IT security is one of those areas around which many myths and half-truths have appeared. Now, as a non-technical person, you might be wondering, “But why does this interest me?” The reality is that security is often looked at by non-technical people in terms of the cost to implement, rather than the more accurate question: what is the cost of not implementing it?
Over the years I have read a lot of advertising material from various companies. Some of the claims made in it have ranged from a basic misunderstanding of how security works to just some pure A-grade bulldust.
The following 4 myths are things you need to be aware of when reading advertising material from database vendors. This is hardly a comprehensive list, but if you are a decision maker reading over sales pamphlets, these are certainly a few good things to remember.
Myth #1 – Needing a password means it is secure
One of the worst assumptions that can be made about a system is that because it needs a password to log in, it must be secure. Without getting technical, that password at the gate is not even the tip of the security iceberg.
Having a password at the gate is sometimes worse than having no password at all. How, you ask? Well, if you are like the majority of people out there, who use 1 password for all their accounts, having a password sit on an insecure system means that any successful hackers will not only see all your “secure” data on that system, they will also have the password which will allow them to access any account in your name on any system you use.
Myth #2 – Logos from security companies mean the site is secure
I’m sure you’ve all seen the sites which have the “Secured by ABC” or “Protected by ABC” logos. Often they have pictures of padlocks next to them and a whole lot of gobbledygook about the security settings used. The reality is that placing these images onto a website is child’s play. The images themselves hold no meaning, and whilst companies like Verisign and RSA spend a lot of time making security products, nothing stops a less-than-honest company using those logos without authorisation.
Myth #3 – Encryption means the data is secure
Encryption is one of those things that works only if it’s been done properly. I’ve seen some marketing departments come out with absolutely crazy lies about the encryption which their websites use. How did I know they were crazy lies? Because what they said they do is technically impossible or has holes big enough to drive a truck through.
There are some general rules to remember when a company is promoting its encryption.
- Anything more than a trivial amount of encrypted data cannot be quickly searched.
- If the company has the ability to reset your account’s password, then they can also decrypt your data any time they like as well.
- Weak encryption is useless, with some weak encryption algorithms able to be broken in seconds by even moderately powered desktop computers.
Myth #4 – We’re too small to be a target
This is often the excuse used by smaller IT companies and software houses when they try to justify their lacklustre security. The reality is that anyone on the web is a potential target. Certainly financial institutions, large multinational companies and government agencies still remain the top prize for the hackers of this world, but a large number of the successful attacks are against the companies which consider themselves too small to be a target.
This is not to try and scare you off from using IT systems in your business. In fact, quite the opposite: I’d love it if you were using an IT system in your business, and I’d love it even more if that IT system came from us. It is just that when choosing a system, security needs to be as much a consideration as how cool the system looks and how wonderful its features are.