This is an excellent article discussing the need to constantly be vigilant of the latest techniques and security vulnerabilities.

http://zdnet.com.com/2100%2D1107_2%2D5237315.html
COMMENTARY--When it comes to beating back hackers, too many companies are still asleep at the wheel. Set up to guard against old-style black hats, their defenses have ignored a newer class of sophisticated attackers who take advantage of Internet back alleys and technology loopholes to penetrate corporate networks.
Old-style hacking attacks were direct brute-force affairs: I found some information about your network. Then I went poking around and effectively jiggled the doorknobs of various systems to find an entry point and something worth stealing. All the while, I would make a lot of noise and leave a bunch of fingerprints. So if you were entirely oblivious, I'd be home free.
Modern hacks aren't quite so obvious. Remember the old "Three Stooges" skits when the boys would knock out some guards, dress up in their uniforms and then skip freely past a watchman? That's kind of how it works. Hackers look for a place with a lot of traffic; a university or an Internet service provider network with many unaffiliated users is perfect. The hacker compromises every system in this high-traffic network by attacking well-known vulnerabilities. This brings in the booty: PCs with virtual private network (VPN) connections to corporate networks. Don't look now, but Larry, Curly and Moe have taken out your security staff and are about to come through the door!
The danger here is the false sense of security. Unfortunately, there is no 80-20 rule when it comes to security. In other words, if you don't have the skills, processes and technology to defend your network against all types of attacks, you are far more vulnerable than you believe. A rogue employee, determined hacker or misconfigured device could end up costing the company millions of dollars in intellectual-property theft, public relations damage, litigation and regulatory fines.
What can be done? The executives have to comprehend and buy into information security. Understanding is key. The CEO can approve the budget for some new security widget, but if she doesn't get what she's paying for, she'll eventually cut off the money supply. Security managers should also conduct a risk assessment and security audit to understand what to protect and how to protect it. There must be a contingency plan for every possible situation.