If you cant afford it, dont do it(breached.digital)
breached.digital
If you cant afford it, dont do it
https://breached.digital/if-you-cant-afford-it-dont-do-it/
15 comments
In many of the companies I worked for, security did come cheap — enabling 2FA on SSO, not collecting data they didn't need, invalidating employee session tokens every 24 hours instead of 90 days, and so on. I am talking about cheap as changing a setting is. But they just ignored all those good practices anyways.
Most companies don't implement good security practices because of the inconvenience, not the cost.
I'm not sure it's even that more inconvenient to do what I suggested.
2FA is probably the biggest inconvenience, but the 2nd factor doesn't have to be TOTP, it can be the employee badge, or biometrics (fingerprint). If it's TOTP, then there are credit card-sized cards with a button and a display. Press a button, get the token. Keep that card at the workplace such as a work desk at home or a the work car, and hacking that account online becomes very difficult.
Session timeouts are not that inconvenient. The employee needs to log in every day, but the session duration can be made 12 hours, so they won't need to log in the same day twice. This is still so much better than 90 day defaults in many places.
And not collecting data to reduce risks is easier than collecting it. It's more of an ethos thing than a cost, unless the company is collecting creepy amounts of data already and that needs to be properly dealt with.
2FA is probably the biggest inconvenience, but the 2nd factor doesn't have to be TOTP, it can be the employee badge, or biometrics (fingerprint). If it's TOTP, then there are credit card-sized cards with a button and a display. Press a button, get the token. Keep that card at the workplace such as a work desk at home or a the work car, and hacking that account online becomes very difficult.
Session timeouts are not that inconvenient. The employee needs to log in every day, but the session duration can be made 12 hours, so they won't need to log in the same day twice. This is still so much better than 90 day defaults in many places.
And not collecting data to reduce risks is easier than collecting it. It's more of an ethos thing than a cost, unless the company is collecting creepy amounts of data already and that needs to be properly dealt with.
You underestimate the laziness of the average employee. I've worked at a company that removed 2FA because upper-level management didn't want to have to re-login once/week.
Yes, it does become complicated when the management are the laziest. The average worker will do what they are asked to for information security.
That was hilarious, I don't like the white page background.
[deleted]
[deleted]
[deleted]
The last line: "greed, ego and hubris" -- sums up why managers do not heed warnings and advice, including this one.
And then what happens when you competitors do that sh*t and bankrupt you before they are killed by ransomware?
Stop moralizing what is fundamentally a systematic problem.
Stop moralizing what is fundamentally a systematic problem.
+1 for inclusion of Aussie Dollar coin.
when engineers struggle to make rent, what is everyone else doing to survive?
It genuinely makes me wonder
It genuinely makes me wonder