Sure, you've got a million-dollar security battleship, but it's full of. . . 50-Cent Holes!
- Common security problems and how to fix them
- Steps for preventing future holes
This has not been a banner year for information security.
From a stolen laptop full of Social Security numbers to a Web site that lost oceans of credit card data, commonsense security procedures seem in short supply. "Almost without exception we're living in a world where no one thinks to lock the stable doors until the horses have escaped," says David Friedlander, a senior analyst at Forrester Research.
CIOs can spend millions on firewalls, intrusion detection systems and whatever else their security vendors are selling, but when that VP of marketing decides to sync his work laptop with his unsecured home PC - and there's no policy or training to make him think twice - your million-dollar security efforts become worthless.
With that in mind, here are 10 common security ailments and 10 practical remedies. They're easy and inexpensive, and you can do them right now. All involve some form of user education and training. "How do you stop stupid mistakes?" asks Mark Lobel, a partner in the security practice at PricewaterhouseCoopers. "It's education and security awareness - basic blocking and tackling - and it does not have to cost a fortune."
Save As . . .
The Hole : A company familiar to Adam Couture, a principal analyst at Gartner Research, searched its Exchange servers for documents called "passwords.doc". There were 40 of them.
The Problem: Uneducated users. "Some of these [mistakes] are so obvious that you think: 'Nobody would do that'," Couture says. "But you give people too much credit." Any hacker, malcontent employee or grandmother with a minimal amount of computer know-how could unlock those documents and ravage your company's most sensitive applications (not to mention all of your employees' personal information).
The Solution : First, CIOs need to acknowledge that there might be passwords.doc files on their networks, find them and destroy them. Then, via e-mail or a companywide meeting, they need to explain to users why keeping a file like this on the network is a really, really bad idea.