"Not educating/training the end user in basic security measures is a problem," he says. "All the security and money spent is useless if the end user continues to click on e-mail links, tape the password to the computer and surf porn sights. The biggest bang for the security buck is user education."
4. Too much access for too many
Most respondents agreed a lack of access control is the sin that has sent many a company down the road to trouble.
"The biggest failure I've seen is the lack of management support for the necessary expenditures and for the ongoing need to have a clear, working policy on who has authority to do what, who's responsible for granting or denying access, who's responsible for vetting changes, and having it all done in such a manner as to not be too cumbersome on the operations of the company," says Toivo Voll, a network administrator for an educational institution in the southeast.
George Johnson, chief security officer at the National Center for Crisis and Continuity Coordination (NC4), says IT shops often assign everyone administrative access to reduce the workload tighter controls involve. This, he says, is a recipe for a massive compromise.
But the opposite practice of allowing only executives administrative access while locking everyone else out is fraught with danger as well.
"Hackers are targeting execs -- a tactic called 'whaling' -- so this is a huge risk," Johnson says. "It also severely damages the credibility of the security mission when it is obvious that the boss doesn't care about it. Culture springs from the top."
This summer's incident in San Francisco provides another illustration of the risks of putting too much control in one person's hands. A network administrator for the city was able to lock everyone else out of a critical system.
5. Lax patching procedures
A common security failure often stems from a company's inability to keep up with all the patches needed on the network's various devices. Proof of this problem was offered in a recent study from Verizon showing that 90 percent of successful exploits these days involve vulnerabilities for which a patch has been available for six months or longer.