IT security expert Stephen Mencik tells us that most security problems are the result of carelessness and human error. Here are ten common security mistakes.
1. Failing to change the administrator password once the system is up and running. Many times IT professionals are so happy to get the system running properly that, months later, they discover the password is still “admin.”
2. Failing to assign different access levels to users. Some small and even midsized companies give every employee administrative access to the company database, opening critical information to everyone in the company. Access controls are key.
3. Failing to properly back up system information. Frequency is the name of the game. The number of backups depends on how critical the data is and how often it changes. In most companies, the information should be backed up every day.
4. Running too many types of applications on the same server. There’s no reason why a company should run its database on its mail or Web server. Attacks geared at a mail server won’t have access to the database if it’s on a different server.
5. Failing to install security patches provided by the software vendor. Companies should make sure they are on software vendors’ mailing lists and be up to date on any security advisories that are released. Patches should be tested with an offline replica of the system. Offline testing requires more hardware than some businesses own, but it’s crucial to good security.
6. Failing to create a company security policy and failing to educate employees. Companies serious about securing their database information should provide training to their employees. Some employees have their names and passwords written on Post-it notes stuck to their computers. Forcing employees to change their password every 60 to 90 days is a simple way to counter that sort of sloppiness.
7. Forgetting to run an audit. Companies often fail to audit their servers, or they don’t know what to look for when they do conduct audits. A person trained to find anomalies, such as a certain user name with a lot of password failures, can often catch who is trying to break into the system.
8. Inadequate contingency planning. Many businesses fail to place backup tapes in a secure area. Fire or water damage could cause a company to lose both its primary and backup information if the backup tape isn’t stored properly. Buy a safe.
9. Letting the office sprinkler system soak the server. Most offices have a sprinkler system to reduce the spread of fire — which is a good thing. These systems often damage computer equipment and wipe out critical information — which is a bad thing. When installing a system for the first time, consider the physical environment and prepare a special computer room with the proper fire suppression equipment.
10. Neglecting the antivirus software. Getting automatic updates will reduce the number of viruses that attack a computer system. Many companies are running antivirus software that is out of date. Run antivirus software on the e-mail server to check messages that come in before they hit company computers. Use desktop antivirus software only as a backup.
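One way to mechanize the audit check described in item 7 (a user name with a lot of password failures), as an added example that is not part of the original article: a short Python script that scans authentication log lines, counts failed password attempts per account, and flags accounts where a successful login arrives after the failures pile up. The sshd-style log format, the sample lines and the threshold of five failures are assumptions.

```python
import re
from collections import Counter

# Constructed sshd-style authentication log lines (sample data, not from a real system).
SAMPLE_LOG = """\
Mar 10 08:01:12 db01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:01:15 db01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51124 ssh2
Mar 10 08:01:19 db01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51130 ssh2
Mar 10 08:01:22 db01 sshd[2211]: Failed password for invalid user oracle from 203.0.113.7 port 51133 ssh2
Mar 10 08:01:26 db01 sshd[2211]: Failed password for admin from 203.0.113.7 port 51140 ssh2
Mar 10 08:02:03 db01 sshd[2214]: Failed password for admin from 203.0.113.7 port 51151 ssh2
Mar 10 08:02:40 db01 sshd[2218]: Accepted password for admin from 203.0.113.7 port 51160 ssh2
Mar 10 09:15:01 db01 sshd[2301]: Failed password for jsmith from 198.51.100.20 port 40011 ssh2
Mar 10 09:15:30 db01 sshd[2302]: Accepted password for jsmith from 198.51.100.20 port 40012 ssh2
"""

# Assumed log format: OpenSSH "Failed password" / "Accepted password" messages.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted password for (?P<user>\S+) from (?P<ip>\S+)")


def find_suspicious_users(log_text, threshold=5):
    """Scan log lines in order; return {user: (failures, source_ips, success_after_burst)}
    for every user whose failed password count reaches `threshold`.

    success_after_burst is True when an accepted login for that user is logged after
    the failure count already reached the threshold: a possible successful guess, which
    an auditor should escalate ahead of accounts that are merely noisy."""
    failures = Counter()
    sources = {}
    success_after_burst = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("user")] += 1
            sources.setdefault(m.group("user"), set()).add(m.group("ip"))
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group("user")] >= threshold:
            success_after_burst.add(m.group("user"))
    return {user: (count, sorted(sources[user]), user in success_after_burst)
            for user, count in failures.items() if count >= threshold}


if __name__ == "__main__":
    for user, (count, ips, escalate) in sorted(find_suspicious_users(SAMPLE_LOG).items()):
        flag = "ESCALATE: login succeeded after failures" if escalate else "review"
        print(f"{user}: {count} failed logins from {', '.join(ips)} [{flag}]")
```

On the sample data only `admin` reaches the threshold, and it is flagged for escalation because the accepted login follows five failures from the same address.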