'Good Enough' Security: Network Security on a Shoestring Budget: Page 2
Threats and More Threats
Contrary to what you read in the trade press, the biggest threat to your computer security is not an evil empire of hackers ready to swoop down and steal all your corporate secrets; rather, it's your users. They are, after all, the ones who continue to insist on insanely easy passwords. No, your girlfriend's name is not a good password. They're also the ones who send virus-laden email attachments and can't figure out why everyone in the office is mad at them.
When planning a security strategy on a shoestring budget, at the very least you need to concentrate your efforts on educating your users as well as addressing the most well-known vulnerabilities. The major routes of attack include:
- Sloppy internal computer security - Over 60% of the average company's security incidents are internal. How many of your machines have the default screensaver password, or no screensaver password at all? I worked for an engineering company here in Boston. When I left, they carefully turned off my accounts. That was good policy, but since every person in the company has the identical easy password on their Internet-facing email server, how much security do they seriously have?
- External hackers - Yes, they are out there, and there are more of them every day, but the majority are kids who are just playing. There are some very serious hackers who are out for money, corporate espionage, or malicious destruction, but on a small budget you will not be able to stop a determined cracker. If you are targeted by a professional hacker, you will have much bigger problems to worry about. Still, at the very least, don't make it easy for them.
- Social engineering - The easiest way to break into a company computer network is not technical at all. More people share account information, leave company-confidential information open on their desks, or give confidential computer information to strangers on the phone because the strangers say they are from "the helpdesk." Employee ignorance is the biggest security hole of them all.
If that doesn't get you thinking that you need some security policies and procedures, here are a few statistics from the FBI's "2002 Computer Crimes and Security Survey." 90% of the respondents reported computer security breaches in the past 12 months. 85% detected computer viruses, while 80% were willing to admit to direct financial losses. The most severe losses were theft of proprietary information and financial fraud. 74% reported their Internet connection had been a source of attack, while 38% of those surveyed reported that there had been attacks on their corporate website.