In anxious times, people look to Uncle Sam to keep them safe. But when it comes to cybersecurity, IT managers don't...
seem to be taking his advice.
Most admitted in a recent survey that they haven't adopted all of the "Seven Simple Computer Security Tips" the Department of Homeland Security's National Infrastructure Protection Center (NIPC) issued in 2002. Half have failed to follow three or more of the guidelines.
Less than half have heeded the government's call for different passwords at each computer and the use of software that requires passwords, the survey found.
"I can't say I'm surprised," said Myron Kerstetter, senior vice president for research firm TheInfoPro Inc. of New York, which surveyed 111 IT managers across a variety of industries in February for network security firm Secure Computing Corp. of Seattle.
The survey, "Basic Insecurity: How Many Businesses are Ignoring Common Sense Security Advice," asked IT managers how often they adhere to the NIPC tips that best apply to businesses and organizations, including practices for passwords, data backup and antivirus software.
The results showed that only 4% of enterprises adopted all seven NIPC suggestions included in the study, and only 50% adopted three or more.
For example, NIPC recommends organizations use passwords that are difficult or impossible to guess, and that different passwords be required for each machine.
Of those asked, 63% said they usually or always require the use of difficult passwords that are just eight characters long and contain numbers or special characters as well as letters.
Only 35 % said they usually or always require different passwords on all accounts, and just 23% always or usually use automated provisioning software that requires that passwords be used.
NIPC also recommends users "make regular backups of critical data at least once each day" and that larger organizations back up systems weekly, with incremental backups every day. "At least once a month the backup media should be verified," the center advises.
Asked about that, 69% said they verify the integrity of back-up data at least monthly.
Kerstetter doesn't believe most businesses are discounting the government's advice. It's just that many of them can't adopt every measure when they factor in staffing, money and the technology they have to work with.
"I don't feel these businesses are out of line," he said. "I think that these days there's still a sense among IT people that they're not always able to do everything that must be done. And there's a lot of dependence and faith in organizations that deal with virus and worm situations that they've taken adequate steps to secure their systems."
He advises IT managers to constantly review where their systems are most vulnerable.
"You must prioritize," Kerstetter said. "There are things you can address and problems you will run into. The key is to have a constant evaluation of where the dangers are financially and technologically and to take the best steps possible."
Some of the results show businesses are doing that.
Almost all of those surveyed said their servers and workstations have functioning antivirus software, and 90% said they update virus signatures at least daily or when available.