not good to fall into the doom and gloom, we should not be too lenient: there’s still a long way to go and progress does not always occur at the speed at which, fortunately for criminals, would be advisable or desirable. Every day we see security breaches in organizations with a strong investment in technological infrastructure and security controls, which should give us an idea of the imbalance of forces.
In this line, there are still many errors and beliefs that we can identify as the ten usual errors of SMEs (Small and Medium Enterprises) in Information Security and that mark the way to go these next years.
1. To think that their information or systems do not interest anyone. This is, without a doubt, the main obstacle to the improvement of the information security in an organization: “who may want to attack us?“. There are several powerful arguments against this. First, any equipment is useful for “botnets” or networks of zombie PCs controlled remotely, either a corporate PC or a teenager laptop; if it can be controlled remotely then it can be used with to report spam or attack systems. Secondly, perhaps no one is really interested in those systems, but a worm doing a massive scan could detect by chance a vulnerable system. Finally, many organizations underestimate the value of their information, both for foreign and internal competition: accounting balances, rates of prices, margins, processes of production, innovations, etc.
2. To believe that security is just technical and therefore responsibility of the IT Dept.. To limit the security to its technical side, obviously necessary, leads to neglect controls such as the legal and organizational ones. To manage security incidents and events, perform education on security issues, define responsibilities or address legal requirements are vital aspects to prevent threats such as phishing or social engineering.
3. An antivirus and a firewall are just enough. This is primarily the progress that we talked about in the first paragraph. Few organizations do not have currently an antivirus or a firewall. However, this leads to a false sense of security that makes them to forget that there are many threats, both technical and non-technical, that require more specific measures.
4. To think that security is a product and not a process. This error comes from past times when security was just one thing more of the many tasks within the IT dept. staff. However, things have changed significantly and security has acquired a status of its own. Anyone working in an HR department, production, logistics or accounting performs a daily maintenance, either updating their knowledge, keeping the industrial systems running, implementing new processes or adapting its operation to new legal requirements. The departments adapt to changes constantly. However, security is still considered an area that does not require any maintenance. Nothing is further from reality.
5. Confidentiality is just something of spies and large corporations.. It is true that large corporations and spies sign confidentiality (non-disclosure) agreements. But although many companies still think of them in terms of science fiction, that does not make them unnecessary in the field of the small and medium companies. Suppliers, customers, employees, stakeholders and any natural or legal person with access to the company information must sign confidentiality agreements whose purpose is to protect the information of the organization. Very few times such a small effort brings such huge profits.
6. To forget the security in corporate contracts. Today a simple order form is still in many cases the procedure to contract services. No formal service contract, no confidentiality clauses, no legal requirements nor information about the security measures the provider must apply on the information we provide. Ultimately, security, in all its areas, is still absent in the contracts that many SMEs sign with suppliers and/or customers.
7. Privacy, the great unknown. Although privacy has been a critical issue for the last decade and there are legal requirements in many countries, many companies still ignore their duties in this area and some of those who know choose not to carry out any action. Whether to avoid economic sanctions or “just” social responsibility to the people who gives us their personal data, any company should take the necessary measures to ensure the security of the personal data of their customers, employees, suppliers … (please note this point was adapted from the Spanish Personal Data Protection Act to a more general view).
8. Just to look outside threats. Without the desire to criminalize and despite the mass media news , it is well known in the field of security that most of the security problems come from within the organizations. In some cases, malicious users. But in many other cases it is sheer ignorance: an employee who uses an infected USB, opens an attachment or clicks on a link in an email or simply throws confidential information to the recycle bin. It is essential to adopt a permanent strategy of awareness in information security, including managerial staff that handles sensitive information, to prevent and mitigate risky behaviors for both the organization and the employee.
9. To provide Internet services regardless of their safety. A service offered to the Internet is accessible virtually by billions of people, some of which will have not certainly good intentions. Without losing sight of the necessary legal requirements (in many cases very easy to fulfill) that we have seen, the story repeats again and again: services that contain web forms vulnerable to attacks that existed a decade ago, webservers misconfigured or directly not configured, etc.
10. To forget systems and network management. Last but not least, many companies still neglect the required security maintenance of their servers and networks, leading to vulnerable network devices, WiFi access points that allow a person on the street to access the corporate network, internal databases accessible from the Internet, or servers not updated in years. Without mentioning that this leads to the most absolute ignorance about what happens in the infrastructure of the organization, where an intruder can do whatever he wants. The rest is left to the imagination.
This decalogue of errors, more common than one would think, could certainly be completed with many other specific problems that SMEs commit daily. However, if in a few years we could cross off at least half of these errors, we would have made great strides in securing our companies.