Another question I usually ask customers is whether they expire passwords in a timely manner. They almost always say they do, and when I check the global system policy it says the same. But then I check individual accounts and find dozens to hundreds of exceptions. Usually the more powerful the account, the more likely it's never been changed.
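The check described above, policy versus per-account reality, can be scripted. The following is an added example, not code from the original column or from InfoWorld: it audits a constructed account export (field names, the "never expires" flag and the privileged marker are assumptions; in a real directory they would map to the account's password-last-set timestamp, its password-never-expires flag and group membership) against a maximum password age, and lists the exceptions with the most powerful accounts first.

```python
from datetime import date, timedelta

# Constructed sample export of user accounts (not real data). Each record
# carries the fields an auditor would pull from the directory: when the
# password was last set, whether the "never expires" flag overrides the
# global policy, and whether the account holds elevated rights.
ACCOUNTS = [
    {"name": "jdoe",            "pwd_last_set": date(2024, 4, 20),
     "never_expires": False, "privileged": False},
    {"name": "asmith",          "pwd_last_set": date(2024, 1, 10),
     "never_expires": False, "privileged": False},
    {"name": "domainadmin1",    "pwd_last_set": date(2023, 11, 15),
     "never_expires": False, "privileged": True},
    {"name": "svc_backup",      "pwd_last_set": date(2019, 3, 1),
     "never_expires": True,  "privileged": True},
    {"name": "helpdesk_shared", "pwd_last_set": date(2024, 5, 1),
     "never_expires": True,  "privileged": False},
]


def find_expiry_exceptions(accounts, max_age_days, today):
    """Return accounts that violate the stated password-age policy.

    An account is an exception if its per-account "never expires" flag
    bypasses the global policy, or if the password is simply older than
    the policy allows. Privileged accounts are listed first because they
    are the ones the column says are most often left unchanged.
    """
    cutoff = today - timedelta(days=max_age_days)
    exceptions = []
    for acct in accounts:
        reasons = []
        if acct["never_expires"]:
            reasons.append("never-expires flag overrides global policy")
        if acct["pwd_last_set"] < cutoff:
            age = (today - acct["pwd_last_set"]).days
            reasons.append(f"password age {age}d exceeds {max_age_days}d")
        if reasons:
            exceptions.append({
                "name": acct["name"],
                "privileged": acct["privileged"],
                "reasons": reasons,
            })
    # Privileged accounts first, then alphabetical for stable output.
    exceptions.sort(key=lambda e: (not e["privileged"], e["name"]))
    return exceptions


def audit_summary(accounts, max_age_days, today):
    """Summarise the gap between the written policy and the accounts."""
    exceptions = find_expiry_exceptions(accounts, max_age_days, today)
    privileged = [e for e in exceptions if e["privileged"]]
    return {
        "total_accounts": len(accounts),
        "exceptions": len(exceptions),
        "privileged_exceptions": len(privileged),
        "names": [e["name"] for e in exceptions],
    }


if __name__ == "__main__":
    # Fixed "today" so the output is reproducible (constructed audit date).
    as_of = date(2024, 6, 1)
    for e in find_expiry_exceptions(ACCOUNTS, 90, as_of):
        tag = "PRIVILEGED" if e["privileged"] else "standard"
        print(f"{e['name']:16} {tag:10} {'; '.join(e['reasons'])}")
    print(audit_summary(ACCOUNTS, 90, as_of))
```

Running it against the constructed export shows the pattern the column describes: the global policy says 90 days, yet four of five accounts are out of policy, and both privileged accounts are among them. The same function runs unchanged over a real export once the records are mapped to these field names.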
Another one of my favorite questions: What is the No. 1 way your company is exploited? Many will respond correctly, "Socially engineered Trojans, like fake antivirus programs." I then ask if they include a screen image of their legitimate antivirus program in their end-user education materials. They always, always say no. But what is worse is that no company has ever followed through on my suggestion and showed their end-users what their antivirus program looks like.
Breaking the inaction plan
Most security experts I know deliver dozens and dozens of security findings to each client they are hired to audit. It's not unusual for an audit report to be more than 100 pages long. And yet after reading the report and signing off on the report's findings, most clients do nothing. You can point out the most critical fixes and suggest which ones the company should implement first, then come back a year later and discover that not one fix has been implemented. This isn't just my experience. It's a common lament I've heard from all of my peers.
I can't blame any one client's computer security team, because the pattern holds for nearly every team I meet. Of course I see good teams and bad teams, but almost none of them make any progress. It must say something about companies in general and how hard it is to change the status quo. Today's big priorities are overwhelmed by tomorrow's bigger priorities. When you have a hundred things to fix ASAP, they get lost in the bustle of today's critical emergencies and tomorrow's new management directives.
More and more I think the secret to improving security is to concentrate on a single item to fix in a given period. I understand that you'll always have dozens and dozens of fixes to make. But focus on finding the biggest security problems and resolve to repair one of them before even thinking about the second. You can't effectively juggle multiple priorities, no matter how much management wants you to.
You want to be my hero? Fix one item. You'll be ahead of most of your peers.
This story, "One simple step to better network security," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes's Security Adviser blog at InfoWorld.com.