
Five Security Missteps Made in the Name of Compliance

By Bill Brenner, CSO
February 23, 2010 01:22 PM ET

CSO - Compliance pressures often push companies to make security improvements they wouldn't have tackled otherwise. More budget goes toward technology needed to protect customer data. New policies are created to rein in what employees do online with company machines.

But there's a dark side to this story.

In the mad rush to comply -- whether the stick takes the shape of PCI DSS or the Red Flags Rule -- companies sometimes make decisions that weaken their security. Poorly chosen and deployed IT security technology is perhaps the best example; for more on that, see "How to Make Things Worse With IT Security Technology."

Here are five common mistakes as related by IT security practitioners, analysts and consultants.

1. How to Botch Multi-factor Authentication

Many companies have opted to ditch the easily-compromised username and password approach in favor of multi-factor authentication. When done right, a much more secure log-in system is in place. But when it's deployed in a haphazard, hurried fashion in the race to meet a deadline, it can be worse than doing nothing. Niels Groeneveld, information security engineer for a global telecommunications company, has seen such failure up close when trying to help customers. The hurt begins when the implementers decide to make exceptions to the rules everyone should be following.

"I've seen a company implementing multi-factor authentication worldwide in their desktop environment for compliancy reasons. They've spent tens of millions (at least) on this project," he said. "The company added an escape route, because employees often forget their tokens, to ensure they can also log on without those tokens, using their regular username/password combination."

The result, he said, is an environment that is no longer compliant, with multi-factor authentication that doesn't offer real security because it can be circumvented, and "no possibility to apply the concept of non-repudiation" when the token is not used.
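To make the point concrete, here is an added example (not from the article or from the company described) that models the "escape route": a policy is only as strong as the weakest login path it permits, and an audit over constructed logon records shows which sessions used the password-only fallback and therefore cannot be tied to a token holder. The factor labels, record format and policy objects are assumptions made for the example.

```python
from dataclasses import dataclass

# Assumed factor labels; "possession" stands for the hardware token.
METHOD_FACTORS = {
    "password": frozenset({"knowledge"}),
    "password+token": frozenset({"knowledge", "possession"}),
}


@dataclass(frozen=True)
class AuthPolicy:
    allowed_methods: frozenset  # methods a user may log on with

    def effective_factor_count(self) -> int:
        """A policy is only as strong as the weakest path it permits."""
        return min(len(METHOD_FACTORS[m]) for m in self.allowed_methods)

    def is_multi_factor(self) -> bool:
        return self.effective_factor_count() >= 2


def parse_logon(line: str) -> dict:
    """Parse a constructed 'timestamp key=value ...' logon record."""
    tokens = line.split()
    rec = dict(tok.split("=", 1) for tok in tokens[1:])
    rec["time"] = tokens[0]
    return rec


def audit_fallback_logons(log_lines):
    """Return (user, time) for successful logons that used a single-factor
    method; these sessions offer no non-repudiation via the token."""
    hits = []
    for line in log_lines:
        rec = parse_logon(line)
        if rec["result"] == "success" and len(METHOD_FACTORS[rec["method"]]) < 2:
            hits.append((rec["user"], rec["time"]))
    return hits


# Constructed sample log: one token logon, one fallback logon, one failure.
SAMPLE_LOG = [
    "2010-02-23T09:00:01 user=alice result=success method=password+token",
    "2010-02-23T09:05:12 user=bob result=success method=password",
    "2010-02-23T09:07:40 user=carol result=failure method=password",
]

# Policy as deployed (with the escape route) versus the corrected policy.
WITH_ESCAPE = AuthPolicy(frozenset({"password+token", "password"}))
CORRECTED = AuthPolicy(frozenset({"password+token"}))
```

Running the audit on the sample log returns only bob's session, and `WITH_ESCAPE.is_multi_factor()` is False even though a token path exists.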

2. Look, Ma, No Research!

The first example is but a symptom of a larger problem. Companies under the compliance gun are so eager to install technology that will win them a passing grade that they forget to do their homework before going to the vendor.

Jonathan Tranfield, security and risk practice manager and principal at Brookhaven Advisory Services, has seen companies make this mistake.

"I am seeing stressed CSOs throwing in vendor products in a hurry to meet a compliance deadline without adequate research, change management and release management. I have been at two clients lately where this has caused large issues, including one major outage at a bank."

3. Retrofit Fail

There's a very good reason companies need to be doing their homework when making the purchases described in the second example. Bolting a new security tool onto existing infrastructure can be a lot like trying to hammer star-shaped pegs into oval-shaped holes. It's an old problem many companies fail to learn from, said Ed Ziots, network administrator for a company in Providence, R.I.
