Corporate America's dumbest security bungles
No security measures, processes or procedures are failsafe, but too often vulnerabilities arise when straightforward security steps could have prevented them. Roger G. Johnston, a member of the vulnerability assessment team at Argonne National Laboratory, presents a number of all-too-common blunders that leave organizations at risk, in an article by Bill Brenner at CSOOnline.
While having no security policies seems like the worst option, having poorly thought-out policies can increase an organization's vulnerability, according to Johnston. If the rules make employees feel like they are being treated like children or like the enemy, those rules can turn the employees into insider threats.
In a similar fashion, insipid HR policies can turn good employees into bad ones. Phony grievance processes, bully managers and poor expectation management can generate disgruntled workers. It's also a mistake to assume that low-level employees pose no risk.
There are several reasons that organizations make these kinds of security mistakes, according to Johnston. Committees that don't know what they're doing often make the rules; too much faith rides on procedures and authorities; and "security theater" is easier than prevention.
"In the interest of following the American way, we will do nothing until there's an incident. Then we will massively overreact," Johnston said.
For more:
- see Bill Brenner's article at CSOOnline