4. Failing to explain the obvious
Admins assume only an idiot would click on a random file attachment, follow a link to a malware-infested site, or react to a fake virus alert by installing fake antivirus software that's actually malware. But the fact is phishing emails have become very, very good, and if you've never seen what happens when your real antimalware software detects a Trojan, how do you know what's fake and what isn't? Users need structured security training, along with prompt warnings when phishing exploits circulate. Training needn't take long but must be ongoing.
5. Assuming invulnerability
Firewalls, intrusion detection systems, security event monitoring, network monitoring, two-factor authentication, identity management ... your company has it all. Nobody is getting in! Yet the sad fact is if you have something to steal, you've already been hacked. Wrapping one's head around that idea creates the proper mind-set -- to encrypt critical information at rest, to avoid enabling permanent admin privileges, and to implement other measures that minimize damage after bad guys cross the perimeter.
6. Succumbing to fatalism
I often think that many enterprises know how horrific the problem is. But what can they do? The professionals who launch APTs (advanced persistent threats) are almost unstoppable. The financial industry sees the many billions lost to fraud and cyber theft each year as part of the cost of doing business. We're all going through the motions. The bad guys have won.
There's an element of truth to this last point, since exploits are always one step ahead of defenses. Yes, attacks are inevitable -- but that's no excuse for laxity when it comes to best practices, which vastly reduce the attack surface area.
Procedural change of any variety messes with people. But letting sloppy security practices persist will almost certainly make you a big, fat target. Which will it be? Bureaucratic inertia tinged by persistent fear? Or the discomfort of adding overhead in order to slash risk dramatically? You may never see a commensurate reward for the latter, but personally, I prefer being able to sleep at night.