No matter how hard you work, no matter how many security programs you install, the biggest threat doesn't come from outside the firewall. And it isn't from unpatched software and it doesn't come from buffer overflows, etc. Your own users are your biggest, albeit unwitting, enemy.
"If all software had 0 exploits, it wouldn't drastically change the amount of successful hacking," says security Roger Grimes, a security pro and columnist. It's because the bad guys have elevated social engineering, the hack that takes advantage of a user's greed, lust or simply naivety, to open the gates to malware.
Grimes may be overstating the case a bit. Software exploits are serious and ever present.
But the modern hacker who wants to gain access to data that can be sold, knows that users can be tricked onto sites that are seeded with malware, says David Perry, global director of education for Trend Micro, whose global array of sensors (and information exchanges with other security vendors and customers) now detects an astonishing 100,000 samples of new malware a day.
And don't think that all sites infected with malware are XXX rated. By the beginning of 2009, the majority of poisoned sites were mainstream. In a typical attack, users of FoxNews.com were told they needed to install a new codec to watch clips on the site. Once installed, the "codec" was a malicious piece of code undetected by most defences, Grimes recounts.
What you can do to secure your network
Perry suggests some distinctly unpleasant remedies for the small business.
The most draconian applies to computers that hold customer data, particularly credit card information. "If possible, take them off the Web," he says. Files don't have to be e-mailed internally. Assuming you've got a network, simply drag files from one directory to another without a browser.
Without being patronising, employees need to be treated with some of the same concerns you might have for your children. You know the drill; tell them going to porn and gambling sites and so on will get them in serious trouble. Since they are adults, you might set up a PC in the break room that has Web access but is not on your network. They may waste time on it, but it won't endanger your firm's security.
You've got to be in control of your network. Trend Micro's Internet Security Package, for example, lets you set security policies for every computer on your network with a simple stratagem: Install the product on PCs that need to be protected and when the program asks for a password, give each PC the same one. (To be clear, we don't mean a network password, but a password to the security program.)
Sign up for Computerworld eNewsletters.