Have you ever thought about the best ways to be negatively affected by a disaster, get hacked, or otherwise part with data stored on your computers? Here are some of the best ways to lose system security, in no particular order:

1) When an employee quits or is let go, leave his network log-ins and e-mail accounts enabled. You never know when he might want to check in on things.

2) Rely solely on technology. Firewalls, encryption and antivirus software are all you need to protect your information.

3) Completely outsource your information security initiatives. There's no need for anyone inside your organization to worry about such matters.

4) Leave your operating systems and software applications with the default settings. System hardening is for the birds.

5) Don't train your users on your security policies and what to look out for, such as unsolicited e-mail attachments and common hacker activities. Your users can't be burdened with more training.

6) If you do happen to have a security policy, never refer to it, enforce it, update it or do what it says.

7) By all means, don't take an inventory of your information systems or document your network.

8) Don't pay attention to or even bother to understand what you're trying to protect.

9) Don't patch your software or update your virus signatures, and never, ever run vulnerability assessments to detect newly discovered software flaws and system misconfigurations. It's just too time-consuming.

10) Respond to hacker attacks, viruses and other intrusions as they happen -- don't be proactive in dealing with them.

11) Ignore all known best practices and international information security standards from the International Standards Organization, Internet Engineering Task Force, SANS Institute and your local information security consultant, to name a few.

12) Leave your databases, especially those containing credit card or other confidential information, unencrypted. And be sure to store them on publicly accessible servers.

13) Run your business without disaster recovery and business continuity plans. After all, you can think clearly and make critical decisions under pressure, right?

14) Don't monitor your systems. They'll be fine running by themselves, and if anything major happens with the integrity or availability of your information, you'll be notified automatically, won't you?

15) Don't back up your data, but if you must, don't test your backups. Also, leave your backup media on-site -- preferably sitting on top of an uninterruptible power supply.

16) Don't create any security policies that document how you're safeguarding your information to protect your organization and clients from information disasters and legal liabilities.

17) Apply the principle of greatest privilege. Give all users the greatest amount of access to your information systems. Everyone should have access to everything -- it's only fair, right?

18) Don't subscribe to security bulletins and mailing lists, and don't ever read information security trade magazines.

19) Don't, under any circumstances, get upper management involved in information security initiatives. They're business-focused and shouldn't be bothered or even care about technology or the liabilities associated with their information, right?

20) Use passwords that consist of your pet's name, your name, your mom's maiden name, or your birthday. That way, you won't forget them. Better yet, just use "password" for your passwords. Also, don't forget to write them down and post them on your monitor or keyboard.

And, last but not least:

21) Leave your servers and network equipment in a room to which everyone, including outsiders off the street, has access.

By following these practices you can be sure that your computers will be an easy target for viruses, disgruntled employees, hackers, and others. You can show up to work each day with the pride of knowing that there's an excellent chance that your business data will be missing when you arrive. It's just a matter of time, and it's all easily achieved.