7. Train and Mentor
One of the most common causes of security breaches is human error, typically the result of a lack of security knowledge or training, or of a failure to follow security procedures.
Without a focus on the human side of security, no amount of risk evaluation, network intrusion detection software or other technology is likely to be effective. CIOs should take the time to find out how many of their people hold a security certification, or at least have a minimal foundational knowledge of what IT security is about.
Security is an ongoing process, not a one-time event. With new threats emerging every day, analysts say it is vital to train staff effectively in how to recognise and protect against specific threats, and to refresh that training at least every six months.
For instance, one of the biggest security threats is social engineering: the deliberate manipulation of authorized users into helping a hacker gain access to systems protected by IDs and passwords. Too many hackers have had the door to the network opened for them by naive users, simply by phoning those users, claiming to be a systems technician and asking for their password.
Social engineering works because most people in any computing environment are insufficiently aware of, or knowledgeable about, IT security. You need to make sure everybody in your organization is aware of new threats and how to defend against them. How many of your people would know if they were being socially engineered? Are there training programs in place to alert them to the risks?
"When we find a flaw, part of our response is, 'this is what NOT to do next time'," says Security Innovation's Whittaker. "Every bug is an educational opportunity. We teach our customers how to listen to their bugs and not only fix the issue, but keep from writing that kind of bug again. It sounds simple, but it takes the right mind-set and training to get it right."
8. Use Biometrics
One critical piece of information that every executive needs to know about information security is that the cost-effectiveness of, and the protection provided by, password-based networks are both decreasing. Passwords are easily lost or deciphered, and there is significant cost associated with password maintenance. According to Aberdeen, the labour cost of configuring and maintaining password systems ranges anywhere from $100 to $350 per user per year, depending on company size.
This has given rise to a new class of network logon devices that use biometrics - measurements of human characteristics, via fingerprint authentication, optical scanning or voice recognition - to secure physical and network access in the workplace.
In 2002 and 2003, revenue for biometric technologies grew more than 50 percent, to $US928 million, and is expected to continue at this pace, with annual revenues forecast to exceed $US4 billion by 2007, according to International Biometric Group, an industry consulting firm. Desktop fingerprint readers, such as biometric keyboards and desktop pods, are the most common type of biometric device used for network security, accounting for more than 60 percent of the market.
"In the consumer space, in which phishing is the big market driver now, it's really a consumer protection issue based on the fact that in order to gain access to systems today we still require users to manage something secret," BioPassword's Wood says. "We require them to have a password." He says part of the answer may lie in software-based biometrics that uniquely identify people based on their typing rhythms and patterns.
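The typing-rhythm biometrics Wood refers to are usually called keystroke dynamics: the system enrols a per-user template of how long each key is held (dwell time) and how long the gap is between releasing one key and pressing the next (flight time), then scores a new login attempt by how far it sits from that template. The code below is an added illustration written for this page; it is not BioPassword's product or any code from the original article. It assumes a fixed passphrase, timings in milliseconds, a scaled Manhattan distance against a per-user mean/standard-deviation template, and a fixed acceptance threshold; the enrolment, genuine and impostor typing samples are constructed by hand to make the arithmetic visible.

```python
"""Keystroke-dynamics verifier (illustrative example, not a product)."""
from statistics import mean, stdev

# A typing sample is a list of (key, press_ms, release_ms) tuples for the
# passphrase keys in order. Timestamps are relative to the first key press.
KEYS = "pass"  # hypothetical fixed passphrase


def make_sample(keys, dwells, flights):
    """Construct a sample from dwell times (hold) and flight times (gaps).

    Helper for building the hand-made test data below; a real system would
    take the timestamps straight from the keyboard event stream.
    """
    assert len(dwells) == len(keys) and len(flights) == len(keys) - 1
    t, sample = 0, []
    for i, k in enumerate(keys):
        press = t
        release = press + dwells[i]
        sample.append((k, press, release))
        if i < len(keys) - 1:
            t = release + flights[i]
    return sample


def features(sample):
    """Feature vector: dwell time per key, then flight time per key pair."""
    dwell = [release - press for (_, press, release) in sample]
    flight = [sample[i + 1][1] - sample[i][2] for i in range(len(sample) - 1)]
    return dwell + flight


def enroll(samples):
    """Build the user's template: per-feature mean and standard deviation."""
    vecs = [features(s) for s in samples]
    if any(len(v) != len(vecs[0]) for v in vecs):
        raise ValueError("all enrolment samples must cover the same passphrase")
    means = [mean(col) for col in zip(*vecs)]
    # Floor the spread at 1 ms so one unusually consistent feature cannot
    # dominate the score (or divide by zero) for a user with few samples.
    stds = [max(stdev(col), 1.0) for col in zip(*vecs)]
    return {"mean": means, "std": stds}


def score(template, sample):
    """Scaled Manhattan distance: average |x - mean| / std over all features.

    0 means the attempt matches the template exactly; larger is less alike.
    """
    x = features(sample)
    return sum(abs(xi - m) / s
               for xi, m, s in zip(x, template["mean"], template["std"])) / len(x)


def verify(template, sample, threshold=2.0):
    """Accept if the attempt is, on average, under `threshold` std devs away.

    The threshold is a hypothetical value; in practice it is tuned on held-out
    samples to trade off false accepts against false rejects.
    """
    return score(template, sample) < threshold


# Constructed data: five enrolment samples from the legitimate user, whose
# rhythm varies by a few milliseconds around a stable pattern.
ENROLMENT_SAMPLES = [
    make_sample(KEYS, [90, 85, 80, 75], [120, 150, 100]),
    make_sample(KEYS, [95, 80, 85, 70], [125, 145, 105]),
    make_sample(KEYS, [85, 90, 75, 80], [115, 155, 95]),
    make_sample(KEYS, [92, 83, 82, 77], [118, 152, 98]),
    make_sample(KEYS, [88, 87, 78, 73], [122, 148, 102]),
]
# Same user, a later login: each feature about 1 ms off the template mean.
GENUINE_SAMPLE = make_sample(KEYS, [91, 84, 81, 76], [119, 151, 99])
# Impostor who knows the passphrase (the "something secret" leaked) but
# types it with a slower, different rhythm.
IMPOSTOR_SAMPLE = make_sample(KEYS, [130, 120, 140, 125], [250, 300, 220])


def demo():
    """Return (genuine_score, impostor_score) for the constructed data."""
    template = enroll(ENROLMENT_SAMPLES)
    return score(template, GENUINE_SAMPLE), score(template, IMPOSTOR_SAMPLE)


if __name__ == "__main__":
    tmpl = enroll(ENROLMENT_SAMPLES)
    for label, s in (("genuine", GENUINE_SAMPLE), ("impostor", IMPOSTOR_SAMPLE)):
        print(f"{label}: score={score(tmpl, s):.2f} accepted={verify(tmpl, s)}")
```

The point the example makes is the one in the quote: the impostor is rejected even though the password itself is correct, because the password is no longer the only thing being checked. The same property is also the caveat: a user whose typing changes (injury, a new keyboard, a mobile device) will start to fail, so deployments treat keystroke dynamics as a supplementary factor with tuned thresholds and periodic template updates rather than as a sole credential.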