With results that will probably surprise no one (and will warm the hearts of black-hat hackers everywhere), the US Government Accountability Office has published its findings on a recent security audit of the Internal Revenue Service. The summary reads like the report card every good parent dreads: “Needs improvement.” The GAO found that, despite having a comprehensive security plan (the development of which was funded by your dollars!), the IRS has failed to follow through in many areas of implementing and enforcing that plan in various parts of its operation, and that these failures have severely compromised the overall security of the very important data the IRS collects on all American citizens.
What this means for you:
As you might expect, the 31-page GAO report is not the most exciting of page-turners. I’ll save you the dry read with the “moral” of the story: a security policy is only as good as how well it is enforced and maintained. It does your company no good to say that “All employees must use strong passwords that are changed every 60 days” if no one is checking whether they are actually adhering to the policy. It’s actually much worse for your company if you do have a security policy, experience a breach, and then discover that the breach was due to lack of enforcement.
Don’t get me wrong – I’m not recommending against having a security policy. You should have a security policy, especially if you handle sensitive data of any sort, and you should be making every effort to enforce, update and maintain that policy on a regular basis. A simple security breach could cause untold damage to your company’s reputation, and even more so if you have to admit that it happened because you failed to follow through on your own company’s policies.