This has not been a banner year for information security.
From a stolen laptop full of Social Security numbers to a website that lost oceans of credit card data, commonsense security procedures seem in short supply. "Almost without exception we’re living in a world where no one thinks to lock the stable doors until the horses have escaped," says David Friedlander, a senior analyst at Forrester Research.
CIOs can spend millions on firewalls, intrusion detection systems and whatever else their security vendors are selling, but when that VP of marketing decides to sync his work laptop with his unsecured home PC—and there’s no policy or training to make him think twice—your million-dollar security efforts become worthless.
With that in mind, here are 10 common security ailments and 10 practical remedies. They’re easy and inexpensive, and you can do them right now. All involve some form of user education and training. "How do you stop stupid mistakes?" asks Mark Lobel, a partner in the security practice at PricewaterhouseCoopers. "It’s education and security awareness—basic blocking and tackling—and it does not have to cost a fortune."
The Hole | A company familiar to Adam Couture, a principal analyst at Gartner Research, searched its Exchange servers for documents called "passwords.doc." There were 40 of them.
The Problem | Uneducated users. "Some of these [mistakes] are so obvious that you think, ‘Nobody would do that,’" Couture says. "But you give people too much credit." Any hacker, malcontent employee or grandmother with a minimal amount of computer know-how could unlock those documents and ravage your company’s most sensitive applications (not to mention all of your employees’ personal information).
The Solution | First, CIOs need to acknowledge that there might be passwords.doc files on their networks, find them and destroy them. Then, via e-mail or a companywide meeting, they need to explain to users why keeping a file like this on the network is a really, really bad idea.
Ever Heard of "bcc:"?
The Hole | On June 13, 2005, the University of Kansas Office of Student Financial Aid sent out an e-mail to 119 students, informing them that their failing grades put them at risk of losing their financial aid. The e-mail included all 119 students’ names within the e-mail address list.
The Problem | Besides embarrassing their students, U. Kansas administrators may have violated the Department of Education’s Family Education Rights and Privacy Act, which protects the privacy of students’ grades and financial situations.