
Security Featured Article


October 22, 2008

Top 10 Security Rules For Today's World

By TMCnet Special Guest
Jon Heimerl, Director of SecurCompass development, Solutionary, Inc.


Many of the security disasters in today’s enterprises are born not of brilliant cyber villainy, but of the sort of simple mistakes that employees make when rushing, taking shortcuts, or generally just getting lulled into security complacency. When you read through the major breach stories, there is usually something at the root that was eminently avoidable.

 
Here are ten reminders that can help your company stay out of the headlines — and the courtroom.
 
1. Remember the “KISS” principle – Keep Information Security Simple. Security should not interfere with or overcomplicate work. The intent of security is to ensure that you protect your staff, your important information, and the important information of your clients. Security should help you get your work done in a safe manner. Without good security, your people and information are at risk, and no one wants that. Eighty-five percent of security is good old common sense. Don’t leave that sensitive client data in your car in the hotel parking garage. Don’t work on that client project on the airplane; you know that guy in the seat next to you is looking. No one wants to hear the words “upset customer” and “lawsuit” used in the same sentence.
 
2. “Password” is not a good password. Use good, strong passwords. Use eight lower and upper case characters (a-z, A-Z), numbers (0-9), and special characters (!@#$%&*_-.,). Don’t use a version of your user ID, and don’t just use words out of the dictionary; make it harder than that, but don’t make it too complicated to actually remember (refer back to the KISS principle). Combine words and add extra characters. Fuzz3!ball is actually a pretty good password (don’t use it!), and so is OAK1rdrs* (don’t use that one either!). And don’t ever, ever, share your passwords with any co-workers.
 
3. Hate viruses, worms, and spyware. You all have anti-virus software on your computers, or should. Even recent surveys say this is still not universal. Where you have it, this software was set up by IT to update itself so that you have the latest software and your systems are scanned regularly, or as deemed appropriate. If you want to scan more often, schedule more scanning, but if you don’t know what you’re doing, don’t muck with it! Anti-virus software is one of your best lines of defense against the steady stream of viruses and worms with which we are faced. Besides that, know what you are doing in the real world. Don’t open that random e-mail, and don’t just download stuff without absolutely knowing exactly what you are downloading.
 
4. “Encryption” is NOT a dirty word. Encryption technology is designed to help keep sensitive information safe, and we all want that. If that lost laptop had been protected by strong encryption, would <insert bank of the month name here> bank have lost 300,000 records? Use system and/or disk encryption to protect your cool stuff. Products are available to protect your data, especially on mobile systems, and do so in an operationally practical (think “easy”; remember KISS) manner.
 
5. Lock your screen. That “screen saver” doesn’t just protect your screen from burn-in. It helps keep someone else from messing with your computer when you’re not around. Was that you who hit some nasty site or was it someone else while you were in a meeting? Did you pull the new ultra top-secret product design down to your system? Or were you down the hall getting a new cup of coffee? Lock your workstation. Do you trust your coworkers? You’d like to think so. But would you stake your job on it? On all of them? Even that weasely-looking guy who sits down by the copier?
 
6. Don’t forget to lock the door. Some of your security worries would go away if you could guarantee who was, and was not, in your buildings or in what should be controlled space. Unfortunately, you can’t always (or, more properly, probably “don’t always”). Don’t let someone follow you through that badge-only door, especially the outside door, and don’t expect someone else is going to hold it for you. Pull the door shut on that internal lab. Don’t be a jerk about it, but be aware.
 
7. Pretend the police are watching. Don’t download the pirated software, or copy software from work for your home computer. Don’t download the pirated mp3 files. Don’t “borrow” that laptop. Some of these things are illegal, and some are questionable, but all open you to criminal prosecution and litigation.
 
8. Pretend your supervisor is watching. Do you really have time to balance your stock portfolio or manage your fantasy sports league at work? How long did it take you to book that trip to Cancun (airfare, car rental, resort, excursions…)? Just perhaps you would be better off doing that at home, using your own ISP.
 
9. Pretend your mother is watching. Or maybe your mother-in-law. We all use the Internet on a daily basis. We all know what is really appropriate for the workplace, and appropriate probably doesn’t include porn sites, gambling, or online dating sites (especially if you are married). Would you do it if mom was sitting next to you?
 
10. Watch what you are doing. Everybody makes mistakes, and everything breaks. How long before even the best security program meets its nemesis? Do enough logging and monitoring of your environment that when something breaks, you can figure out what happened, recover while minimizing any damage, and make dang sure it never happens again. Ever. This doesn’t mean you have to be monitoring the world (think back to KISS), but appropriate application of logging, log monitoring, and host and network intrusion detection can literally save your skin.
 
In general, never think that you are anonymous on the Internet; always assume a corporate spy or hacker is lurking nearby, and be aware of the simple rules you probably know but which often fall prey to complacency.
 
Jon Heimerl has more than two decades of experience in the security industry and is director of SecurCompass development for Solutionary, Inc., a provider of managed security solutions, compliance and security measurement, and security consulting services.


Edited by Mae Kowalke

