Workers Cause More Problems Than Viruses
Technical Writing Geek writes "A new report finds that, for the first time, virus infections have slipped to the second spot on the list of computer security troublemakers. In first place— a company's own workers. 'The Computer Security Institute has just released the 2007 edition (PDF) of its long-running "Computer Crime and Security Survey," and it offers some dreary news for overworked computer security admins: average losses from attacks have surged this year. More surprising is the finding that the single biggest security threat faced by corporate networks doesn't come from virus writers any more; instead, it comes from company insiders.'"
Re:Ignoring the Human Factor is not Bliss (Score:5, Interesting)
Actually I bet the NSA is doing everything you name, except for the 256-bit thing. I'm sure they're using at least 4096-bit encryption (assuming RS). Maybe biometrics instead of the fancy passwords.
But you can be sure that the rooms are faraday cages; even the CIA does that.
(The CIA also has double walls between which they pump white noise so that people can't read the vibrations of the glass with laser meters. The building is magnetically shielded so people can't "read" the monitors of people remotely.)
Re:Duh (Score:3, Interesting)
I think that the real problem is responsibility. If 'power users' want these types of privileges then they should have to sign off on a statement absolving the IT department of responsibility for the consequences (i.e. we may help you if this fails provided that we have some spare time and we are feeling nice, but don't count on it... otherwise we are just going to restore an image on your machine and be done with it when you ask us to 'just make it work'). The problem, as it stands now, with most users is that they don't care because it's 'not their problem' when things go down.
Re:Ignoring the Human Factor is not Bliss (Score:3, Interesting)
Honestly, in my experience, I've seen far more cases of mass re-ghosting due to "routine" Windows Updates hosing some critical piece of enterprise software than from anything like what you describe. In other words, IME, for the average IT shop, far more downtime costs are associated with bad implementation practices than with bad security practices. YMMV, but I do think the GP has a point in that, for many shops, the impact of actual security issues does not justify the observed costs of enhanced security beyond a certain level.
That is not to say that security is not a good investment even if your business is not particularly security-sensitive, but it is more akin to insuring oneself against rare and catastrophic events... that is, as long as the catastrophe never occurs, it seems like money wasted, but in the event that catastrophe does strike, it is a very good investment indeed.
This is news? (Score:1, Interesting)
Your biggest security threats have always come from the inside. That's why a total-network solution like Active Directory using group policies is so important, rather than just having a bunch of computers thrown onto a network, with no control over anything.
It's also smartest to maintain two internal networks: one only for domain computers, and one for anything else.
Yes, but... (Score:3, Interesting)
Article is worthless (Score:1, Interesting)
So, if 59% of companies have a single employee that installs Firefox without permission, and 52% of companies are infected with viruses/spyware that are making copies of their credit card databases, how the hell are viruses/spyware still not the number 1 threat?