The world of IT security is full of misinformation, disinformation, confusion, and myths. This has become the case for a variety of reasons. In the case of antivirus products, many people still hold myths about them and are not aware of what a malware program is or what it can do. Attackers spread myths and mislead the public about malware. Good security practice is about sorting through these myths and making sure that your information security policies are built around reality instead. Often this involves accepting that no one practice, idea, or piece of software will protect data one hundred percent. Good security practice ensures that IT officers have a full understanding of the complex realities of IT threats.
One security practice is enough:
- One widespread myth accepted by companies trying to secure their data is that a certain product or practice can secure their data passively, on its own.
The fact is that companies should plan their budget when spending on software and hardware, and keep funds in reserve so that they get the maximum benefit from those purchases.
This means that no matter how much effort and money goes into finding the most capable security software, more resources will also be needed to hire people with the knowledge to use it properly and to teach others how to do so. Maintaining this level of knowledge in the face of an ever-changing world of security threats also requires attention and resources. Instituting any IT security practice starts with hiring people with deep knowledge of the subject, and with actively spending resources to keep them and other employees educated about how the world of IT threats and security is evolving. In any case, the passive approach to IT security is no longer enough in the current climate of complex threats, if it ever was in the first place. What is needed is IT management solutions that focus on tracking the flow of data through the entire environment, together with holistic (whole-system) approaches to IT security. It is not enough to have a good anti-virus program for protection.
The same is true of a number of other security practices. Neither a good firewall nor encrypted data is enough on its own. In the case of a firewall, relying on it alone is a big risk: once hackers get past the firewall, one way or another, the data is at risk unless other practices are in place. Hackers also have plenty of ways to get around data encryption. In many ways, one security practice or program is never enough, as much as we might like it to be.
Mac and Linux are impervious to hackers:
- Another myth is that Mac and Linux are impervious to attack compared with Windows.
While it is certainly true that Windows is the biggest target for malware, Mac and Linux come with their own vulnerabilities. This is becoming especially true as these platforms become more popular in the professional world. Linux in particular is becoming a potential target, as software for Linux is not patched as frequently or as diligently. The lack of attention that this myth encourages looks like it may become a self-fulfilling prophecy as Mac and Linux are used more and more for sensitive data.
Penetration testing should be at the end of development:
- There is also a myth that performing “penetration testing” towards the end of software development is a good way to find and patch vulnerabilities.
McGraw points out two serious problems with this. Software developers will often hire supposedly reformed hackers to do this penetration testing. One problem is simply trusting that these “reformed” hackers will report all the vulnerabilities they find, instead of exploiting them themselves or selling the information to other hackers. The other problem with this “pen testing” is that it is much more expensive to fix software vulnerabilities towards the end of development. It is much more practical to fix vulnerabilities as early in the development process as possible. Using penetration testing alongside “design review, code review, and security testing” is a more comprehensive approach.
Security vendors are the best:
- It is also a widespread myth that security vendors have your and your company’s best interests at heart.
While they do succeed by making an effective product, a world devoid of viruses, malware, and other security threats would not be good for their business. Trusting these companies to behave otherwise can lead to problems. While it is unlikely that there are any behind-the-scenes conspiracies involved, a security company might, for example, release a study that highlights a threat its product protects against. Security vendors benefit from a culture of fear in the IT world, especially fear of a threat that their product is built specifically to defend against. This can lead to ignoring the problems that their security software is not designed to address. Some experts believe that this culture of fear needs to be taken with a grain of salt.
We can ignore mobile security:
- Data loss and security breaches are a new epidemic that is only now getting out of hand.
Terms like “epidemic” are thrown around a lot in these discussions, but the percentage of companies reporting unauthorized system use has actually dropped in certain recent years. Often, discussions of mobile security put the situation in terms that lead readers to believe that the problems with mobile security are new, and thus especially threatening.
We can go a step beyond this myth: many malware and mobile issues are well known, and mobile users can learn about them in order to prevent them. Mobile security providers also frequently release patches to address further threats.
Technical language is not a barrier in IT security:
- Another especially widespread myth is that data security is the domain of techies, and that the business side cannot contribute to solving these problems.
In fact, discussions about information security should be held in plain English rather than in highly technical language, so that they reach non-technical people. A technical language barrier limits understanding, makes the subject seem harder than it is, and adds no value. Security belongs at every level of the business, because it concerns people, business processes, and technology alike.
Allowing security to be considered strictly “tech territory” allows another myth to go unchecked: that security reduces usability. With well-designed, user-friendly security software, this myth is simply untrue. Discussing IT security in plain English is important to dispel this myth as well.
We can control users:
- An essential myth to dispel is the “we can regulate users” myth.
This myth says that in a Bring Your Own Device situation, you can control whether the devices are used in a secure way or not. In reality, companies in this situation need to focus on expanding their control of the data itself, rather than expecting to control how uninformed users use their devices.
Security divisions are good:
- Physical security and data security are considered to be separate; to achieve real security, this should not be the case.
If computers with access to sensitive data are physically accessible, all the IT security in the world might not do much good. Historically, different departments have handled physical security and information security, but this is a tradition worth breaking.
Small data carries no value:
- There is a notion that some companies, and some data, are not worth bothering to protect, because the company is too small or its information seems of little value.
Even small companies that do not hold credit card data need tight information security. The truth is that every piece of data has its own value, and criminals are always looking for such data to use for nefarious purposes.
Not all applications are important:
- On a similar note, another myth says that only high-value and high-risk applications need to be protected.
This is not true, since any application can serve as a gateway for hackers into a system; once inside, they can reach higher-value data and applications. Entire systems need to be secure in order for any data contained in them to be secure.
A common theme among these myths is that one product or practice can be put in place and will then passively keep data secure. In reality, security must be achieved with a broad understanding and a variety of practices. Neither software nor practices can be implemented and then left alone; instead, data security must become an active, continuing practice of keeping both software and knowledge up to date. Some of these myths are easy to buy into because they promise quick, one-step solutions to what is in reality a complex, evolving problem. IT security solutions need to evolve constantly as well. The goal of IT security practices should never be to move these concerns off your company’s radar.