Security rule No. 1: Assume you’re hacked

Security rule number one

By Roger Grimes, Security Adviser for InfoWorld Security Central

A recent Forbes magazine article advised readers to assume that their companies have been hacked. Some readers have asked me to weigh in, and here’s my assessment: The article is slightly hyperbolic, but all in all, it’s a pretty accurate assessment. Most companies are actively hacked, and their sensitive data is being stolen and leaked to outsiders.

Many readers might find such statements inaccurate and unsupported, and they may wonder where the documented evidence is to back up these sweeping claims. True, there is no survey data to prove the conclusion. Surveys and interviews can only measure known hacking incidents; it’s hard to measure the known unknowns. But in this case, there is strong anecdotal evidence.

Every company I’ve dealt with has had dozens of big security vulnerabilities. The IT employees that I interview admit that their company’s defenses are unevenly applied and that they know of many more major security holes that I haven’t found in my limited review. Rarely are these security issues new; most are several years old and well known by IT management.

There’s a chance that your company is not hacked, but in today’s uber-active crimeware environment, it’s unlikely. If you aren’t hacked, you’re either extremely good (with full management support and resources) or lucky.

[read the full article]

Image courtesy flickr user purpleslog via CC 2.0
