Top 10 Dumb Computer Security Notions and Myths - eWeek.com

Nov 23, 2011
3 minute read


1. We'll Do Security Later

This kind of thinking is very common during a merger or an acquisition or when the company is rushing out a new product. Since systems and networks are continuously evolving and getting more complicated, it is always difficult to retrofit security at a later date. Security should be considered from the start, not afterward.


2. We'll Do Privacy Later

The same erroneous thinking applies to privacy as to security: It might seem more important to get a new Internet service up and running and to start building up the online buzz before all the privacy policies and protections are in place. Organizations have to comply with a mishmash of regulations to ensure user privacy, so it's best to have all the ducks in a row before the regulators come knocking.


3. Encryption Is Enough

After practically every data breach, the organization is criticized for not encrypting the data. While encrypting sensitive data is important, it's equally important to think about the architecture and make sure the network itself is still secure. Insiders still have to be monitored to ensure they aren't abusing their privileges. People expect encryption to solve all problems, forgetting that implementation flaws, such as improperly storing the keys, can render encryption moot.



4. One Tool to Defend Them All

Pick the security technology, and there’s someone out there convinced that it is the cure-all and the only thing needed for security utopia. It doesn’t exist. While there are excellent antivirus, intrusion prevention, network monitoring and forensics tools available, none of them can do everything. Security tools are specialized, and there is no silver bullet. Focus on layered security, not a one-size-fits-all approach.


5. Security Must Be Perfect

Some executives have the attitude that if security can't be guaranteed, then it's not even worth talking about, which puts the security professional in the position of having to downplay security risks or over-promise security. Organizations need metrics to measure risks, decide when security is "good enough" and then focus on other areas. Security is about balancing protection and cost.


6. Security Is Easy … DIY Security

It's easy to look at the landscape and available technology and conclude that it can't be that hard to take charge of security. However, it's best to let people who have done it many times and know what they are doing take charge of security, instead of handing it over to someone who may not know how to deal with rough spots or unexpected situations. "How hard is that?" Plenty hard. Leave security to the professionals.


7. Find and Patch Is Sufficient

While regular testing is necessary to look for and patch flaws, it's not a replacement for security by design. All penetration testing does is find holes to plug in a product that is already broken, which forces the organization to always be reactive. True security is making sure the common issues are not in the application in the first place, and then addressing the subtle, more complex problems that are discovered down the road.



8. We Aren't a Target

Wrong! Practically every organization, big and small, in all industries is a target. The threat actor can be a frustrated insider, a disgruntled ex-employee, a person out to make a political point, a cyber-criminal looking for the fastest way to make money or a corporate spy. The Sonys of the world aren't the only ones under attack. Small credit unions and mom-and-pop operations are targeted, too.


9. No One Knows About It

Security by obscurity sounds good in theory: If the attacker can't just Google the software you are running to find known vulnerabilities, then surely it's safe from attack. Yet the most common attack vectors are cross-site scripting and SQL injection, attacks that are easily preventable but often overlooked by developers, and that depend on no knowledge of which product is behind the site. If an attacker really wants to get in, they will do the research necessary.
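The two attack classes named above, as an added example that is not from the original article: a user lookup and a greeting written the way developers often overlook, next to the parameterized query and output encoding that prevent them. The in-memory table, user records and inputs are constructed for the demonstration.

```python
import html
import sqlite3

def make_db():
    # Constructed in-memory table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn

def lookup_vulnerable(conn, name):
    # Input spliced into the SQL text: a quote in it changes the statement's
    # structure instead of staying data.
    query = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(query)]

def lookup_safe(conn, name):
    # Parameterized query: the value travels separately from the statement
    # and is never parsed as SQL.
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def greet_vulnerable(name):
    # Raw interpolation into HTML: markup in the name is rendered as markup.
    return "<p>Hello, %s!</p>" % name

def greet_safe(name):
    # Encode for the HTML text context so the name is displayed literally.
    return "<p>Hello, %s!</p>" % html.escape(name, quote=True)

def demo():
    # Constructed inputs: one that breaks out of the SQL string literal,
    # one that carries HTML markup.
    conn = make_db()
    sql_input = "x' OR '1'='1"
    html_input = "<b>bob</b>"
    return {
        "sql_vulnerable": lookup_vulnerable(conn, sql_input),  # every e-mail in the table
        "sql_safe": lookup_safe(conn, sql_input),              # no such user: []
        "html_vulnerable": greet_vulnerable(html_input),
        "html_safe": greet_safe(html_input),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable lookup hands back every row because the input rewrote the WHERE clause; the parameterized one returns nothing, since no user has that literal name.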


10. We Just Need to Train the Users

It's another idea that sounds good in theory, but it's no excuse to skimp on the technology. Users need to be taught not to click on dodgy attachments, but they also shouldn't be seeing those files in their inbox in the first place. It's difficult for even the savviest Internet user to identify some of the latest scams. While technology can be patched, the human brain can't.
