Security's Everyman

Friday, March 14, 2008

Information Security is a people problem

I know this has been said before, but it needs to be said again and again until we ALL finally get it. Technology isn't going to solve the problem by itself because there are too many flaws in how it is coded, deployed or maintained. Then there is the whole matter of people who come up with ways to get around what has been put in place. Once one person figures it out they tell two friends, and they tell two friends, and so on and so on...

Amrit talks about how securing just the desktop alone can cost a small fortune for a company. Douglas Schweitzer talks about how we seem to be in a losing battle. NetworkWorld has an article from ComputerWorld on how Execs fear the security risks of remote workers but still have to deal with them.

I mention all of these to highlight some of the problems and issues that we face every day, whether you are a company dealing with securing workers or a worker who has to be secured. The thing is that we are constantly under attack, the attacks are getting better and better, and technology is having a hard time keeping up. Even when it is up to date there are still the issues of misconfigurations, wrong deployment scenarios, wrong technology for the environment or threat, workarounds, etc. It's also been said before that the best technology can't stop stupidity, apathy, or someone who is determined to get around it (in most cases). Until everyone, including IT and security pros, get their act together we will continue to have big problems.

What do I mean by this? Let's start with the IT/Security Pros. As long as we have people who don't know what they are doing trying to do things that they aren't qualified to do, we will have issues. As long as we have people who are apathetic and don't bother to ensure that they have the proper controls in place and that they are properly deployed, configured and maintained, we will have issues. As long as we have those in this field who feel that they are above the law (or policy) and continue to skirt the rules, we will have issues. IT and Security have to take the lead (assuming management buy-in) in doing things in the best way possible.

Then the users have got to get their act together. They have got to quit being so click-happy and so focused on the next "cool site" or funny Flash animation. They have got to quit being so enamored with the Internet, email and IM that they lose all common sense. I'd like to say that there is no reason for them not to be aware of the threats, but it seems that I can't. Actually, I can say it. There is no reason. There has been enough media coverage to let everyone in on the secret. The problem is that they think that it will not happen to them, and so they ignore it. That doesn't mean that we don't need to continue to educate and get the word out, but people just can't use the ignorance excuse anymore. Although I am surprised at the questions and looks I get from people when I talk about some of the attack vectors and threats that are out there. Even people in IT sometimes look at me with that deer-in-the-headlights look.

Technology is a very important part of securing our networks and systems but it has to be paired with common sense and good security practices. If we could get people to do their part then we wouldn't need to spend hundreds of thousands of dollars per year to secure the company............ huh?, what?, just five more minutes mom, please. I promise I'll get up in 5 minutes......zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

This work is licensed under a Creative Commons Attribution-NC-SA 3.0.