
In the course of my regular IT travels, I often run across folks who ask why it is so complicated to access systems remotely: VPNs, two-factor authentication, encrypted laptops, and the other measures we routinely put in place for clients.

The reason is simple: convenience must never overrule security. While we take every reasonable measure to simplify access and choose solutions that are as convenient as possible, some amount of inconvenience will be necessary.

Let's think about your house, for example. It is inconvenient to have a lock on the door. After all, it requires a key, and we all lose those things! But without a lock, anyone can walk in. The same is true of networks: a lock that is installed but never used provides no security at all.

So what happens when we choose convenience over security? Or, worse yet, when incompetence or ignorance interferes with security? We get a situation like the one faced by Royal & Sun Alliance Insurance (RSA) in the UK, which was handed a substantial fine by the Information Commissioner's Office following the loss of the personal information of roughly 60,000 customers.

Not only is this a public relations nightmare, it is also a danger to the public because their information could be out there in the hands of cyber criminals.

So what happened?

An unsecured, unencrypted network attached storage (NAS) device was in use. It held the records of 59,592 customers, including limited credit card details for 20,000 of them. Enforcement officers found that RSA did not have appropriate measures in place to protect this financial information.

How do I properly store sensitive information?

  1. Sensitive data at rest should be encrypted. That is, whenever the data is not actively in use it should be stored in encrypted form. Everywhere. On laptops, desktops, servers, mobile devices, network storage devices, compact discs, USB thumb drives, USB hard drives... you name it. A device that walks out the door then carries only ciphertext, not customer records.
  2. Use a central identity and access repository such as Active Directory, so that accounts and permissions are managed in one place rather than separately on each device.
  3. Monitor for suspicious activity and suspected intrusions, and act on what you find.
  4. Never permit anyone who is not qualified to secure a network to install, modify, repair, or tweak any part of it.
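To make point 1 concrete, here is an added example (my own illustration, not code from the original post or from RSA) of what "encrypted at rest" means for a single customer record on a storage device. It uses AES-256-GCM from Go's standard library; the record format, the sample record, the share path used as a label, and the function names are all assumptions made for this example. The key is generated separately and is never written next to the data, which is the whole point: whoever takes the device gets the bytes but not the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Hypothetical at-rest record format, assumed for this example:
//   [12-byte random nonce][AES-256-GCM ciphertext + 16-byte tag]
// The key lives elsewhere (a key store, or derived from a passphrase at
// mount time), never on the same device as the data.

// NewDataKey generates a random 256-bit key for AES-256-GCM.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts one record and binds it to a label (for example the
// file path) as associated data, so a ciphertext copied to a different
// name no longer decrypts.
func SealRecord(key, label, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so the record is self-describing.
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// OpenRecord decrypts a sealed record. It fails, without returning any
// partial plaintext, if the key or label is wrong or any byte was changed.
func OpenRecord(key, label, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// LooksEncrypted is a crude at-rest check: the stored bytes must not
// contain the customer's plaintext fields anywhere.
func LooksEncrypted(stored, plaintext []byte) bool {
	return !bytes.Contains(stored, plaintext)
}

func main() {
	// Constructed sample record and path; not real customer data.
	record := []byte("customer=59592,name=J. Doe,card_last4=1234")
	label := []byte("/shares/customers/59592.rec")

	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	sealed, err := SealRecord(key, label, record)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible on disk?", !LooksEncrypted(sealed, record))

	// Correct key and label: the record comes back intact.
	got, err := OpenRecord(key, label, sealed)
	fmt.Println("open with right key:", err == nil && bytes.Equal(got, record))

	// Whoever walks off with the device has the bytes but not the key.
	wrongKey, _ := NewDataKey()
	_, err = OpenRecord(wrongKey, label, sealed)
	fmt.Println("open with wrong key fails:", err != nil)

	// Flipping a single stored byte is caught by the GCM authentication tag.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = OpenRecord(key, label, tampered)
	fmt.Println("tampered record rejected:", err != nil)
}
```

The same principle applies whether the encryption is done per record as here, per file, or by full-disk encryption on the NAS itself: the data on the device is useless without a key that is held somewhere the thief cannot reach. Full-disk encryption is usually the practical choice for a storage appliance, since it covers every file without application changes.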