Information security: debunking the myths.

• Author: Cieslak, David M.
• Position: 2003 Technology & Business Resource Guide

Technology has opened significant new opportunities to small and large businesses. The Internet has become an essential tool for research, communication, conducting commerce and more. Yet always on, high-speed connectivity to the Internet has also brought significant new threats to the security of information resources.

These threats are not new, but continue to increase in sophistication and in their ability to do serious damage. As a result, securing the confidentiality, integrity and availability of mission-critical data has never been more important.

While few individuals or businesses will deny the reality of a cyberattack, many have taken precious few steps to proactively defend their information. I find this puzzling. When it comes to physical security, no one would ever think about leaving without securing the building from unwanted intruders. Yet when it comes to information security, many leave the doors and windows wide open. Their information resources are vulnerable to all sorts of unwanted intruders, who are capable of wreaking havoc within their system. Only after being compromised are issues of information security considered seriously.

I believe this can be traced to five myths regarding information security. In debunking these myths, the true nature of the existing threat and the potential consequences for not adequately preparing become painfully obvious.

MYTH 1: HACKING IS COMPLEX

Hacking tools are readily available and becoming increasingly sophisticated. A simple search of "hacking" on Google, for example, provides a plethora of information, tools and tutorials for the would-be hacker.

And according to the Feb. 26, 2002 issue of PC Magazine, Symantec--the maker of Norton Internet Security 2002--estimates that more than 30,000 websites offered hacking tools and that anyone could learn to hack in 10 minutes.

Increasingly, the perpetrators of cyberattacks are not computer professionals. Fancy certifications aren't required. Junior high and high school kids (aka "script kiddies," "packet monkeys" and "cyberpunks") have enough tech knowledge to spend their free time spreading malicious software and scanning thousands of computers for vulnerable systems.

Once a vulnerable system is identified, the hacker can quickly begin to do serious damage.

MYTH 2: HACKERS ARE ONLY CONCERNED ABOUT HIGH PROFILE COMPANIES

While it's true that Fortune 500 companies such as Microsoft and Yahoo receive lots of attention when their systems are...