Quest CEO Blog | Intrusion Detection

 


Thoughts on Technology, Business and the Management of Both.

 

Curing Those Security Blues

by Tim Burke
Tuesday, February 14, 2012

Are you suffering from security fatigue? Find yourself getting irritated when your IT folks bring up yet another security issue? You're not alone. Lately I've been witnessing a good deal of security fatigue in the executive suite, and I'm not surprised.


Truth is, security remains a never-ending process. The easier we make it to move data, the more vulnerable it is to loss or theft. In fact, our Page 1 story this issue on Data Loss Prevention is all about how easy it is for too many employees to make off with sensitive, proprietary information.


But you're sick of hearing about it all, right? Well, maybe it's not security you're tired of, but the endless stream of checks you've been writing to buy security products that leave you less than secure.


As readers of this blog know, I've long been an advocate of buying capability rather than product. Want to be sure Salesman Bob, who's just resigned to go to work for a competitor, doesn't walk away with all your customer data to help him in his new job? Don't just buy a product. Look for a way to get the capability to protect your data.


You can't escape spending on security, but you can make each dollar work to deliver the functionality you need.



Categories: Assessments | Data Security | Information Security | Intrusion Detection | Vulnerability



Where’s your business on the path of least security resistance?

by Tim Burke
Thursday, January 12, 2012

Cyber-attacks tend to take the path of least resistance. So what are some of those paths? What vulnerabilities do hackers look for first?

 

According to a survey conducted at the Def Con 18 hackers’ convention, poorly configured networks top hackers’ lists. They like to exploit inadequate security audits and IT staffers who don’t know what to look for when they’re monitoring and testing networks.

 

Hackers also prefer threats that change too fast to be properly addressed. And they look for insiders who can be persuaded — or forced — to aid their attack.

 


What if The Year of the Data Breach isn’t over yet?

by Tim Burke
Tuesday, January 10, 2012

The thing to remember concerning what you hear about data breaches is that you’re hearing only about what gets reported — and plenty of data breaches never get reported.

 

Even so, the numbers we do have are plenty scary. A study on data breaches — 2010 Annual Study: U.S. Cost of a Data Breach, published last March — conducted for Symantec by the Ponemon Institute tells us that in 2010 (the most recent info we have), the average data breach cost $7.2 million, up from $6.6 million in 2009. 

 



Categories: Business Continuity | Business Resumption | Data Access | Information Security | Intrusion Detection



Dangerously vulnerable: 3 quick (and scary) anecdotes

by Tim Burke
Thursday, October 20, 2011

How secure are the data, applications, systems, and networks your business depends on? If you’re like too many of the executives I talk to, you may believe all is well — but only because you haven’t asked the right questions.

 

One executive told me recently, “We’re cool; we haven’t had to touch our firewalls in three years.”

 

Another ticked off all the security products his IT guys have installed — but, it turns out, without ever changing the manufacturers’ default passwords.


Don’t let your firewall get burned by employees’ mobile devices

by Tim Burke
Tuesday, October 18, 2011


As more and more of your employees use mobile devices, these machines may start out behind your firewall — but they don’t stay there. They move around, to other networks with different firewall rules. Or no firewall at all.  

 

When that mobile device returns to its trusted place behind your firewall, it may carry a cyber-infection that can attack your network from the inside.

 

The great firewall challenge lies in balancing the tradeoffs between degree of protection, usability, and cost. That balancing act starts with understanding what your firewall actually does.


Beware the Malware Pandemic

by Tim Burke
Tuesday, September 27, 2011

About a year ago, a routine enterprise security analysis turned up 75 gigabytes of stolen data. Thus began the discovery of the ‘Kneber botnet’, which had hijacked 74,000 computers at more than 2,500 organizations around the world.

 

Operating undetected for a year, the Kneber botnet’s 74,000 ‘zombies’ stole 68,000 corporate logins to e-mail accounts, online banking accounts, and a variety of public email and social networking sites. It also grabbed nearly 2,000 SSL certificate files used to secure the likes of online banking transactions.
