What's your security fail?

Unsecured email is just the tip of the iceberg at many companies. Security experts dish dirt on some of the "fails" they have seen in their careers.


Politics and partisan posturing aside, the fact that Hillary Clinton and Jeb Bush as secretary of state and governor of Florida, respectively, played it fast and loose with email security protocols for the sake of convenience is shocking.

To be sure, the ways in which Clinton and Bush circumvented controls differed a bit, according to reports that have come out recently. Clinton accessed work-related emails from her personal device, an error compounded by the discovery that the State Department did not automatically archive many of these emails. Bush, for his part, was more open about his use of a personal email address to handle state business -- he had been known to communicate with the press using it on occasion -- but he did discuss sensitive matters on some of these emails, like troop deployments in the Middle East.

Shocking or not, Nigel Johnson, vice president of business development at email data protection company ZixCorp, says he is not surprised: he sees such lapses all the time among his business clients.

"We constantly see companies gambling with unprotected email," he tells me.

"They are taking a calculated risk in deciding not to implement email encryption and instead, opt for convenience over protection. When you think about the documents regularly shared over email -- financial information, customer information -- it is surprising so many companies take this risk."

Maybe Clinton's and Bush's respective mini-scandals will drive home to companies the dangers of using insecure email -- but probably not. The 2014 breach of Sony Pictures Entertainment had been on the company's radar as a possibility for close to ten years, but addressing it was deemed too expensive, Johnson says.

"During an audit in 2005, Sony’s executive director of security, Jason Spaltro, was told Sony’s security practices were insufficient. Instead of investing in adequate solutions, Spaltro decided to take a risk and was quoted by CIO.com as saying: 'It’s a valid business decision to accept the risk of a security breach. I will not invest $10 million to avoid a possible $1 million loss.' This highlights the mindset the entire security industry is fighting against," Johnson explains.

So when ranking companies' security mistakes, lax email controls sit pretty high on the list. Unfortunately, security experts go on to say, that list can be a long one.

After a round of calls and emails to the security industry, I came up with some of the more blatant fails and how companies can address them.

Security fail: An employee who is free to click on any link or download any file that comes his way at work, or who can coast by for an extended period without updating security controls.

The solution: Don’t rely solely on employees as a company's front-line defense, says Jason Kennedy, director of business marketing & product management for Intel’s Business client group. Hardware can carry a lot of the burden, he tells me, pointing, not surprisingly, to Intel's own product line such as the 5th Generation Intel Core vPro processors, which have been equipped with such features as policy controls for IT, identity protection and remote access.

"This lifts some of the security burden off of the shoulders of enterprise workers, empowering them to be as productive as possible," he says.

Security fail: Internal email address lists that are open to anyone. "All it takes is one malicious email from a compromised account or a disgruntled employee to take down an entire organization," says Morey Haber, VP of technology at BeyondTrust.

"I am aware of one organization that was completely offline with federal investigators involved because the attachment contained graphical images that are a felony to possess. Imagine that being in everyone’s inbox and smartphone."

The solution: Duh. Treat your internal distribution lists as sensitive data: limit who can see the all-staff address and who is allowed to send to it.
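One concrete way to apply that advice, added here as an example and not drawn from the article or from BeyondTrust: in an Exchange (on-premises or Exchange Online) environment, first list every distribution group that accepts mail from unauthenticated senders, then lock down the company-wide list so only a named sender group can post to it and the address is not published in the address book. The session setup is assumed to already be done, and the group names "All Staff" and "Internal Comms" and the moderator address are hypothetical placeholders.

```powershell
# Added example (not from the article). Assumes an Exchange Management Shell or
# Exchange Online PowerShell session is already connected. "All Staff",
# "Internal Comms" and comms-owner@example.com are hypothetical names.

# 1. Audit: find distribution groups that do not require authenticated senders.
#    Such a group can be mailed by anyone on the Internet who knows or guesses
#    its address, which is exactly the exposure described above.
$openGroups = Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { -not $_.RequireSenderAuthenticationEnabled } |
    Select-Object Name, PrimarySmtpAddress,
                  RequireSenderAuthenticationEnabled,
                  AcceptMessagesOnlyFromSendersOrMembers

$openGroups | Format-Table -AutoSize

# 2. Harden the company-wide list: only authenticated senders, and among those
#    only members of a small, named sender group may post to it.
Set-DistributionGroup -Identity "All Staff" `
    -RequireSenderAuthenticationEnabled $true `
    -AcceptMessagesOnlyFromSendersOrMembers "Internal Comms"

# 3. Optional: instead of silently rejecting everyone else, hold their messages
#    for a moderator so legitimate one-off announcements still get through.
Set-DistributionGroup -Identity "All Staff" `
    -ModerationEnabled $true `
    -ModeratedBy "comms-owner@example.com"

# 4. Keep the address out of the global address list so a single compromised
#    mailbox cannot trivially discover and target it.
Set-DistributionGroup -Identity "All Staff" -HiddenFromAddressListsEnabled $true
```

Re-run step 1 after the changes; the all-staff list should no longer appear in the output, and any other group that does appear deserves the same questions: who needs to send to it, and does it need to be visible to everyone?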

Security fail: Assuming your security auditor is infallible. "As a security professional, I have seen too many times bad advice passed from auditors to teams based on misguidance or a lack of understanding of a regulation," Haber says.

The solution: Ask questions about everything on the security report and understand how the findings were determined. "Auditors are human, too," Haber says.

Another variation of that theme is assuming someone else on a team will catch a mistake, says Tim Prendergast, CEO of Evident.io. His proposed solution: A strong working relationship between security professionals and engineers so that collaborative security reviews "happen much earlier than the day the code goes out the door."

"This is especially critical in DevOps shops, where code can be deployed many times a day," he tells me. "The only way security is effective is through a team effort -- not a confrontational exchange between security and DevOps."

If none of these hit home for you, don't worry, there's more. In an upcoming post, security experts will talk about companies that emphasize network-based defenses while overlooking other infection pathways, the tendency to believe in "good" websites and the inclination of the C-Suite to keep security siloed in IT. So which is your security fail?

This article is published as part of the IDG Contributor Network.
