6 Scary Security Practices That Remain Too Common
Security threats evolve rapidly.
Have your security practices evolved with them?
If you’re still clinging to any of the scary security practices described below, you’re not prepared for modern security challenges.
Scary security practices that remain common among some organizations include…
Thinking Antivirus is Enough
In the 1990s, antivirus scanners were able to detect a large portion of threats.
Today, however, many cyberattacks don’t rely on the types of locally run malware that antivirus tools are designed to catch.
Virus scanners are still a useful tool, but they’re only one of many security resources that you should include in your arsenal in the present age of cloud-based, distributed computing.
Relying on Firewalls
For similar reasons, firewalls are also insufficient to prevent modern security threats.
Firewalls help to enforce a security perimeter by separating your systems from the wilds of the public Internet.
The problem with relying only on firewalls, however, is that in many cases you can no longer erect a strong perimeter between your network and the Internet.
For example, if you use public cloud resources, or permit employees to bring their own devices onto the network, enforcing a network perimeter is not feasible.
Firewalls are still useful for protecting internal applications or data that can be completely ensconced behind a network perimeter.
But don’t expect firewalls to be able to protect all of your digital assets.
Sharing Login Credentials
Setting up individual access for each user of a shared database or application is complicated.
As a result, people still do things like store passwords in a shared spreadsheet or Word file.
That’s convenient, but it’s not secure.
Even if you take measures to encrypt the password file, you’re asking for trouble first by having it exist at all, and second by sharing it among a group.
A much better security practice is to make sure that each user has unique credentials for each application or database that he or she needs to access.
And if you have to store passwords somewhere, you should use a secure password manager, not a spreadsheet or document.
Relying on Passwords Alone
On the topic of passwords, if you’re relying on passwords alone to secure your data and software environments, you’re falling short of being as secure as you can be — even if your passwords are securely managed.
Two-factor authentication — which means requiring an additional authentication step, such as entering a code you receive through text message, on top of logging in with a password — is becoming more and more common.
Wherever possible, you should take advantage of two-factor authentication.
Sure, it makes logins more complex and time-consuming.
If you can prevent a security breach, however, you’ll save a lot of time and effort in the long run.
Thinking Your Mac Keeps You Safe
Macs (and, for that matter, Linux) were once relatively safe from a majority of the cybersecurity threats that affected Windows.
It was debatable whether that was because of a superior security architecture in Unix-like systems (of which macOS and Linux are examples), or the fact that Windows users were a much larger target for attackers.
Either way, the fact is that many of today’s threats, such as Heartbleed, are server-side attacks that affect all operating systems equally.
The attacks exploit vulnerabilities in Web-based apps, or in protocols used to encrypt or transfer data.
So, even if your entire organization uses Macs, you’re not free from worries about security breaches.
Forgetting to Disable Previous Employees’ Credentials
It can be easy to forget to disable an employee’s accounts when he or she leaves your organization.
In some cases, it’s difficult even to know which accounts the employee set up.
Yet keeping track of the accounts associated with each employee, and disabling or deleting those accounts as an automatic part of the employee offboarding process, is essential.
If you keep accounts active when they are no longer necessary, you needlessly increase your risk of security intrusions.
You also leave open the possibility that a former employee can access sensitive data or applications, which can be a compliance problem.
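As an added example that is not part of the original article, the following Python script shows one way to make the offboarding check described above routine: reconcile an HR roster against an account inventory and flag any account that is still enabled after its owner's termination date, as well as any account with no recorded owner (which nobody can offboard). The roster and inventory here are constructed sample data, and the field names (`employee_id`, `owner_id`, `enabled`, and so on) are assumptions about what an HR or identity export might contain, not a real product's schema.

```python
from datetime import date

# Constructed sample data: an HR roster and an account inventory as an
# auditor might export them from an HR system and an identity provider.
# Field names are assumptions for this example, not any vendor's schema.
HR_ROSTER = [
    {"employee_id": "E100", "name": "Ana", "status": "active", "termination_date": None},
    {"employee_id": "E101", "name": "Ben", "status": "terminated", "termination_date": "2024-03-15"},
    {"employee_id": "E102", "name": "Cal", "status": "terminated", "termination_date": "2024-05-01"},
]

ACCOUNTS = [
    {"account": "ana@example.com", "system": "crm", "owner_id": "E100", "enabled": True},
    {"account": "ben@example.com", "system": "crm", "owner_id": "E101", "enabled": True},
    {"account": "ben-admin", "system": "db", "owner_id": "E101", "enabled": False},
    {"account": "cal@example.com", "system": "vpn", "owner_id": "E102", "enabled": True},
    {"account": "svc-reports", "system": "db", "owner_id": None, "enabled": True},
]


def find_stale_accounts(roster, accounts, today_iso, grace_days=0):
    """Return enabled accounts that should have been disabled.

    An account is flagged when its owner left more than grace_days ago
    (per the HR roster) or when it has no owner on record at all, since
    an ownerless account can never be caught by an offboarding process.
    """
    today = date.fromisoformat(today_iso)
    terminated = {
        e["employee_id"]: date.fromisoformat(e["termination_date"])
        for e in roster
        if e["status"] == "terminated" and e["termination_date"]
    }
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        owner = acct["owner_id"]
        if owner is None:
            findings.append({**acct, "reason": "no owner on record"})
        elif owner in terminated:
            days_since = (today - terminated[owner]).days
            if days_since > grace_days:
                findings.append({
                    **acct,
                    "reason": f"owner terminated {terminated[owner]} ({days_since} days ago)",
                })
    return findings


def stale_account_names(roster, accounts, today_iso, grace_days=0):
    """Convenience wrapper returning just the sorted account identifiers."""
    return sorted(f["account"] for f in find_stale_accounts(roster, accounts, today_iso, grace_days))


if __name__ == "__main__":
    for finding in find_stale_accounts(HR_ROSTER, ACCOUNTS, "2024-06-01"):
        print(f"{finding['system']:>4}  {finding['account']:<20} {finding['reason']}")
```

Running this on a schedule (and treating any finding as a ticket to disable the account and confirm the owner mapping) turns the "as an automatic part of offboarding" advice into something verifiable. The `grace_days` parameter lets you tolerate a short hand-over window without hiding accounts that have been orphaned for months.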