Here's a shocking fact I've learned from 25-plus years of security consulting: Most security projects fail to improve the safety of the organizations launching them. Security will be compromised as frequently after the project as before.
To put it bluntly, most computer security projects are a waste of time and money.
One reason for this dysfunction is that organizations launch far too many projects with woefully unrealistic expectations about their impact and the effort required to do them right. The fact is, if companies did a better job at just two defenses, they would be far better protected than if they completed the dozen-odd projects they're attempting to pull off.
In many cases, the two defenses I recommend are inexpensive or even free. They don't require multi-million-dollar projects dragged out for more than a year. They don't demand cutting-edge solutions. They simply require that organizations do a better job at two things they've been told to do for decades. And guess what? They work.
Stop users from executing malicious programs
Most computers are compromised because users launch malicious programs. It's that simple. That's why application control is the single best thing you can do to improve computer security in your company.
The classic example is the fake virus alert, which prompts the user to install antivirus software that's actually malware. But of course this ploy extends to other "apps" purporting some benefit, from games to Windows utilities that are actually malware or spyware. The classic email attachment ruse still finds suckers who blithely double-click on malware pretending to be everything from an invoice to a video of the Zumba lady.
Serious, mandatory training for end-users helps a lot, but you can never prevent all users from launching this stuff all the time. The most secure way to stop users from executing malicious programs is to deploy an application control or whitelisting program. I've talked a lot about the benefits of application control programs and even did a comparative review a few years ago. I've worked with most of them, and they've all improved over time.
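A concrete starting point on Windows, added here as an example and not taken from the original column or any product it reviewed: AppLocker, which ships with the enterprise editions of Windows, rolled out in audit mode before anything is enforced. The reference directories, the output path and the sample downloaded file are assumptions for illustration; run it elevated on a clean reference build.

```powershell
# Added example (not from the original column): a minimal AppLocker rollout
# that starts in audit mode, so nothing is blocked until the allowlist has
# been checked against real usage. Paths below are assumptions; adjust them
# to your own reference build.

# 1. Inventory a clean reference machine and build rules from it.
#    Publisher rules are preferred (they survive patching); unsigned files
#    fall back to hash rules. Path rules are deliberately left out: a path
#    rule on any user-writable directory is a trivial bypass.
$files = @()
foreach ($dir in 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)') {
    $files += Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}

$xml = New-AppLockerPolicy -FileInformation $files `
           -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 2. Flip every rule collection to AuditOnly. Anything not on the allowlist
#    is logged to the AppLocker event log instead of being blocked.
$xml = $xml -replace 'EnforcementMode="[^"]*"', 'EnforcementMode="AuditOnly"'
$policyPath = 'C:\Temp\applocker-audit.xml'     # assumed output location
Set-Content -Path $policyPath -Value $xml -Encoding Unicode

# 3. Before applying, test what the policy would do to a sample of real files.
#    A downloaded installer sitting in a user profile (assumed sample file)
#    should come back DeniedByDefault.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path 'C:\Users\Public\Downloads\invoice.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Apply locally (use -Ldap to target a GPO instead) and make sure the
#    Application Identity service, which AppLocker depends on, is running.
Set-AppLockerPolicy -XmlPolicy $policyPath
sc.exe config appidsvc start= auto
Start-Service -Name AppIDSvc

# 5. After a week or two, review what would have been blocked. Each entry is
#    either a legitimate app that needs a rule or a user running something
#    they should not. Only when this list is clean do you change AuditOnly
#    to Enabled in the XML and re-run Set-AppLockerPolicy.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics |
    Sort-Object Counter -Descending | Select-Object -First 25
```

The audit period is the part most rollouts skip, and it is why they get rolled back: enforcing on day one blocks some line-of-business tool nobody inventoried, and management pulls the plug. Staying in AuditOnly until the log is quiet turns the same policy into a list of exceptions you can defend.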
Yet in many cases senior management will not back strict application control. I understand that. I know the challenges -- especially the abundance of new downloadable apps, mobile ones in particular, that carry real productivity benefits. But understand that without strict application control you will not be able to reduce malware risk in your environment beyond a certain point.
A less stringent approach is to allow users to download and install programs only from trusted application stores that review the apps they carry. Apps from trusted stores are sometimes found to be vulnerable or to have privacy problems, but by and large those are the exceptions, and when caught they are pulled from the store. Plus, most apps installed from a store are updated automatically when security issues are discovered and patched. That's good for everyone. Keep in mind, though, that a store-only policy covers what the store distributes; it does nothing about the email attachment or the web download, so it reduces the exposure rather than closing it.