Many firms are still having difficulties following even the most basic security protocols, according to the United Kingdom's Information Commissioner's Office (ICO). The ICO reports that many companies are completely open to security breaches and are "hemorrhaging data" because of structured query language (SQL) injection flaws, along with other vulnerabilities. Although this report is based on companies in the U.K., the lessons are universal.
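To make the SQL injection point concrete, here is an added example (not from the ICO report or this article) showing the kind of lookup that "hemorrhages data" next to the parameterized version that closes the flaw. It uses Python's built-in `sqlite3` module with a constructed in-memory table; the user names, e-mail addresses and the crafted input are all made up for the demonstration.

```python
import sqlite3


def make_sample_db():
    """Build a constructed in-memory users table (sample data, not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable form: the caller's input is spliced into the SQL text itself,
    so any quote characters in it change the meaning of the query."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the value is bound as a parameter and sent separately from
    the query text, so it can only ever be compared as a literal username."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Run both lookups against a normal name and a constructed malformed input.
    Returns the row lists so the difference can be inspected or asserted on."""
    conn = make_sample_db()
    # Constructed test input containing a quote; it is not a real username.
    malformed = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_malformed": lookup_vulnerable(conn, malformed),
        "safe_normal": lookup_parameterized(conn, "alice"),
        "safe_malformed": lookup_parameterized(conn, malformed),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) -> {rows}")
```

With a genuine username both functions return the same single row. With the malformed input the concatenated query returns every row in the table, which is the data leak the ICO describes, while the parameterized query returns nothing because no user is literally named that. Audit code for string-built SQL and replace it with bound parameters; that single change removes the whole class of flaw rather than trying to filter inputs.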
The ICO identified eight focal points where companies lack security protection. These include matters as simple as installing security software and keeping it updated, along with updating all other software, such as Java and Internet browsers.
Charles Sweeney, CEO of Web-filtering firm Bloxx, explained to Infosecurity that solving such problems is not as easy as it might seem. For example, networks can have multiple programs and systems, and some of them may be regularly updated while others may not be.
Another issue he addresses is poor password protection. Some passwords, such as those reused by one person across multiple devices of varying security levels, are easy to break.
"It's the reason that old Common Business-Orientated Language (COBOL) applications from 20 years ago can still be exploited by hackers today as a way of gaining access to the corporate infrastructure and why lost laptops 'secured' with weak passwords still strike the fear of God into any IT director when they get left on trains," Sweeney said.
The basic message is to keep things simple and reduce loopholes, meaning any points where a company is at risk. This means retiring legacy software and getting rid of devices that aren't used.
Getting the C-suite Involved
One suggestion for how to get security up and running so that the network can block security breaches is to get the upper-level executives more deeply involved with the IT department.
A report by market research firm Wakefield Research on behalf of Avanade, a business technology company, found that there is "real tension" between IT and a company's other budgetary priorities, Tech Republic reported.
In other words, upper management may not realize how much it takes to make a network secure, may not understand the price of a security breach, or may not anticipate their network being hacked at all. Much of this comes from ignorance on the part of managers, but part of the fault lies with security staff not taking the time to explain the real dangers of an under-budgeted IT department.
Mark McCurley is information security advisor at IDT911 Consulting.