InfoWorld - Security Adviser: 5 lessons from companies that get computer security right
Computer security is in tatters -- but not everywhere. Learn from the companies that know what they're doing
By Roger A. Grimes
JUNE 03, 2014
Most organizations are very bad at computer security.
They don't patch well, and they have short, simple passwords that don't expire. They have dozens to hundreds of people in elevated groups. They don't have a clue who has which permissions in their environment. Their networks are flat and often wide open to hundreds of contractors, business partners, and vendors. Defenses aren't appropriately prioritized, and they try and fail to accomplish dozens of projects at the same time. My average security audit findings report is well over 100 pages long and often contains dozens and dozens of critical findings.
It's no wonder companies get hacked successfully all the time.
Yet there are jewels in the rough. I know of a handful of companies that, despite the usual security challenges, seldom get hacked successfully. They implement a few defenses that are so successful at repelling badness that they outweigh other stuff that might have been missed.
I've discussed a few of these companies in the past, and in the intervening years, they have continued to offer a showcase for success. Unfortunately, I can't get any of them to let me brag about them by name -- probably a smart decision.
Each of these successful companies takes many measures to remain secure, but they also have commonalities. These are the traits shared by companies that are highly successful at securing themselves: