When you look at the worst corporate security breaches, it's clear that network managers keep making the same mistakes over and over again, and that many of these mistakes are easy to avoid.
In 2008, Verizon Business analyzed 90 security breaches that represented 285 million compromised records. Most of these headline-grabbing incidents involved organized crime finding an unprotected opening into a network and using it to steal credit card data, Social Security numbers or other personally identifiable information.
Security breaches costs companies money. For instance, the security breach at Heartland Payment Systems has so far cost the company US$12.6 million including legal costs and fines from MasterCard and Visa.
What's astonishing is how often these security breaches were the result of network managers forgetting to take obvious steps to secure their systems, particularly non-critical servers.
Recently, Dimension Data assessed the networks of 152 clients and found 73 per cent of devices had vulnerabilities identified by Cisco.
"We're just not doing the basics," says Peter Tippett, vice president of innovation and technology at Verizon Business, who has been auditing security breaches for 18 years.
Tippett helped us put together a list of the simplest steps that a network manager can take to eliminate the majority of security breaches. Not to follow the items on this list would be, quite simply, stupid.
1. Not changing the default passwords on all network devices.
Tippett says it's "unbelievable" how often corporations have a server, switch, router or network appliance with the default password -- usually "password" or "admin" -- still enabled. Most CIOs think this problem could never happen to them, but Tippett sees it every day.
To avoid this problem, you need to run a vulnerability scanner against every device on your network with an IP address, not just the critical or Internet-facing systems, Tippett says. Then you need to change the default passwords that you find to something else. More than half of all the records that were compromised last year were the result of using a default password on a network device, according to the Verizon Business study.
2. Sharing a password across multiple network devices.