What are the biggest security 'holes' that companies often leave open?

What is the biggest data security risk that companies often fail to address?

1
Richard Stiennon
Chief Research Analyst, IT-Harvest
Posted on Jan. 18, 2011

Along the lines of the other great answers: Customers. Many companies assume a trust relationship with their customers because they have their information. They would not dare betray that trust! So while firewalls, SSL, and access controls are in place to keep the random thief out, all an attacker has to do to get access is sign up as a customer. They provide a credit card (often stolen) and they are in. Lexis Nexis had this issue several years ago. A customer paid $250 for monthly access and then ran 70,000 scripted queries against their database in an attempt to steal everything they had.

BNSF railroads used to allow customers to log in to a special service to order the movement of rail cars. Usernames were an up-to-five-letter representation of the company name, and passwords were the same thing! Guess what Sony's username/password was?

Beware your customers!
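An added example, not from the thread, of the defender-side check the scripted-customer story above calls for: a sliding-window count of queries per paying account over constructed access-log lines, flagging accounts whose pace looks automated rather than human (the log format, account names and thresholds are assumptions).

```python
"""Flag customer accounts whose query volume looks scripted, not human.

Constructed example: the log format "timestamp account query_id", the
account names and the thresholds are all assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed data: one human-paced analyst, one scripted bulk puller."""
    base = datetime(2011, 1, 18, 9, 0, 0)
    lines = []
    for i, minutes in enumerate((0, 3, 15, 42, 58)):  # a few queries an hour
        lines.append(f"{(base + timedelta(minutes=minutes)).isoformat()} acme-research q{i}")
    for i in range(200):  # one query per second, no pauses
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} bulk-puller q{i}")
    return lines


def parse_log(lines):
    """Yield (account, timestamp) pairs from the constructed log format."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, account, _query_id = line.split()
        yield account, datetime.fromisoformat(ts)


def scripted_accounts(events, window=timedelta(minutes=5), max_per_window=30):
    """Return {account: peak_count} for every account that issued more than
    max_per_window queries inside any sliding window of length `window`."""
    by_account = defaultdict(list)
    for account, ts in events:
        by_account[account].append(ts)
    flagged = {}
    for account, stamps in by_account.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits within `window`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_per_window:
            flagged[account] = peak
    return flagged


if __name__ == "__main__":
    print(scripted_accounts(parse_log(build_sample_log())))
```

A flagged account is a signal to throttle or review, not proof of abuse; the thresholds should be tuned to what a real analyst's session looks like on the service in question.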

1
Amy Babinchak
Managing Partner, Third Tier & Harbor Computer Services
Posted on Jan. 18, 2011

There are great answers posted here so far. The number one security hole is definitely people. Our clients that are doing the best job at managing people for security are using software that monitors and reports back to the users themselves. We have found it most effective to provide this tool to users to help them manage their own security and productivity. Of course management has access to the data as well, but our method allows users to improve their own records. Staff security is both an IT and Human Resource issue after all.

There are a couple of other often overlooked items:

Mobile data - those laptops, netbooks, etc. should be encrypted. The technology is available and either built-in or inexpensive. There's no reason a business should leave their data vulnerable to theft out of the office.

Desktop PCs - An alarming number of businesses, even those managed by professional IT staff, are not updating their computers with the latest security patches, service packs, etc. Every software manufacturer releases updates on a regular basis and hackers learn from those updates what to attack and how to do it. If you don't apply the patch you are leaving yourself vulnerable. Adobe and Java are the two most overlooked applications that are causing most malware infections today.

0
Steve Heusser
Operations Manager, SolutionPro Inc
Posted on Jan. 14, 2011

Alex,

From my experience the biggest security risks that are often overlooked are those that deal with PCs, company personnel use policies, and physical access. A high level of trust is put into employees as well as whatever AV product is put on the machines. End users are allowed admin or super user control of their machines in many cases. It is a sure thing that you will find someone in this group who has installed software that makes their PC vulnerable. The policies of how the end users access the network and the policies around passwords are a huge glaring hole. You can find passwords written down, find unlocked PCs, or just hear people telling their passwords to co-workers. Physical access is often overlooked, such as placing a PC on the corporate network in a public place. Given a small amount of time someone could easily use this to exploit data.

0
Alan Dash
Technology Designer/Consultant, Syska Hennessy Group
Posted on Jan. 14, 2011

Great points Steve... and wireless networks too. I can't count the number of buildings I've been in where they have the AP hidden above the ceiling and I see the antenna (if it's a pad) or the tile marked with all the info I need to get into the device and into the network. Please folks, mark your APs not with the names that help me, but mark them as the location that they are in. None of this 192.168.5.4 stuff, but how about 'AP NE Corner 2nd Floor'.

Also... change the passwords more often on the network gear. All too often an employee quits or is otherwise given the opportunity to find a new position and none of the passwords are changed. Internal hits outnumber external hits day in and day out.

0
Simon Kissler
Chief Technology Officer, IHETS
Posted on Jan. 16, 2011

In my experience the top security hole is and continues to be people. Social engineering somebody in the company to give out sensitive information needed to gain access to resources and/or construct a profile that eventually gains access to information is to this day still the easiest way to penetrate any security infrastructure when performing audits. Many professions are trained to be helpful above all and often don't understand that seemingly simple information when combined with other information available through searches, company website, or other public records can quickly yield a very usable profile. The moment I have actual valid access information, all bets are off on any security infrastructure, best practice, etc.

0
Glen Marshall
Principal, Grok-A-Lot, LLC
Posted on Jan. 22, 2011

The single biggest type of security hole is your own employees. Unverified trust in one's employees is the largest source of confidentiality breaches. And they are the easiest to compromise. You can't get a piece of technology drunk, blackmail it, or use social engineering ruses on it to gain access.

0
Daniele Cardesi
Sales Director, Sysnet IT Solutions
Posted on Jan. 25, 2011

It probably isn't the biggest, but it is for sure the most disowned and underrated: telephony security.
Many companies are moving from legacy to IP telephony without taking into consideration:
- toll fraud on VoIP systems
- how simple it is to record and listen to VoIP calls with freeware sniffer applications
- the increase in low-cost GSM tapping tools
- the hacking of telephony systems to compromise their stability
- fixed and mobile convergence, unified communications and their security problems

Typically we receive many customer requests when the problem has just occurred, but an IT manager can understand the problem in order to prevent it. For that reason the market is moving to VoIP encryption, with mobile and fixed convergence, and specific VoIP firewalling solutions.
