What is the big threat

I still contend that all of the technology in the world is no good if we do not address the biggest threat that we face. Every organization faces it. It is an issue inside of security teams as well as throughout the rest of every organization. We need to address the mind-set of the user base. We need to change the way people view computers and how we use them. We need to change the way people interact with the data that we use, create, and manipulate every day.

People are very cavalier with data and computers. they have no problem moving data to the most convenient location and moving it back again. They download data from a production server to their local laptop to take home for an evening of data crunching and then upload it into the corporate database in the morning. They connect their personal SmartPhones to the corporate network, synchronizing personal and corporate mail systems and calendars. Corporate data can find itself left on the back seat of a car or in the overhead compartment of an airplane. A presentation containing confidential information can be loaded onto the pocket sized device of an individual and can land in the hands of a pickpocket on the train. With all of this mobility Users insist on ease and convenience. They rebel against encryption which slows down their system's performance or ask for an extra password. They object to security measures that prevent corporate data from being loaded onto mobile devices or local systems. Any system that might interfere with their old habits or personal method of doing business is not tolerated. Loopholes, shortcuts, and other failings in the security systems eventually lead to the break down in the system and vulnerabilities show up. People use these critical systems for personal pleasure further exposing the corporate data to other vulnerabilities and eventual breach.

If we have learned anything from history it is that every security measure will be broken with time. MD5 has been broken with collisions. 64 bit encryption keys are not strong enough. Every aspect of security is a fluid battle, back and forth between the good guys and the bad. No technology is going to be the great panacea that will win this war. The biggest vulnerability facing industry are those caused by incidental exposures; critical data sent clear text over the Internet or left on a laptop, servers left exposed to the public network, or passwords left posted in public view. If we do not get people to change the way they treat the data and reduce the initial exposure, reduce the number of opportunities for the bad guys, then all of the technology in the world will never make a difference. I once saw a picture depicting the most secure network. It showed a bunch of people  standing around looking at a computer locked inside of a room with no way in. This is not the dynamic I am suggesting. I acknowledge that we need to work with the data. But we also need to respect the data. People need to be cognisant of what they are doing. Think about the exposure they might be placing on the data with their actions. Think about the safeguards that have been put in place and be sure that they work inside of them and watch for events that look out of the ordinary. In today's age every computer user should have some level of training provided by their employer so that they are aware of what normal computer performance should look like. They should all be aware of security issues and threats. We are all part of the security systems protecting our networks.