Even as July 4 barbecues approach, there is no rest for weary IT departments. There are malicious insiders and dumb insiders. In some cases, employees do precisely what is required -- and still end up with a big problem.
After years of security scares and millions -- perhaps billions by now -- of lost records, people still are not paying attention. Last week, Sophos released findings of an exhaustive test. The firm spent 40 days checking visiting computers from corporate users. Sophos found that 81 percent of the 580 assessed machines were falling short in some key area. For instance, some hadn't applied available Microsoft patches, anti-virus software was inadequate or the firewall was down.
Semi-plausible reasons for some of the problems were given in the piece, but as a Sophos executive said, the bottom line was that in many cases "stuff happens."
In other words, people still are not paying attention.
BCS offers a somewhat more polite way to say that people are careless and even a bit dumb when it comes to their computing security. It says that "human nature" often takes over and leads them to do things with less caution than they should. The example provided is common: People generally are aware that opening an attachment without being sure of its provenance is foolhardy, but many continue to do so. The piece concludes with the observation that such activities will become even more dangerous as Web 2.0 gains a foothold.
Of course, tremendous security problems are not always the result of carelessness. This piece in The Oneonta Star describes how a man's PC got fouled up even though he did all the right things. The upstate New York paper describes how the PC -- which was correctly configured to automatically download and install updates -- was working through the bulky Windows XP Service Pack 3 when the Symantec anti-virus judged that too much was being downloaded and cut it off. Half-installed service packs are bad news, and the user, who had done what he was supposed to by authorizing the automatic update, had to have his operating system reinstalled.
That is the exception, and not the rule. In most cases, companies must protect themselves from two brands of internal threats: malevolent insiders and honest but careless employees. This is a long and interesting Nevada Business piece on internal threats. One of the themes is that there is a lot to keep track of, and sensible companies have strong policies. This helps in two ways -- it protects the network more fully and puts the company in a better legal position if something unfortunate happens down the road. The company also needs to make sure devices are properly protected. This can save the company from both forms of internal threat.
Securing a machine and the network to which it is attached doesn't seem to be getting any easier. Honest employees have had years to get smarter and, as a group, haven't. Malicious folks tend not to grow more honest. And while security software clearly has improved during the past few years, IT still must keep a keen eye on how it is deployed.
Have a great holiday.