Batye suggests a more “proactive approach” to security, such as internal and external testing for security holes; a system for downloading, installing, and configuring updates and patches; and regular security hardware upgrades. Does your budget value security? It will show in your vulnerabilities…

Chippy088 makes a familiar point, which ErroneousGiant seconds: The weakest link is the user.

Because they think you have the system well protected, they don’t care where they browse, or what they download. They are, in the main, non technical, and think it’s covered, or have not been made aware of the dangers. The attitude being, I haven’t had a problem at home, so what harm can it do. I have seen many small companies who regard the user as a minor consideration when making security decisions.

He also warns against social networks, which often create a back door entry point into companies. His suggestion? “Aggressive methods.” Company policy should reflect possible vulnerabilities, and internal methods such as penetration testing could be done without too high a cost.

While ErroneousGiant agreed with Chippy on some things, he was willing to take responsibility, as an administrator, for either “preventing users from putting the company at more than accepted risks or to educate the users about the risk. The IT team are just as responsible for any breach by either not verify[ing] security properly, not having the correct security in place, or not shouting loudly enough if it’s not in place.”

Newer member Ekardris presents an interesting argument and plan of action:

We all know that users inside and outside the organization are going to attempt to breach security. (Whether they meant to or not) Therefore we have to plan that it will happen, and not be surprised afterwards that it did happen. Our job is to devise systems that will keep 98% of attempts made by amateurs and the ignorant from being effective.

Then plan contingencies for the 2% who we can’t stop from breaking through our security.

He says that most users assume they’ll be kept out of places they shouldn’t be, and so when they discover access to off-limits places, the blame for what happens next falls on IT. It doesn’t take a sophisticated hacker for the most part; there are gaping holes in enterprise security in most places. Some of the most obvious mistakes Ekardris finds:

• Administrative accounts being used by multiple people
• Common knowledge within the organization or IT department of the Admin password
• Tracking turned off on corporate data files
• Service accounts that are compromised or are the Administrator
• No Security Policy documented
• No documentation on security groups, policies and/or explicit rites
• Inconsistent backups
• Poor understanding of router and firewall ports
• Only one security wall between the corporate data and the internet

In answer to these d’oh! moments, he included some tips for companies avoiding Sitting Duck syndrome:

• Continuous auditing with the IT groups. Focusing specifically on corporate requirements, industry best practices, corporate policies and procedures.
• Reviewing contingency plans in case of failure and security breaches.
• Assigning a “security” role that focuses specifically on the organization’s security. This role would be responsible for reviewing corporate security policy, continually gathering security requirements from departmental stake holders, managing security audits within the organization, and maintaining a discussion around these issues within the entire business organization

For more from Ekardris and some of the red flags he’s come across during audits, check out his full response here.

How is your company handling the heightened awareness of security these days? Have you seen some of these vulnerabilities or implementations in your own industry? Let us know in the comments section or email me at Melanie@ITKnowledgeExchange.com.

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.

After less than a minute of sitting in the session, Brandon Savage of Box.net was in the middle of addressing the point of “IT as a bottleneck.” IT causes reluctance to move despite the opportunity for improvement. A woman in the audience who works for a pharmaceutical company on the IT side, asked about building solutions rather than buying a massive, large-scale solution. Her company, she said, prefers to implement bit by bit, testing and measuring (and beating dead horses) along the way. The panel’s treatment of IT departments was suddenly proven correct.

But not all IT departments want to throw a wrench in the productivity wheel. Another man in the audience questioned what to do when faced with end users who couldn’t care less about major systems like SharePoint. “When they’re outside the firewall, they just want the simplest option,” he said. Google Docs was named as the main rogue weapon of choice for those in no-firewall’s-land, but Savage dropped DropBox’s name as another form of employees going rogue. Savage took his opportunity to explain how Box.net is a better option than DropBox, with its ability to track files once they’re out in the wild, whether it’s who’s looking at what, how many times, and from what IP address.

Is IT fighting a losing battle?

Capabilities such as Box.net’s tracking features provide some hope that IT isn’t on its own. The search for a simple, user- and IT-friendly solution isn’t completely in vain, as long as IT departments keep some tips in mind.

• Don’t just say “no.” Just because you know all of the reasons that sending the clients’ account information via Google Docs doesn’t mean that Bill from sales will know. One of the audience’s voiced complaints about IT departments is that they’re not helpful enough. Explaining why the extra steps to access SharePoint instead can save you headaches now and later.

• Be proactive. Savage says that the majority of sales leads at Box.net are incoming from IT departments. While it may be a thorn in your foot that consumer applications are shiny, attracting every Joe Schmo at your company, they are necessary for pushing enterprise vendors. Savage pointed out that as long as there are consumer application start-ups with fewer obstacles for their end-users, they will outpace enterprise solutions. “As consumer applications become more accessible and used, it opens the end users’ eyes to the ease that’s possible, but also opens IT’s eyes to the vulnerabilities.”

What are your concerns when it comes to outside perceptions of IT? How does your company keep communications open amongst departments?

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.

II. We must apply active defenses. It’s no longer enough to apply the automatic patches and call it a day: Just like the DoD, IT departments need to proactively root out threats before they bring down the network and, from an operational standpoint, always assume security is compromised and work to minimize vulnerability.

III. Critical infrastructure on which the military relies must also be secure. Losing Internet connectivity, power or even a functioning financial system would cripple the United States’ military readiness, and IT departments are the same way: Are your VAR’s on steady ground? Will your vendor be around in 2 years, and just as importantly, will their technology do what you need it to do? IT is an ecosystem that extends well beyond your farther firewall.

IV. We are building collective defenses with our allies. Too much is at stake to lock down your network and your knowledge, even if the business side would let you. Today’s IT departments need to support gracefully adding temporary workers on loan from other businesses, giving them simple access to what they need while securely cordoning off what they don’t, and then closing those rights when the work is done. There’s a lot of work to be done here, as 10% of IT professionals report they can still access sensitive administrative rights … at their previous jobs.

V. Drawing on outside resources. The military has taken a more proactive approach, alerting private sector companies of security risks it discovers while also partnering to look for solutions to tomorrow’s problems. We have a simple way to build your own public-private partnerships: The ITKnowledgeExchange forums and community, but there are numerous other great opportunities from local meetups (which often have free chow!) to conferences and IRC chats. Connecting with your peers can not only answer your current problem, but help ensure you avoid future pitfalls.

And while it wasn’t a solid pillar, Lynn did close by highlighting the importance of making technology careers “cool” to kids, stating that the United States desperately needed more technical individuals to help prepare for the future. Mentoring and encouraging others in the field is not only the right thing to do, but it helps make the workplace a more team-minded, positive environment.

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.