Several big stories have come out in the recent weeks regarding the latest round of security breaches. It seems to me that there is a template somewhere in the hidden depths of the newsroom that tells these TV journalists what to say. Each time I see a story the tips are pretty much the same with one of the steps being to change your password and don't use the same password on multiple sites. These are great tips but are no doubt becoming white noise to people. Heartbleed did get a different reaction but I would say it was more anger at the hardware manufacturers. In my experience as a security analyst I have reached a lot of conclusions on common practices of businesses and individuals. Here are a few.
1 - People Will Use Easy Passwords if Not Restricted by Company Policy
2 - People Will Repeat Passwords on Multiple Applications if Possible
3 - Small Businesses Typically Rely on AV Software for Security
4 - Small Business Often Request Security Features to be Disabled for Ease of Use
5 - Fix Only What is Broken
I am not an advocate for security functions that require a lot of additional work on users. I also don't believe a 64 character password is practical in application. The problem with the design of most network systems is they are not designed from the ground up with security and usability in mind.
Here is an example. The average network either allows or denies the ability to download executable files. But simply making that call on a global level is not practical. Network administrators need the ability to download files, users do not. So a network should be designed as such. Then when something needs to be installed it can be done safely and securely without reconfiguring a users browser to open it up. Once you start punching holes here and there eventually you have a network with as many holes as chain link fence.
Recently Microsoft found a major issue in IE. The issue was so bad that they issues a patch for the now end of life Windows XP. People were scrambling to patch this hole. However, if you had an IPS appliance in place or one on your firewall you were protected right away. The Administrators who did were able to test the patch and deploy in an orderly fashion. No good comes from scramble and reaction.
The only way to start to build a secure business is to see where you are at right now. Security assessments are the best way to do this. Stop reacting to issues that pop up and be proactive in your approach. Security is beyond passwords and anti-virus.