There is an interesting running discussion at reddit.com/netsec, started by Brian Krebs (whose site was #2 in Security News Analyzed).
The question was: ‘Why do you think organizations seem to prefer “learning these lessons the hard way”?’ Here is Brian’s answer:
“But in the end I think it comes down to a lack of leadership and imagination among senior leaders of an organization. Effective leaders at effective companies know the value of all their IT assets and all that those assets support, and recognize that an ounce of prevention is worth a pound of cure. The leaders who discount the value of investing in the people, processes and technology to help them gain the situational awareness required to prevent and/or manage cyber attacks soon find that the attackers have a much keener sense of the value of those things. You’ve heard the saying, “a fool and his money soon part ways”? The same is true of leaders who don’t invest adequately in protecting their networks, except what’s at stake is far more intangible and invaluable than money; it’s trade secrets, brand loyalty, market share, public perception, class action lawsuits, etc.”
Even if Brian is only 50-75% accurate, we are in deep trouble as a society.
The most interesting point to me was: “The leaders who discount the value of investing in people, processes, and technology to help them gain the situational awareness required to prevent and/or manage cyber attacks soon find that the attackers have a much keener sense of the value of those things.”
As usual, the culprit is a form of intellectual laziness: a combination of oblivious pride (“Who, us? Why would anyone attack us?”) and misplaced trust (“My IT staff say we are safe”).
What is a relatively easy way to MAKE SURE that the security controls you are paying for are actually in place and working?
Testing, of course…
And don’t forget the human angle (story at informationsecuritybuzz.com):
http://www.informationsecuritybuzz.com/prolific-cybercrime-gang-favours-legit-login-credentials/
Poor password discipline and other habits that leak information are easy pickings for an attacker. Once they hold a valid login, they do not need a complex attack at all; they simply log in like an employee, and a defense that only watches for failed logins or exploit traffic never sees them.
And the answer is?
Yes, the simple answer is internal and external audits of the IT function, including a regular review of who is logging in, from where, and after how many failed attempts.
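As an added example (not code from the original post or from the linked story), here is the kind of check an internal audit of login activity could run over authentication logs to catch the “legit credentials” problem described above, where every event in question is a successful login. The log format, the sample lines, the assumed internal address range (10.0.0.0/8) and the thresholds (30-minute window, five failures in five minutes) are all constructed for illustration and would need to match your own systems.

```python
"""Audit successful logins for two signs that valid credentials are being abused.

Added example, not part of the original article. The log format below is an
assumption; adapt the regular expression to whatever your authentication
system actually writes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> user=<name> src=<ip> result=<success|failure>"
SAMPLE_LOG = """\
2015-06-01T08:02:11 user=alice src=10.0.0.5 result=success
2015-06-01T08:03:40 user=bob src=10.0.0.7 result=success
2015-06-01T08:10:02 user=alice src=203.0.113.9 result=success
2015-06-01T08:12:30 user=carol src=198.51.100.4 result=failure
2015-06-01T08:12:31 user=carol src=198.51.100.4 result=failure
2015-06-01T08:12:32 user=carol src=198.51.100.4 result=failure
2015-06-01T08:12:33 user=carol src=198.51.100.4 result=failure
2015-06-01T08:12:34 user=carol src=198.51.100.4 result=failure
2015-06-01T08:12:36 user=carol src=198.51.100.4 result=success
2015-06-01T09:00:00 user=bob src=10.0.0.7 result=success
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(success|failure)$")

# Assumed internal address space; anything else is treated as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "ok": result == "success"})
    return events


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_internal_then_external(events, window=timedelta(minutes=30)):
    """Accounts with a successful login from inside the network and, within the
    window, another success from outside it. Both logins used a valid password,
    so a failed-login alert would never fire. Returns {user: (src_a, src_b)}."""
    by_user = defaultdict(list)
    for e in events:
        if e["ok"]:
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            if user in flagged:
                break
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break
                if is_internal(a["src"]) != is_internal(b["src"]):
                    flagged[user] = (a["src"], b["src"])
                    break
    return flagged


def flag_success_after_failures(events, min_failures=5, window=timedelta(minutes=5)):
    """A success preceded by min_failures failures on the same account inside
    the window: the pattern of a guessed or sprayed password that finally
    worked. Returns {user: (failure_count, src)} for the first such success."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if not e["ok"]:
                continue
            recent = [f for f in evs[:i] if not f["ok"] and e["ts"] - f["ts"] <= window]
            if len(recent) >= min_failures:
                flagged[user] = (len(recent), e["src"])
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("internal then external:", flag_internal_then_external(evs))
    print("success after failures:", flag_success_after_failures(evs))
```

On the constructed sample, alice is flagged for logging in from 10.0.0.5 and then from 203.0.113.9 eight minutes later, and carol is flagged for a success right after five failures; bob, who only ever logs in from one internal address, is not flagged. The point of the audit is that both flagged events are successful logins, which is exactly what an attacker holding stolen credentials produces.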
http://oversitesentry.com/contact-us/