While I do believe some of the analogies to be somewhat erroneous, I find myself broadly agreeing with the points raised in this article about current security practices.
We in the industry often find ourselves focusing on the more technical issues – patches, penetration testing etc. These fall well within the IT department’s sphere of understanding. They are sexy issues.
Certainly they are more interesting than matters of staff training, but, as the article points out, training is likely to be a much bigger win than ensuring everyone is using 28-character passwords or that company computers get patches the second they are available.
“Employee training sometimes gets a bad rap because it doesn’t alter the behavior of every employee who takes it,” he said. “But if I can reduce the number of security incidents by 30 percent through a $10,000 security awareness program, doesn’t that make more sense than spending $1 million on an antivirus upgrade that only reduces incidents by 2 percent?”
I am a big fan of the “strength in depth” approach to IT security and I believe that one should never rely too much on one technique. It doesn’t hurt to lock things down – decent passwords are certainly not going to do any harm – but I agree the big hits are probably going to be elsewhere.
However, all the fancy security software in the world is not going to stop untrained staff from doing something ‘unfortunate’ like sending the bank details of 25 million people through the post on two unencrypted CDs.
Crucially, for real security I think one should plan for failure and make sure that it is not the end of the world if something does happen. Backups, encrypting confidential data, and ensuring you have a firewall set up and configured correctly are all parts of a consolidated defence.
In short: make sure your doors and windows are locked, but keep valuables out of sight and make sure you’ve taken out an insurance policy… and tell your flatmate not to let dodgy masked men with “swag” written on a sack wander around your apartment.