I know this is basic stuff, but apparently we still need education on choosing a good password. It amazes me to know that if I ever wanted to log on to a client’s workstation, I can usually do this by entering their last name, their spouse’s name, their pet’s name, or just typing “password1.” If these methods fail, I could just read the yellow sticky note attached to their computer or lying in their desk drawer.

Want to have something like this at your company? We will send you a set of “Don’t write your Password on this” Post-It notes for FREE. Simply contact us and we will ship them out!
Forget worrying about genius hackers with brilliant techniques for breaking into your system. Why would a hacker need to know how to break into a system when they could simply log on, and not even risk detection? No matter how strong your security is, it can always be trumped by a poorly chosen password that is easily susceptible to brute-force attacks or social engineering. So let’s go over the rules again.
Your password should not be:
What your password could be:
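To show how a workstation or help-desk policy can catch exactly the passwords described above (a last name, a spouse’s or pet’s name with a digit tacked on, or “password1”), here is an added example of a password-acceptance check. It is not code from the original post; the common-password list is a small constructed sample, the user profile is constructed, and the 60-bit keyspace threshold and 4-letter minimum for personal terms are assumptions of this example.

```python
import math
import re
import string

# Constructed sample of common passwords (a real deployment would load a large breach-derived list).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}

# Maps common leetspeak substitutions back to letters so "p4ssw0rd" compares to "password".
LEET = str.maketrans("013457@$", "oleastas")


def _normalize(s):
    """Keep only a-z so names with spaces, apostrophes or hyphens compare cleanly."""
    return re.sub(r"[^a-z]", "", s.lower())


def personal_terms(profile):
    """Words an attacker guessing from a user's profile would try first.

    Terms shorter than 4 letters are skipped (assumption) to limit false positives
    from substrings like 'ann' inside unrelated words.
    """
    terms = set()
    for value in profile.values():
        for part in re.split(r"\s+", value):
            n = _normalize(part)
            if len(n) >= 4:
                terms.add(n)
    return terms


def strip_decoration(pw):
    """Remove trailing digits/symbols people append ('password1', 'Fluffy!')
    and undo trivial leetspeak, returning the lowercase letter core."""
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return _normalize(base.translate(LEET))


def keyspace_bits(pw):
    """Estimate the brute-force search space from the character classes used."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw, profile, min_bits=60):
    """Return the list of reasons a password is rejected; an empty list means accepted."""
    reasons = []
    core = strip_decoration(pw)
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    for term in personal_terms(profile):
        if core == term or term in core or (len(core) >= 4 and core in term):
            reasons.append(f"derived from personal information ({term!r})")
            break
    bits = keyspace_bits(pw)
    if bits < min_bits:
        reasons.append(f"brute-force keyspace too small ({bits:.0f} bits < {min_bits})")
    return reasons


if __name__ == "__main__":
    # Constructed user profile standing in for what a help desk or HR system knows.
    profile = {"last_name": "Johnson", "spouse": "Mary Ann", "pet": "Fluffy"}
    for candidate in ["password1", "Fluffy1!", "johnson2024", "Correct-Horse-Battery-9"]:
        print(candidate, "->", check_password(candidate, profile) or "accepted")
```

The check deliberately strips the trailing “1” or “!” and undoes leetspeak before comparing, because those decorations are the first thing a dictionary attack adds; the keyspace estimate is an upper bound, so a password that fails it is certainly weak, while one that passes still has to clear the personal-information and common-password checks.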
This is an issue I often encounter with companies that want us to make sure they meet compliance standards like HIPAA or PCI DSS. They either think security and compliance are the same thing, or they focus only on compliance and not on security. While compliance definitely improves the security of an enterprise, it has the side effect of creating a false sense of security. Being compliant is simply not the same as being secure.
Compliance is like a snapshot of good, not great, security practices. But unlike compliance, security isn’t a goal, it is a process – and it is ongoing. There is no secure place in the world; there are only constant efforts to make things as secure as possible.
Have we learned nothing from the recent breaches of Heartland Payment Systems, Inc. and RBS WorldPay? Those organizations passed their PCI audit scan, yet hackers were able to capture hundreds of millions of transaction records in one of the biggest breaches in history. Were these organizations compliant? Yes. Were they secure? Apparently not.
It’s often the attitude towards security that is to blame. Enough money will be provided to meet each compliance requirement, but sometimes not a cent more towards the security budget. If a security expenditure is not required for compliance, it is a low, or even nonexistent, priority.
But security isn’t about collecting checkmarks on your compliance audits while ignoring practical security concerns along the way. Here is a great quote from Bill Sieglein regarding the difference between being compliant and being secure: “There might be a requirement for a door and so we install a door. Unfortunately the door is pointless without a lock but the requirement did not ask for a lock and so we did not get one.”
The correct attitude to have is to focus on actual security first and compliance second. Are sensitive data and systems protected? Is each unique risk of the enterprise addressed and properly managed? If so, then that’s great. Now you can ask what must additionally be done to satisfy compliance requirements. More often than not, you’ll find you have already done it.