The true picture of the hacking problem has allegedly been revealed this week by another study. It claims that as many as 90% of corporate networks are, essentially, gaping vulnerabilities as far as companies are concerned. The report does, however, come with its own in-built caveat - it's from a security firm.
The study this time has come from little-known PanSec, a Birmingham, UK, based firm that specialises in Managed Vulnerability Assessment. Those are solutions that aim to prevent hackers getting into the network, so now you understand the impetus for the study. It's easy to be cynical about these things of course, but it does still point to some interesting findings.
The whole basis of the report is a study that PanSec undertook in July of this year where it analysed more than 4,000 IP addresses from companies that volunteered for the study. We're not clear how many companies that included but PanSec claims it found that 92% of these networks were seriously vulnerable to a hacker assault.
Interestingly, and this is the stuff that you should take away with you incidentally, the majority of the problems it found were based around mismanagement. The majority of the vulnerabilities the firm discovered were caused by plain and simple misconfigurations - rather than a complete lack of security awareness.
That's an interesting twist on the usual findings of studies, which typically point out that a firm needs to spend millions on security hardware. In this case, the study suggests that companies need to spend money on monitoring services to help them identify problem areas. But there's an easier solution, or at least a workaround that will minimise the need for this. Good management.
It's certainly true that once a network has, shall we say, evolved - by which we mean fallen into disarray - monitoring tools are indeed a good bet to identify vulnerabilities. No argument there. However, this should be a 'once every few years' kind of exercise if security is taken seriously. Companies need to give their network manager the time and resource needed to carefully and adequately document security procedures, policies and processes - and then implement them.
It sounds easy, admittedly, and given the right encouragement, it can be. But this is still where companies fail in their efforts. They need to get the policies and procedures right, risk analysis in place, checks, double checks and sign-off procedures. Once that's nailed the rest pretty much falls into place.
Copyright 2002 IT-Director.com