Security layers and guidelines are usually seen by the everyday user as a necessary evil. However, without the right mindset no amount of guidelines or even technical security measures will protect the integrity of the server and its data. The thought process often goes along these lines:
- I will not get attacked!
- I don't have any data that needs protection!
- Why would someone be interested in our data?
- My actions can't have severe security implications!
- What could actually happen to me personally?
- But it is so annoying and time consuming!
Here are some of the responses to such a mentality:
- It will happen! Hundreds of attacks are executed against simple personal web pages that really don't hold any interesting data. Many attacks are automated and don't require any manpower at all, starting with simple automated password-guessing attacks against whatever login is exposed.
- Just because data seems unimportant to you doesn't mean other people will think the same (especially your clients or business partners).
- "Some people just want to watch the world burn," and others hope to gain a monetary benefit, either by ransoming the data back to you or by threatening to publish it on the internet.
- Unless someone has a fundamental understanding of the network, permission and application structure, it's almost impossible to know where a seemingly minor security infringement could cause severe damage. Even server administrators or software developers may not see the implications in their own network or application at first.
- As an employee you could get fired for careless behavior or, depending on where you live, even face legal action. As a server administrator or company owner you can be held legally responsible for all kinds of security infringements (even if they are committed by your employees or indirectly caused by third parties).
- It is far more time consuming to call your employees, customers and suppliers to tell them that their information has been compromised. In case of data loss you'll have to pay large sums for data recovery, potential legal fees, etc.
A guideline and training for IT security and user data is a must for every person, but it's even more important to live these security guidelines in a top-down approach. Only if management has a positive attitude towards them will the other employees follow. As soon as someone doesn't understand a certain guideline, make sure to explain the reason behind it, and if you hear someone complaining about it, try to change their opinion by conveying your positive view. Even by merely agreeing that the guidelines are annoying, management or team leaders can undermine the integrity of the policy.