Pragmatic Information Technology Security
Properly trained and pragmatic security consultants, like the ones at New Signature, don’t use scare tactics to hype-sell unnecessary services and products. Instead we work with clients to understand their businesses, understand the real threats, take precautions to minimize the risks, and plan for the contingency if something does happen. Most clients don’t need to worry about evil hackers gaining control of ICBMs in Nebraska missile silos. They should be far more concerned about laptops containing unencrypted sensitive information being lost in an airport, or credit card information sent in a plain-text email over an unencrypted wireless network.
A good rule of thumb to remember is that no security system is perfect. Given enough resources (time, money, etc.), any security system can be compromised. The best example of this in action is ordinary door locks. Most locks, rather than claim they are 85% effective, simply have a label affixed to them that translates to a discrete amount of time. Some locks can be compromised in seconds, others in minutes. Obviously, these compromises are by professionals, and the numbers come down year after year (so a lock with a 5 minute estimate one year might only be 30 seconds the next year). The general point to take back is that if two locks cost $10 each, and one lasts twice as long under attack, everyone would choose that particular lock. Yet when the two locks cost $10 and $100, the risk equation alters significantly.
There are security standards that IT systems can be placed under (to mirror the lock example), but in general, most IT business systems aren’t as secure as their physical counterparts (file cabinets, restricted building areas, etc.). That’s why it’s always important to be skeptical when salespeople make grandiose claims of security. Unlike a file cabinet, a layperson often has to take someone’s word that a system is secure. Nothing could be riskier.
On the flip side, because vendors can’t sell security solutions unless there’s a risk to mitigate, they often play up security flaws that rely upon complicated vectors to spread (users having to jump through several hoops) or narrowly defined parameters (computers that are several service packs behind and have a particular set of applications installed) that exclude most groups of users. Often, security vendors will begin an exploit demonstration by disabling the built-in security processes and then running their “dangerous” code. All of these are misleading tactics designed to scare consumers into purchasing more security products.
By creating this climate of fear, security vendors also encourage ignorance of real threats. Instead of helping clients focus on legitimate security risks (social engineering, privacy concerns, data loss and phishing), they produce needless, counterproductive communications (urban legends, evil hackers, worries about ‘cyber-war’, etc.) that play well in the media but don’t educate the general public.
New Signature applies a pragmatic, no-hype approach to security. Interested in this type of refreshing change of pace? Give us a call and schedule the free network security audit that we offer to new clients.