Don't neglect desktop when it comes to security
Computerworld -
Microsoft finally allows some user control of cookies with Internet Explorer. Napster appears on tens of millions of PCs, and security experts wonder if hackers could use it to invade a system. Advocacy groups express alarm at the amount of user profiling on many corporate sites.
Issues for consumers? Of course, but don't shrug them off. Client security has become the most neglected and vulnerable link in the corporate IT infrastructure.
Sometimes the problem is blatant, like unsecured dial-in lines connected directly to a PC. According to George Kurtz, one of the authors of Hacking Exposed (Osborne/McGraw Hill; 1999) and CEO of Foundstone Inc., a security consulting company, it's possible to break into a corporate network through dial-up connections more than 90% of the time. That risk extends to the home, where PCs - especially with always-on, high-speed Internet connections - get probed 10 to 20 times a day.
Since most home PCs aren't configured to detect and repel such advances, the chances are significant that the more criminally minded could take over such machines. Add a VPN connection into a company's network, and the entire business - potentially - is laid open. Software such as Napster or Gnutella actually invites outsiders onto a hard drive to swap MP3 files. Can a user get anything more than music? There have been no reports of a security failure in such applications, but who would have thought a flaw in Microsoft Outlook (now corrected) would allow hackers to have it run software, like a virus, for them? Betting on the invulnerability of code is like using the lottery as a sole form of retirement planning. Think Napster is missing from your clients? Kurtz tells of finding the program on the production server of a major e-commerce company.
And it gets worse. Imagine that someone could look over the shoulders of developers, engineers, marketing people and business planners to track the Web sites they opened. Those performing product or market research on the Web could leave a visible trail. Such information would be a gold mine to competitors. Even cookies could provide much of this information, let alone surreptitiously placed sniffer programs, and we haven't even started talking about breaking into e-mail. Whether the competitor does the actual snooping or simply buys the information from a third party is immaterial.
Security spending and awareness are typically directed toward servers. It's time to remember that the biggest breach happens at the weakest link in the chain: the desktop. Corporations should treat client machines seriously by thoroughly examining security and updating end-user policies. Insist that Internet software vendors provide strong privacy control. Sure, adding such abilities means that gathering information on your customers would be harder, and that would make the marketing department unhappy, but is selling an extra widget to John Smith really worth leaving the company's back door unlocked?
ERIK SHERMAN is a writer in Marshfield, Mass., who regularly covers technology and business issues. Contact him at esherman@reporters.net.