It seems logical that any business, whether a commercial enterprise or a not-for-profit organization, would understand that building a secure organization is important to long-term success. When a business implements and maintains a strong security posture, it can take advantage of numerous benefits. An organization that can demonstrate an infrastructure protected by robust security mechanisms can potentially see a reduction in the insurance premiums it pays. A secure organization can use its security program as a marketing tool, demonstrating to clients that it values their business so much that it takes a very aggressive stance on protecting their information. But most important, a secure organization should have to spend far less time and money identifying security breaches and responding to their consequences.
As of September 2008, according to the National Conference of State Legislatures, 44 states, the District of Columbia, and Puerto Rico had enacted legislation requiring notification of security breaches involving personal information.[1] Security breaches can cost an organization significantly through a tarnished reputation, lost business, and legal fees. And numerous regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley Act, require businesses to maintain the security of information.

Despite the benefits of maintaining a secure organization and the potentially devastating consequences of not doing so, many organizations have poor security mechanisms, implementations, policies, and culture.
1. OBSTACLES TO SECURITY
In attempting to build a secure organization, we should
take a close look at the obstacles that make it challenging
to build a totally secure organization.
Security Is Inconvenient
Security, by its very nature, is inconvenient, and the more robust the security mechanisms, the more inconvenient the process becomes. Employees in an organization have a job to do; they want to get to work right away. Most security mechanisms, from passwords to multifactor authentication, are seen as roadblocks to productivity.

One of the current trends in security is to add whole-disk encryption to laptop computers. Although this is a highly recommended security measure, it adds a second login step (pre-boot authentication) before a computer user can actually start working. Even if the step adds only one minute to the login process, over the course of a year (one minute on each of roughly 240 working days) this adds up to four hours of lost productivity per user. Some would argue that this lost productivity is balanced by the added level of security, but multiplied across a large organization, it could prove significant.
To gain a full appreciation of the frustration caused by security measures, we have only to watch the Transportation Security Administration (TSA) security lines at any airport. Simply watch the frustration build as a particular item is run through the scanner for a third time while a passenger is running late to board his flight.

Security implementations are based on a sliding scale; one end of the scale is total security and total inconvenience, the other is total insecurity and complete ease of use. When we implement any security mechanism, it should be placed on the scale where the level of security and ease of use match the acceptable level of risk for the organization.
Computers Are Powerful and Complex
Home computers have become storehouses of personal materials. Our computers now contain wedding videos, scanned family photos, music libraries, movie collections, and financial and medical records. Because computers contain such familiar objects, we have forgotten that computers are very powerful and complex devices....

[1] www.ncsl.org/programs/lis/cip/priv/breachlaws.htm (October 2, 2008).

PART I Overview of System and Network Security: A Comprehensive Introduction