Feature Story

The Seven Deadly Enterprise Security Sins

While the security threat landscape has changed drastically over the last decade, in many ways the discussion about security, particularly at the popular level, hasn’t kept pace. High-profile breaches, attacks, clever workarounds and individual viruses grab headlines while more sinister, on-going threats often lurk below the surface, unseen and unheard of by an organization until it’s too late.

“We’re not in 1980 anymore: We don’t need to announce a new virus. There’s a new virus every 9 seconds,” said an exasperated Pierluigi Stella, CTO of Network Box USA. ”I would like to see those articles with a different slant: On-going protection, because there’s a new virus every 9 seconds … Push the issue that you should be running anti-virus on your machine.”

Stella argued that even spam, an everyday nuisance, is still an underestimated threat in the enterprise. ”People think that it is just a nuisance, but it is no longer ‘just a nuisance’ because criminals have taken control of the networks and are deploying threats via spam,” he said. ”If your anti-spam can’t catch Viagra spam, you should get a new spam filter, but the ones that are going through are going to fake websites, phishing e-mails, corrupt PDFs [that are really viruses].”

With that background in mind, the IT Watch Blog has compiled its very own list of the Seven Deadly Security Sins for today.

Wrath

One of the most prevalent security threats is former employees, particularly in an economy that has made mass layoffs common and jobs harder to come by.

“With the economy still in recession, employees that are made redundant may feel resentful towards their previous employer in a number of ways that may affect the smooth operation of an organization,” commented Paul van Kessel, global leader of Ernst & Young’s Information Technology Risk and Assurance Services practice. ”Increasingly, the employer’s IT system has become a common target and data theft is also prevalent.”

Never underestimate the danger of angry ex-employees (or even angry current employees). Witness the case of Terry Childs, who was convicted this year for refusing to hand over critical network passwords to the rest of the City of San Francisco’s Department of Technology. The employee said he had “grave concerns” about the competence of his peers, and the debacle is estimated to have cost the city upwards of $900,000.

Greed

Security, except for a very few select firms actually in the security business, will always be a cost center for the enterprise. Unfortunately, this HR-speak translates to “If they need a dollar, give them a dime.” That mentality, however, can often prove to be penny-wise and pound foolish, particularly if there’s a high-profile attack. Remember, the final tab for the TJX security breach in 2007 was north of $256 million, and possibly as high as a billion dollars.

But beyond bare compliance mandates (and sometimes not even there), organizations have a hard time parting with the necessary resources, in both money and attention, a holistic security strategy requires. One recent study in the United Kingdom found just one-third of businesses had adequate resources to ensure enforcement of security policies, according to these firm’s own security executives.

Sloth

Blame it on the anemic budgets mentioned above, or simply the fact that few organizations start developing security until after they have encountered a threat, but Sloth might be one of the most prevalent security sins, and it can have a devastating effect in forms large and small. That password policy you plan to start enforcing next year? Chances are good it won’t see the light of day until the boss’ secret code ‘1234′ is discovered by a novice sleuth who decides to start helping himself to sensitive data. Sure, your anti-virus definition files are a little out of date, but what’s the worst that could happen?

Well, a lot actually since new threats emerge every nine seconds (see above) and they can ricochet around the world faster than you can say “botnet.”

Check out the IT Watch Blog next week for Part II of the seven deadly security sins, or confess your own security trespasses to Michael at the e-mail address below or in the comments. We might even have a -Shirt or other swag for you if we like your answer!

Return to: 2010 Feature Stories