The idea of having security is delusional. Security does not exist. The best you can do is make it harder for people or events to breach it or to have a need that is at most a preference.
Take data security. Data is secure so long as the value of the data is less than the cost to get it. If your system holds information on 1,000 credit cards and credit card information is worth $100 each at retail and maybe $10 each wholesale, you had better hope it will cost more than $10,000 to break in. If you have a million credit cards, you can expect a more formidable attack. Eventually someone well financed, patient and focused will breach the system. After they breach it, you will fix the entry point and think you are okay now.
Consider the military idea:
“In the old battle between warhead and armor, warhead always wins.” Tom Clancy
So it is with computer systems, and in fact with all data management systems. If you make it harder to breach, you make it less convenient to use. Making it harder to breach makes it necessary for attackers to find new ways in. You could have a 50-character, complex password which is essentially unbreakable and someone would still find it. How much do you pay your people? If I offered someone three years' pay for the password, would I get it?
It doesn’t matter how hard the password is to breach if there is another method that is quick and simple and affordable.
Find the hacker sooner. According to published information from Microsoft, the average time a hacker is on a system is 140 days. Check logs or provide intrusion alerts. Being forced to get data quickly costs hackers money and reduces the value of the intrusion.
There is one method of providing security. Make it so people don’t want to breach your system.
I know someone who is in a position where he may be hacked. On his computer is a file named passwords. It looks like an encrypted database, but in fact is a nasty virus which is capable of physically destroying any computer that becomes infected. Bummer!
You may recall direct mail was more common once. People didn’t like it, and advertisers sent it because it was cost-effective with about a 2% response. When people began to send back empty prepaid envelopes in protest, costs went up beyond the point of economy, so the direct mail programs stopped.
Defense is very expensive and must work every time. Offense only needs to work once and has many options. Consider your choices for defense. Somewhere between none and a super defense is your best spot. For very little, you can keep amateurs out. There is no amount big enough to keep out the NSA or the Chinese hackers, if they want in. Choose wisely.
Maybe there is something you can do to make the data on your system less valuable. Offline files for very sensitive information might be good, but inconvenient. A trade-off. Reducing system clutter and old information is important.
Watch for obvious things like a too-old firewall, or internet-published email addresses or fax numbers that lead to the computer system without security.
You are not secure. Your data is not private. You should behave as if both of those are true. Security is not absolute but you can reduce the likelihood of a breach and you can minimize the damage if one occurs.
Don Shaughnessy arranges life insurance for people who understand the value of a life insured estate. He can be reached at The Protectors Group, a large insurance, employee benefits, and investment agency in Peterborough, Ontario. In previous careers, he has been a partner in a large international public accounting firm, CEO of a software start-up, a partner in an energy management system importer, and briefly in the restaurant business.