How Much for a BlackBerry?

The Hole: This tale has been told so often that it is teetering on the brink of urban legend status: Back in 2003, a former Morgan Stanley executive, apparently with no more use for his BlackBerry, sold the device on eBay for a whopping $US15.50.

The Problem : The surprised buyer soon found out that the BlackBerry still contained hundreds of confidential Morgan Stanley e-mails, according to a Forrester report.

The Solution: First, users with handhelds, laptops and other devices need to be made to understand what's really at stake. "It's not the laptops that are the issue; it's what's on them," says Forrester's Friedlander. Second, CIOs need to institute a repeatable and enforceable policy for device and access management - even for high-powered executives. When someone leaves the company, he should have to turn in all of his corporate-issued devices, and IS should lock him out of all applications to which he had access. "If you have 1000 users, there should be 1000 accounts," says the CISO of a large financial services company. "So why are there 1400? Because people who have left still have authority to log in." According to the Forrester report, Morgan Stanley did have a policy that stated that mobile devices should be returned to IS for "data cleansing", but this exec must have slipped through the front door.

Another huge problem is those long-time employees who move around the company and retain access to data associated with their previous jobs even though it's unrelated to their new position, says Jeffrey Margolies, lead for Accenture's security services and identity management practice. "They accumulate access over time, and they are an audit nightmare."

A solution is to set up one place (whether it's a Web site or paper form) where employees can request access to applications, Margolies says. CIOs need a policy that states who has access to what systems and why, with IT, HR and security getting to make the decisions. "Over the last 10 years, we have built hundreds of applications, and every single application has its own way of [determining] access and managing that access," he says. "But just [giving people] one place to go and [saying] just fill out this form - even if it's paper - the level of confusion is reduced."

IM Not OK

The Hole: One of your top sales guys is a huge believer in instant messaging. In fact, he's been using a consumer-grade IM client to communicate with his customers for years. And this hypothetical salesman's IM name fits his personality perfectly: Top Dog.

The Problem: There are three, says Osterman of Osterman Research. First, security: A consumer-grade IM client used on a corporate system will bypass all antivirus and spam software. Second, compliance: Consumer-grade IM clients don't have auditing and logging capabilities for regulatory compliance. And third, name-space control: If Top Dog takes a job at your competitor, rest assured he's taking his IM name - and your key customers - with him. "There's no clue to the outside world that he left," Osterman says.

The Solution: The first step is for CIOs to admit to themselves that consumer-grade IM could be running rampant in their organizations. Osterman estimates that 30 percent of all e-mail users are instant messaging these days. Like e-mail, CIOs need to develop an acceptable-use policy and make sure everyone understands it. Then CIOs have two options: Allow consumer-grade IM to remain in place and deploy a system that will provide any number of security functions, such as blocking file transfers or mapping IM screen names to corporate identities, says Osterman. Alternatively, CIOs can replace consumer-grade IM tools with an enterprise-grade system. "This can be a more expensive and disruptive option, but it's one that many organizations are choosing," Osterman says.

Unwired and Unsafe Workers

The Hole: The CISO of the financial services company shares this nightmare: An executive decides she wants to put a wireless access point in her house so she can work at home from anywhere in her house. Her son gets her up and running. She wirelessly logs into the network, and she uses the default password for the connection that came straight out of the box.

The Problem: "Go to every single hacker site, and you can find every default password and user ID [for wireless routers]," says the CISO. "Home PCs are one of the greatest vulnerabilities." And once this executive authenticates, others can see how she did it, "then people are in", the CISO says.

The Solution: Back to the basics with this one. CIOs need to make sure all employees who work from home know that they have to change all the default settings, and they can't forget about firewall, VPN, antivirus patching and authentication tools. That all takes an omnipresent security education program, but to this CISO, it's the cost of doing business today. "The struggle with security education is getting it so it becomes like breathing," the CISO says. "Users have to become smarter about how they do things."

40 Million "Served"

The Hole: In June, MasterCard announced that CardSystems Solutions, a third-party processor of credit card transactions for MasterCard, Visa, American Express and Discover, allowed an unauthorized individual to infiltrate its network and access cardholder data.

The Problem: Up to 40 million cardholders' information could have been exposed. It turns out CardSystems had violated its agreement with the credit card companies: It was not allowed to store cardholders' account information on its systems, and yet it did just that.

The Solution: If a company has an agreement not to store another company's data on its systems, it shouldn't. And if for some strange reason it becomes necessary, the company had better ensure that it has the necessary controls. "All of those cases of breaches speak to the need for a good, old-fashioned defence, in-depth, with multiple layers of control," says PwC's Lobel. For example, he says, instead of just having a firewall, companies should have multiple layers of controls on their network. Or rather than just using SSL, companies need to use authentication too. "You get into the security versus ease-of-use trade-off and cost," he says. "That's the decision that businesses have to make with their eyes wide open."

In the end, how a company views security and protects its customers' and employees' data will have a direct correlation to its longevity. In the case of CardSystems, in July both Visa and American Express said they no longer wanted to do business with the company.