7 security mistakes companies make
Computerworld
This year I presented a series of talks on common security mistakes at conferences around the country. During these sessions, I learned from many of you what security mistakes persist in small and large organizations. Here are seven of the most significant ones.
1. Failure to realize that perimeter security is dead
Once upon a time, a firewall was an effective perimeter defense. But times have changed, and many companies have punched holes in their firewalls for vendor access, extranets, virtual private networks and a litany of "one-offs" that leave their firewalls resembling Swiss cheese. Online threats have matured as well, arriving on ports that cannot easily be closed. VPNs, roaming laptops and wireless handheld devices also give threats new ways to do an end run around the firewall and into corporate networks.
Firewalls are still essential for defense, but most newer threats simply bypass them because easier, more lucrative entry points exist.
The "virtual perimeter" consists of your corporate firewall plus all of your business partners, vendors, remote users and wireless handheld devices. Every one of these is an entry point for communication -- and for threats.
2. Failure to protect laptop computers
Many organizations are stuck in a time warp in which antivirus software was enough to protect laptop computers.
Antispyware, of course, is essential. But other threats go unanswered, such as the loss of information when a laptop computer is lost or stolen. With hard drives from 40GB to 100GB available, a laptop can easily carry all of an organization's vital information, including customer data, strategic plans, product designs and specifications. Yet most organizations don't bother to encrypt this information, despite its strategic value.
Further, a corporate network extends beyond its four walls to every laptop connected to it via VPN, yet most companies don't run a firewall on the laptop to protect not only the laptop but also the entire corporate network from well-known threats.
3. Failure to institute effective change management
Complex information systems and networks have many stewards: network engineers, system administrators, database administrators, developers and operations engineers. Many organizations still permit some or all of these employees to make changes to production systems without justification, peer review, approval or record keeping.
For example, system administrators and network engineers -- even in critical infrastructure organizations -- make small changes here and there and tell no one. Rogue changes lead to system errors, unexpected downtime and security breaches -- whether noticed or not.
Change management is the full life-cycle process used to manage every change made to a production (and perhaps, development and test)