2. Ignoring new vulnerabilities
Second on my list of the worst security mistakes is failing to take appropriate action when new vulnerabilities surface.
Most security managers receive automatic notification of new patches and/or monitor at least one security Web site. A significant number even subscribe to security-related newsletters which attempt to filter out the noise and focus on serious problems.
But there is simply so much information available that many people don't even bother to read the alerts they subscribe to. A far smaller number actually adjust policy or perform updates to fix the problems they do learn about.
3. Relying too much on technology
Another big mistake is relying excessively on technological fixes and paying too little attention to actually using them.
For example, if you tell upper management that you've installed the top antivirus software or the latest star in the firewall world, they'll think you've done your job. But unless you've carefully configured that firewall and maintained the antivirus software, you really haven't done much of anything.
Setting up a firewall properly in some environments can be as much art as science. It isn't a set-it-and-forget-it task any more than installing antivirus software ends all your malware worries. Instead, you have to keep tweaking the firewall to meet new needs, sometimes even blocking some ports for a few weeks after a new port scanning epidemic surfaces.
And that goes back to the second biggest mistake — you have to pay attention to new security updates and vulnerabilities as they emerge. For example, to keep track of the top 10 ports that would-be attackers are targeting, bookmark this SANS Web page. For antivirus programs, you not only need to update signature files; you must also monitor the need for patches to fix newly disclosed vulnerabilities in the antivirus software itself.
Anti-spyware software is much less complex than antivirus programs, so patches are seldom necessary. However, they require as much attention to downloading the latest database information as do antivirus programs.
Finally, don't forget that all these security utilities become worthless if you ignore the reports they generate.
4. Failing to thoroughly investigate job candidates
The fourth biggest mistake is failing to properly screen job candidates for criminal records or even poor financial decisions, particularly for candidates outside of the IT department.
Many readers questioned this practice despite the fact that companies have widely employed it for two simple reasons. First of all, if people are careless with their own finances, how well will they protect yours? Second, if someone's under financial pressure, he or she is more subject to outside pressures to indulge in activities that compromise security.
Whether it's due to poor planning, poor impulse control, or simple carelessness, a recent bankruptcy in someone's financial history is always a big red flag unless there's a very good explanation. It may be sad, it may be unfortunate, but it's a common practice because it works.
