Have you ever thought about the best ways to be negatively affected by a disaster, get hacked, or otherwise part with data stored on your computers? Here are some of the best ways to lose system security, in no particular order:

1) When an employee quits or is let go, leave his network log-ins and e-mail accounts enabled. You never know when he might want to check in on things.

2) Rely solely on technology. Firewalls, encryption and antivirus software are all you need to protect your information.

3) Completely outsource your information security initiatives. There's no need for anyone inside your organization to worry about such matters.

4) Leave your operating systems and software applications with the default settings. System hardening is for the birds.

5) Don't train your users on your security policies and what to look out for, such as unsolicited e-mail attachments and common hacker activities. Your users can't be burdened with more training.

6) If you do happen to have a security policy, never refer to it, enforce it, update it or do what it says.

7) By all means, don't take an inventory of your information systems or document your network.

8) Don't pay attention to or even bother to understand what you're trying to protect.

9) Don't patch your software or update your virus signatures, and never, ever run vulnerability assessments to detect newly discovered software flaws and system misconfigurations. It's just too time-consuming.

10) Respond to hacker attacks, viruses and other intrusions as they happen -- don't be proactive in dealing with them.

11) Ignore all known best practices and international information security standards from the International Organization for Standardization (ISO), the Internet Engineering Task Force, the SANS Institute and your local information security consultant, to name a few.

12) Leave your databases, especially those containing credit card or other confidential information, unencrypted. And be sure to store them on publicly accessible servers.

13) Run your business without disaster recovery and business continuity plans. After all, you can think clearly and make critical decisions under pressure, right?

14) Don't monitor your systems. They'll be fine running by themselves, and if anything major happens with the integrity or availability of your information, you'll be notified automatically, won't you?

15) Don't back up your data, but if you must, don't test your backups. Also, leave your backup media on-site -- preferably sitting on top of an uninterruptible power supply.

16) Don't create any security policies that document how you're safeguarding your information to protect your organization and clients from information disasters and legal liabilities.

17) Apply the principle of greatest privilege. Give all users the greatest amount of access to your information systems. Everyone should have access to everything -- it's only fair, right?

18) Don't subscribe to security bulletins and mailing lists, and don't ever read information security trade magazines.

19) Don't, under any circumstances, get upper management involved in information security initiatives. They're business-focused and shouldn't be bothered or even care about technology or the liabilities associated with their information, right?

20) Use passwords that consist of your pet's name, your name, your mom's maiden name, or your birthday. That way, you won't forget them. Better yet, just use "password" for your passwords. Also, don't forget to write them down and post them on your monitor or keyboard.

And, last but not least:

21) Leave your servers and network equipment in a room to which everyone, including outsiders off the street, has access.

By following these practices you can be sure that your computers will be an easy target for viruses, disgruntled employees, hackers, and others. You can show up to work each day with the pride of knowing that there's an excellent chance that your business data will be missing when you arrive. It's just a matter of time, and it's all easily achieved.
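Item 15 is the one on this list that most often fails silently: the nightly job runs, the archive lands on disk, and nobody discovers until the outage that it cannot be restored. The following is an added example, not part of the original article, of what "testing your backups" means in practice: record a checksum at backup time, then prove the archive is intact, unpacks, and reproduces the source tree. It assumes a POSIX shell with GNU-style tar, sha256sum, diff and mktemp; the directory layout and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: back up a directory and verify the backup by an actual
# test restore. Assumes tar (with gzip), sha256sum, diff and mktemp are
# available. Paths and sample data below are constructed, not from the article.
set -eu

# make_backup SRC_DIR ARCHIVE
# Writes ARCHIVE (tar.gz of SRC_DIR) and ARCHIVE.sha256 with its digest.
make_backup() {
    src="$1"; out="$2"
    tar -czf "$out" -C "$src" .
    sha256sum "$out" | awk '{print $1}' > "$out.sha256"
}

# verify_backup SRC_DIR ARCHIVE
# Returns 0 only if all three checks pass; prints the failing stage on stderr.
verify_backup() {
    src="$1"; archive="$2"
    restore_dir=$(mktemp -d)

    # 1. Integrity: the archive still matches the digest recorded when it was
    #    written (catches truncation, media errors and tampering).
    expected=$(cat "$archive.sha256" 2>/dev/null || true)
    actual=$(sha256sum "$archive" | awk '{print $1}')
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "FAIL integrity: checksum mismatch for $archive" >&2
        rm -rf "$restore_dir"; return 1
    fi

    # 2. Restorability: an archive that will not unpack is not a backup.
    if ! tar -xzf "$archive" -C "$restore_dir" 2>/dev/null; then
        echo "FAIL restore: could not extract $archive" >&2
        rm -rf "$restore_dir"; return 1
    fi

    # 3. Completeness: the restored tree must match the live data
    #    (a stale or partial backup shows up here).
    if ! diff -r "$src" "$restore_dir" >/dev/null; then
        echo "FAIL completeness: restored data differs from $src" >&2
        rm -rf "$restore_dir"; return 1
    fi

    rm -rf "$restore_dir"
    return 0
}

# --- Demonstration on constructed data ---------------------------------------
work=$(mktemp -d)
mkdir -p "$work/data/db"
printf 'id,name\n1,alice\n2,bob\n' > "$work/data/db/customers.csv"  # constructed
printf 'retention=30d\n'            > "$work/data/settings.conf"     # constructed

make_backup "$work/data" "$work/nightly.tgz"
if verify_backup "$work/data" "$work/nightly.tgz"; then
    echo "nightly.tgz: test restore OK"
fi

# A damaged copy: truncated archive, but the recorded digest is unchanged.
head -c 64 "$work/nightly.tgz" > "$work/damaged.tgz"
cp "$work/nightly.tgz.sha256" "$work/damaged.tgz.sha256"
if ! verify_backup "$work/data" "$work/damaged.tgz"; then
    echo "damaged.tgz: correctly rejected"
fi

rm -rf "$work"
```

The three stages are deliberately separate: a checksum alone proves only that the bytes on disk are the bytes you wrote, not that they unpack or that they still describe the current data. Run `verify_backup` on a schedule against a copy pulled from the off-site location, so the test exercises the media you would actually restore from.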