Top 10 Reasons Computer Security Fails

With computer security being so critical to people’s daily lives and failures being so prevalent, one might wonder why this is happening. Here’s my take on what’s led to the insufficient protection applied to so many computer systems.

  1. Most people don’t want to know about security and would prefer to live in the belief that they’re safe. The truth is that most people shouldn’t have to be concerned about their security and privacy. Of course this perspective does not apply to people who are responsible for computer systems. Yet I often see it implied in organizations’ priorities.
  2. Many organizations don’t recognize their risk. They believe they won’t be targets if they’re not the government, critical infrastructure, or a defense contractor. The truth is that every organization with money is a target because some people would rather steal it than earn it.
  3. People have a false sense of security. They believe they’ll be safe if they follow regulatory requirements from Sarbanes-Oxley, PCI, or HIPAA. To be sure, these regulations have raised the bar on security and have driven much of the IT security business for the last 15 years. But they establish a baseline level of security based on best practice, which naturally drives “security by checkbox.” This leads to a rather static security stance that often doesn’t account for the organization’s own risk: passing the audit proves that the controls on the list exist, not that the threats that matter to that particular organization have been addressed.
  4. Even when organizations recognize their risk, they accept a certain amount of exposure. I once ran into a financial organization with a data system that didn’t require a log-on to execute transactions. I asked if they had any fraud and suggested this was something worth fixing. They responded that they saw several hundred million dollars of annual loss on the system, probably to organized crime, but that it was too much trouble to change. The “leakage” was considered acceptable for the amount of money going through the system.
  5. Attacking is easy and defending is hard. The attacker has the initiative and needs to find only one way in, while the defender must cover every path at once. The security team must protect environments with many complex systems that may be integrated in dodgy ways, and business requirements may preclude software upgrades that include critical security patches.
  6. Security is expensive. There’s constant pressure to reduce cost and business leadership often assumes the computing environment is safe (see item #1). Money spent on security isn’t going to help the CIO’s bonus so there’s little incentive to spend on it – until there’s a huge breach.
  7. Security isn’t sexy. People are told they should do more to secure their computers just like they should floss their teeth, change the filter on their furnace, and clean the cobwebs. Folks are busy and it’s easy to put the chores of daily life on hold, especially if there’s something fun going on. Computer professionals are no different.
  8. Security is hard. There are many moving parts, each of which depends on the others in complex ways. This is hard enough to manage when software is new and becomes even more so as it ages. One often runs into “spaghetti code,” where change upon change has been made to a program to the point where nobody quite understands how it works. The more recent move to microservices has made this both better and worse: it allows larger and more capable systems to be assembled, but at the expense of transparency, because each service is small enough to understand on its own while the complexity moves into the interactions between services, which no single engineer sees whole. Engineers are often unaware of how the system actually behaves end to end, and this opacity leads to exploitable vulnerabilities, for example an authorization check that each service assumes some other service performs and none actually does. All of this gets even harder when you stitch applications together the way enterprises do. Yet most enterprises don’t look at software systematically, nor do they actively work to reduce the complexity that increases costs and creates vulnerabilities.
  9. Computer managers have given up and won’t take responsibility. There’s an attitude in the security industry that hackers can’t be stopped and it’s only a matter of time before a system is hacked. This is probably true at some level, but it shouldn’t excuse a lack of effort. I’ve consistently heard CIOs looking to shift blame to staffers for breaches or to buy insurance, neither of which changes the behavior of bad actors or protects computers, let alone the people using them.
  10. Management isn’t held accountable. The common response from hacked organizations is to buy their customers credit monitoring for a year. At one time my credit was covered by three of these policies due to hacks. Target, Premera, Kmart, Anthem, Neiman Marcus, OPM, Home Depot, T-Mobile/Experian, and Equifax are a few of the organizations that have taken this approach. It’s interesting that these credit monitoring services are provided by companies like Experian and Equifax, which have been hacked themselves. It’s more interesting that organizations are finding this sufficient to get them off the hook, even though monitoring only alerts the victim after the stolen data has already been used to open an account or run a credit check, and does nothing to take that data out of circulation.
  11. And a bonus 11th item: The IT industry needs to do more. Most security professionals know about these challenges and lament that not enough is being done. They complain about management misunderstandings, budget constraints, and a lack of interest. They feel placed in a box they can’t get out of. This may be true, but it’s also an excuse. We security professionals are hired to protect environments because our employers don’t understand the details. It’s our collective responsibility to explain situations so that others take them seriously. If people don’t listen, then we must find better ways to communicate the risk and motivate action. The industry has made big strides, and frameworks like those from NIST and ISO are fantastic steps, but they are insufficient by themselves. Security professionals must motivate organizations to adopt and apply these frameworks. Then organizations must realize that simply adopting a security framework does not make them secure. I’ll talk more about this next time.