Year of the High-Profile Hack taught web developers nothing about security

Obvious, heavily exploited flaws like SQL injection and XSS are still present in the majority of new web apps

By  

No one pays the right amount of attention to security. After more time covering IT than most people have worked in it, the only rule I've ever found to be accurate about corporate security is that no one has a good handle on either digital or physical security.

Most companies are so clueless about holes in their airtight defenses that they'll brag about their anti-spam or intrusion protection while strangers wander in from the sidewalk to use the CISO's private rest room while the CFO drags an oversized bank bag filled with "laundry" toward the nearest exit on the way to a "vacation" in the Cayman Islands.

Companies that do pay some attention to security, on the other hand, end up so obsessive about the smallest risk the whole company behaves as if they manufactured guilty consciences and just heard Jason Bourne was spotted outside.

There are some things that are really hard to miss, though.

Build an email network with no spam filters and your employees will spend all their time deleting spam and trying not to drown in malware.

Decide encryption would be too high a barrier for employees trying to use the WLAN to work wherever they are in the building, and you'll spend yourself broke buying bandwidth or decide you can live with a WLAN saturated by leeches who'd rather use your IP address than their own to download pirate files.

If you build applications rather than just support them, the specific issues are different, but it is at least as important to build systems without gaping, obvious flaws that can be exploited by the most common types of attack.

SQL injection, for example, was used to take down at least 18 Sony sites and networks earlier this year by, apparently, every hacker in the world, waiting in single file to attack another site as soon as the previous one was finished.

XSS (cross-site scripting) is such a well-known and widely exploited vulnerability that elementary school kids use XSS exploits to log in to their accounts at school because it's simpler than trying to remember a good password.
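Both flaws have the same root cause: untrusted input is pasted into text that is later parsed as code. As an added illustration (not code from the column), here is a name lookup that splices input into SQL beside the parameterized form, plus the output-encoding fix for the XSS case, using only Python's standard library on a constructed in-memory table:

```python
import html
import sqlite3


def make_db():
    # Constructed sample table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("o'brien", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The flaw: the input becomes part of the SQL text, so any quote
    # character inside `name` changes the structure of the statement.
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    # The fix: a bound parameter is always treated as data, never as SQL,
    # so a legitimate apostrophe in a name cannot alter the query.
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def vulnerable_breaks_on(conn, name):
    # True when the concatenated query fails to parse for this input,
    # which is exactly the symptom that injection attacks build on.
    try:
        lookup_vulnerable(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def render_greeting(name):
    # Output encoding: the matching fix for reflected XSS. Browser-significant
    # characters in the input are rendered as text, not parsed as markup.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```

The same apostrophe that works fine through the bound parameter is enough to make the concatenated query unparseable, which is the defect an attacker turns into an injection.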
