Four deadly security sins

"If you are an organization that is relying on your employees to do the right thing with respect to security, you've already made a number of mistakes," said Scott Montgomery, global vice president for product management at Secure Computing, in a phone interview with ZDNet Asia.

Montgomery noted that end users are typically the "least educated" of proper corporate security practices and are "most prone to doing things" that do not adhere to the company's security policy.

He highlighted four most damaging security habits that are commonplace among organizations in this region and around the world, and underscored the need for IT administrators to closely monitor these areas.

1. Fixed passwords
The Sans Institute, over the last decade, has identified passwords as one of top 10 most damaging security practices, Montgomery said.

Unlike token-generated or one-time passwords, he noted that fixed passwords do not change and some users may even write them down to avoid forgetting the sequence. As such, fixed passwords are "dangerous" because any person who knows the right password can log into the network and cannot be identified as an imposter, he said.

"Everybody knows that fixed passwords are weak and a problem. It's been the same way for 10 to 15 years, but it doesn't change organizations from investing in it," Montgomery said.

In contrast, the use of one-time passwords has been found to "dramatically increase the security profile of organizations" because the perpetrator would not be able to compromise the user's credentials, he said.

"Even the use of one-time password on an application-by-application basis dramatically increases your security profile because you can't do…password guessing," Montgomery said. He added that the use of a hardware token for one-time password deployment--whether it is time-based or event-based--is a good way to prevent systems from being compromised.

2. Neglecting inbound threats from e-mail, the Web and instant messaging
When end-users receive a spam message in their e-mail inbox, their administrators have already "lost the battle", Montgomery said. "At that point, you're expecting the users to do the right thing [but] they won't... They don't have any perception of the greater risk of their activities." He noted that e-mail, Web mail and IM (instant messaging) are among the high-risk areas and IT administrators need to ensure data received via these platforms are safe and protected.

3. Forgetting that data traffic is two-way
When keeping the organization's network secure, IT administrators should keep in mind that data traffic is bidirectional and consider possibilities of outbound data leakage.

Montgomery noted that organizations often forget that their traffic is bidirectional and many spent the last several years protecting only the data that enters their networks. "Organizations have been very slow to look at what's leaving their network, in terms of data leakage, due to malicious and criminal intent or that are simply [the result of employee] mistakes," he said.

4. Not encrypting data
Without encryption, data sent and received via email is literally "like putting an ad out in the paper" and for anyone in the public to view, said Montgomery. He added that some users wrongly assume the data they send is private and cannot be seen by the public.

"People who want to read your e-mail will have to look for it to find it, but they can find it if they want to," he said.

"There is a level of protection only if people use encryption in their e-mail, [but] most people don't," Montgomery said.