Comments on: Fiddling while Rome burned

Attorney Eric J. Sinrod says corporate America needs a wake up call--in the worst way--about data security.

where's the report?
by truth_teller September 6, 2006 8:45 AM PDT
citing a report that your readers can't access is poor journalism.....either get permission for others to see it, or don't cite it.

--Journalism 101
you HAVE enough resources to at least get started
by nanarita September 6, 2006 12:20 PM PDT
Companies need to start looking beyond the usual enterprise solutions, to find security applications that fit their needs AND their budgets. According to the 2006 CSI/FBI Computer Crime and Security Survey, unauthorized access is the second-greatest source of financial loss, and 32% of loss comes from insider threats. Email tops the list in theft and misuse of IP, something even (especially) the little guy is hit with. You can use a simple solution like Taceo that integrates with Outlook to protect email and documents from unintended access.

Average loss of email theft - $1,849,810
Theft of IP - $6,034,000
Unauthorized access to info - $10,617,000
Cost of Taceo to protect email integrity - $59

Read how one small company used Taceo successfully:
http://www.essentialsecurity.com/casestudies/jacobsen.htm
Or Use Linux $0
by slim-1 September 8, 2006 11:15 AM PDT
Problem solved. No need to spend a pile of money.

If this solution doesn't work then why are large companies like Autozone, Bank of America and Ernie Ball Guitar Strings and many others doing it?
The real reason corporate security policies aren't enforced
by aabcdefghij987654321 September 11, 2006 9:33 AM PDT
Quite simply the policies are put in place by people who have no connection to the real world where work is actually accomplished. Most corporate security policies have little or no flexibility and treat everything exactly like an end-user so if they were completely enforced the company would cease to function!

Requiring users to change their passwords too frequently or requiring excessive complexity means that more and more users actually write their password down so they can remember it. Longer passwords are more secure but when multiple legacy systems are combined and all require their own logins users flock to a common password for all systems (remembering one new password each xx days instead of four different passwords is simpler) and then the password is limited by the system with the least flexibility.

For example using the same login id between Windows networking and an IBM mainframe means that the Windows network password is limited to eight characters just like the mainframe password (or you end up remembering multiple passwords and users just don't go for that) despite the fact that Windows allows truly long passwords. Add a minimum password size of eight characters (a common value) and you end up with every user having an eight character password which ironically reduces the possible passwords and makes guessing passwords simpler.