And if rogue software troubles your sleep, imagine a bigger nightmare: rogue networks. People often think nothing of bringing in insecure devices and logging on to the corporate LAN, says Evans. He cites one instance at a major financial institution in New York where an employee brought in a Wi-Fi enabled laptop. He then began broadcasting an unencrypted, ad hoc wireless network with the name "Apartment" across parts of lower Manhattan, inadvertently connecting to another network and opening an unsecured bridge into the financial institution.
"You cannot predict where wireless is going to be," he says, which is why ISS recommends performing periodic vulnerability scans of clients' offices for unauthorized hardware, including Wi-Fi devices.
He says enterprises may move to a security-on-demand model, where the network automatically scans your device and, if it determines that it's insecure, takes appropriate corrective actions, such as downloading an agent to secure the device for however long you need to log on.
"At a high level you have policy and technology measures that govern what people can and can't do with their machines," says CTG's Moyle. "But in any organization of any size, there will always be nooks and crannies where it's hard to find out what's really going on."
The Compliance Secret Hiding in the Closet
When hackers attack your VoIP system, when employees take sensitive data home on thumb drives, when configuration errors or rogue software takes down your network, it's not just an IT disaster, it's increasingly a compliance problem. And when organizations ignore this reality, it can easily put them in Dutch with state and federal laws.
"Under [California law] SB 1386, people know if a laptop with personally identifiable information on it gets stolen they must disclose that," Moyle says. "But they don't understand that if you put the same data on a thumb drive and bring it home with you, and your home machine has been compromised by spyware, you're still required to disclose that the data has been compromised. They don't know they're out of compliance. It's a huge problem."
But keeping up with the reporting requirements of laws such as SB 1386, HIPAA, Sarbanes Oxley, the Gramm-Leach-Bliley Act, and all the rest too often becomes a primary responsibility of IT pros who already have full-time jobs. Combine that with poorly understood requirements and poorly defined IT controls, and you have a recipe for regulatory disaster.
Little wonder then that IT firms are struggling more with their SOX audits this year, says Wynn White, Oracle's senior director of security and identity management.
"One dirty little secret of compliance is that the bar keeps getting raised, and what met the requirements a year ago isn't working this year," White notes. "I've spoken with a number of customers who failed this year's audits even though they passed the year before."
Ed Hill, managing director of IT audits at Protiviti, a risk management consultancy, says the most likely reason is IT orgs didn't correct problems noted on last year's audits.
"If you have a deficiency one year that's not deemed 'significant,' and you don't do anything to alleviate it, the next year it almost always becomes significant because it's a repeat finding," Hill notes.
White says there's no simple solution, but he has hope. "It's been ugly for the last couple of years, but our customers understand they need to take a number of steps to become compliant, and that no single solution will do it for them."
In organizations that lack a formal compliance team, dealing with compliance issues saps IT resources that could be used to build the business, says CTG's Moyle. "They still need to build that customer tracking application they promised, but now they have fewer resources to do it."
Read more about networking in InfoWorld's Networking Channel.