“Worst Practices,” or praying at “The Temple of Best Practices.”
Few best practices are universal.
An example of a best practice might be locking your car when parking in a big city. Sounds reasonable, but does it apply everywhere? Well, not for a friend of mine who lives in New York City. At least in his neighborhood, a locked car is considered worth breaking into. An unlocked car with nothing in it and a sign in the windshield that reads “No Radio” is far safer.
Best practices are NOT a substitute for thinking and common sense.
A well-accepted best practice is to protect your organization’s network from the Internet with a firewall (we’ll ignore the fact that a few organizations have very effective security without a firewall, e.g. MIT). I’ve seen several places where this best practice has been followed without any application of common sense. For example, a couple of months ago I saw a firewall that was actually configured to let all network traffic in and all network traffic out! Yes, they had a firewall, but it accomplished exactly nothing. More commonly I see firewalls with so many holes that you can drive a truck full of Swiss cheese through them.
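As an added illustration (not code from the original article), the following Python audit checks a rule list for the two failure modes just described: a policy that is wide open in a direction (the firewall that "accomplished exactly nothing") and individual allow rules with neither a source address nor a port restriction (the "Swiss cheese" holes). The rule format is a constructed, simplified abstraction of a first-match-wins packet filter, not the syntax of any particular product, and the sample rulesets and addresses are constructed for the example.

```python
"""Audit a simplified, first-match-wins firewall rule list.

Added example; the Rule format is a constructed abstraction, not any
vendor's syntax. Sample rulesets below are constructed as well.
"""
from dataclasses import dataclass
from typing import Dict, List

ANY = "any"


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" (Internet -> inside) or "out" (inside -> Internet)
    action: str     # "allow" or "deny"
    src: str        # address/CIDR or "any"
    dst: str        # address/CIDR or "any"
    port: str       # "443", "1024-65535", or "any"


def is_catch_all(rule: Rule) -> bool:
    """A rule that matches every packet: any source, any destination, any port."""
    return rule.src == ANY and rule.dst == ANY and rule.port == ANY


def direction_is_wide_open(rules: List[Rule], direction: str,
                           default_action: str = "deny") -> bool:
    """True when every packet in `direction` is allowed.

    Rules are evaluated top-down and the first catch-all rule decides the
    fate of unspecified traffic; if there is no catch-all, the default
    policy does. Specific rules above the catch-all do not matter here,
    because they can only narrow what the catch-all already permits.
    """
    for rule in rules:
        if rule.direction != direction:
            continue
        if is_catch_all(rule):
            return rule.action == "allow"
    return default_action == "allow"


def permissive_rules(rules: List[Rule]) -> List[Rule]:
    """Allow rules restricted by neither source address nor port: the holes."""
    return [r for r in rules
            if r.action == "allow" and r.src == ANY and r.port == ANY]


def audit(rules: List[Rule], default_in: str = "deny",
          default_out: str = "deny") -> Dict[str, object]:
    """Summarise the findings a reviewer would want to see first."""
    return {
        "inbound_wide_open": direction_is_wide_open(rules, "in", default_in),
        "outbound_wide_open": direction_is_wide_open(rules, "out", default_out),
        "permissive_rules": permissive_rules(rules),
    }


# Constructed sample: the firewall that lets everything in and everything out.
NO_OP_FIREWALL = [
    Rule("in", "allow", ANY, ANY, ANY),
    Rule("out", "allow", ANY, ANY, ANY),
]

# Constructed sample: one broad hole ahead of an otherwise sane default deny.
SWISS_CHEESE_FIREWALL = [
    Rule("in", "allow", ANY, "203.0.113.0/24", ANY),   # whole DMZ, every port
    Rule("in", "deny", ANY, ANY, ANY),
    Rule("out", "allow", "10.0.0.0/8", ANY, "443"),
    Rule("out", "deny", ANY, ANY, ANY),
]

# Constructed sample: specific allows, then an explicit default deny.
SANE_FIREWALL = [
    Rule("in", "allow", ANY, "203.0.113.10", "443"),            # public web
    Rule("in", "allow", "198.51.100.0/24", "203.0.113.20", "22"),  # admin SSH
    Rule("in", "deny", ANY, ANY, ANY),
    Rule("out", "allow", "10.0.0.0/8", ANY, "443"),
    Rule("out", "deny", ANY, ANY, ANY),
]

if __name__ == "__main__":
    for name, ruleset in (("no-op", NO_OP_FIREWALL),
                          ("swiss-cheese", SWISS_CHEESE_FIREWALL),
                          ("sane", SANE_FIREWALL)):
        print(name, audit(ruleset))
```

The audit deliberately reports the wide-open case separately from the hole count: a ruleset can pass the hole check and still be useless if an allow-any rule (or a default-allow policy) sits where a default deny should be.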
Best practices are NOT static.
Best practices do have value, especially when they are derived from a large cross section of organizations and experiences. They are a good starting point for doing things right. But the world changes regularly and essentially everything evolves. Best practices must be continuously re-examined and re-validated. This is especially important in a rapidly changing field like information security.
A big part of being successful is avoiding major mistakes.
A major component of success is avoiding major mistakes. Instead of focusing exclusively on implementing “Best Practices,” I suggest avoiding “Worst Practices.” You can do almost everything perfectly, but if you get one thing horribly wrong you can negate everything. A soldier greatly increases his chances in a firefight by doing things right, but one serious mistake and his odds of surviving plummet. An organization can do all the right things in implementing effective security, but a ten-minute firewall misconfiguration can let a hacker come in and establish a foothold. A company can build a great reputation over many years, but one horrible incident can ruin that
Worst Practices in Best Practices
Practices to avoid like the
© Copyright 2002-2015, Demopoulos Associates