5 takeaways from OnBase Security Week
During the recent, first annual OnBase Security Week, attendees from within Hyland had multiple opportunities to learn or enhance their knowledge about IT security. Participants joined short, content-rich presentations, practiced security skills alongside knowledgeable security resources, and challenged themselves by attempting the daily “Capture the Flag” task.
Much to the chagrin of one attendee, we didn’t go outside and play Capture the Flag. But it was a fun way for attendees to use what they just learned to complete activities that changed daily.
Whether the attendees were novices, intermediate-level, or security experts, the week delivered a fantastic conference-style event with something for everyone.
As an attendee, I learned a great deal about security during the event. Here are my 5 key takeaways:
1. Know of the OWASP Top 10
If you’re already doing a Google search to understand this heading, you get the idea. The OWASP Top 10 is a consensus document compiled by security experts worldwide on the most critical security risks to web applications. It ranks those risks and presents them in a way that allows non-security personnel to speak with, and understand, security personnel.
If you work in IT security, you don’t need to know each of the ranked risks, but you should at least be able to say you’re familiar with the list and that your organization makes efforts to design and develop products with it in mind. Since your customers know of the OWASP Top 10, you definitely should.
2. Be proactive, not reactive
Purchasing a car comes with extra expenses. You need a valid license, registration, and an insurance policy. Driving without these items increases your liability and risk. If you’re involved in an accident, your costs are far higher than they would have been if you had simply secured these items up front.
Application development is the same. Implementing security can be costly for your organization, but recovering from a breach is much more expensive. The Ponemon Institute indicates that the average remediation after a breach is 31 days and costs $20,000. Consider, also, that this is only a monetary assessment of remediation. Recovering from a breach also involves rebuilding your brand and reputation.
But, when you proactively approach security, you mitigate your risks and significantly reduce any long-term costs – especially any erosion of trust with your customers or vendors.
3. Out with the old, in with the new
Are you still thinking about, talking about, or using SSL? Is Windows XP still deployed in your organization? Do you avoid upgrading installed software to its newest version?
If you answered yes to any of these questions, you are increasing your organization’s security risk.
Technology is rapidly changing. But the security landscape evolves more rapidly than technology. This poses quite the dilemma for organizations.
While it is unrealistic from a business perspective to adapt and evolve in line with every new technology, it is essential for your security personnel to keep up with the evolving landscape and make suggestions to mitigate risks from obsolete technologies. A key here is to identify and remove or replace obsolete technologies as quickly and efficiently as is feasible.
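The SSL question above has a concrete counterpart in code: any TLS context your software creates has a protocol floor, and "still using SSL" usually means that floor was never set. The example below is added for this article (it is not Hyland or OnBase code) and uses only Python's standard `ssl` module. It builds a client context that refuses SSL 3.0, TLS 1.0 and TLS 1.1, builds a legacy context with no floor for comparison, and audits either one so an inventory of obsolete technology can be produced from the configuration itself rather than from memory.

```python
import ssl

# Protocol versions the article tells you to retire. This tuple is
# constructed for the example; it is not Hyland/OnBase configuration.
OBSOLETE_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)


def hardened_client_context():
    """Client context that only negotiates TLS 1.2 or newer.

    create_default_context() also enables certificate verification and
    hostname checking, so the context is usable for real connections.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context():
    """Context with no floor on the protocol version, i.e. the
    "still using SSL" case from the article. Used only for comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def obsolete_versions_allowed(ctx):
    """Names of obsolete protocol versions ctx would still accept,
    judged by its configured minimum_version floor."""
    return [v.name for v in OBSOLETE_VERSIONS if ctx.minimum_version <= v]


def audit(ctx):
    """Summarize a context's protocol floor for an inventory report."""
    allowed = obsolete_versions_allowed(ctx)
    return {
        "minimum_version": ctx.minimum_version.name,
        "obsolete_allowed": allowed,
        "compliant": not allowed,
    }


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_client_context())):
        print(label, audit(ctx))
```

The audit reads the floor the process actually configured, which is what matters when an application inherits a context from a library or framework. Note that whether the underlying OpenSSL build can still speak TLS 1.0 at all is a separate, platform-level question; the check here is about what your own code permits.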
4. Security is everybody’s job
No one is excluded from security. You are responsible for some portion of security whether you are designing, testing, or simply using your organization’s software or technology.
So if you design software, you should code with security in mind. And when testing, you should think about security and include it in regular tests, keeping in mind the threat categories of STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege).
Do you write passwords down? Do you walk away from your computer and leave it unlocked? Do you open attachments from unknown sources?
Knowing security best practices for these scenarios and others – and sharing them with your organization’s employees – are all ways that you can ensure end users are using your systems in a secure manner.
5. Training is key!
Effective security isn’t about complexity and sophistication. The weakest link in any security foundation is someone who makes poor decisions when using technology. Remember the person we just talked about who wrote their password down or left their computer unlocked when they went to lunch?
Actions like that can be catastrophic for even the most secure implementations.
Training your staff on basic security best practices and principles reinforces the weakest link in the security framework and is one of the most cost-effective ways of reducing security risks. Also, events such as OnBase Security Week are excellent ways to engage and train a large number of users in a fun, interactive, and cost-efficient way. I look forward to attending this event in the coming years.
Those are my 5 key takeaways from OnBase Security Week. I hope they shed light on the sometimes dark areas in the security realm.