Lack of Awareness
In their day-to-day routine, regular users aren't really aware of the implications of computer security until something actually goes wrong. To be more specific, you can't grasp the magnitude or the impact of cybercrime before having your e-mail account hacked or your on-line banking session intercepted and your accounts emptied. It's pretty much the same as with car accidents: you hear people talking about them, you see them on TV and read about them in newspapers, but until you are actually involved in one (God forbid!), you don't know what they're all about.
Attacks that aim to exploit security breaches are more likely to target public or private organizations rather than individual users (the stakes are higher with the former). Since businesses usually operate networks rather than standalone workstations, the likelihood of their being entirely compromised grows with several factors, the most important being: the number of users, the users' degree of computer security literacy, the nature of the defense policies in effect, the architecture of the security strategy at work and, last but not least, the type of organization and its activities. Just open the technology section of any newspaper or search the Internet and you will get a pretty clear picture about…
Misunderstanding Computer Security
Once awareness of today's security risks is raised, the appropriate strategy that matches the specific security needs of the business should be applied next. Technically speaking, there are three major rules of thumb which could offer a good starting point for any company (and individual, for that matter) in tailoring its data security choices. Disregarding any of them means creating the opportunity for a potential breach.
First off, any protection is better than no protection at all. When dealing with e-threats, having no defensive solution installed on a system is like leaving all doors and windows wide open while you are on vacation.
Second, protection should be chosen based on actual security needs: although home and corporate users struggle with the same e-threats, they may have slightly different expectations in this respect.
Third, there is no such thing as "enough" security. This implies that security is a continuous process, rather than the simple installation of an antivirus on a computer. It is the permanent application of on-line safety principles as well as the capacity to anticipate and respond to newly emerging e-threats. At least from this point of view, security is a mid- to long-term investment and it does not end with the deployment of a single defensive solution.
Neglecting the Human Factor
Probably the most important reason of all is the human factor. The reduced level of awareness, the lack of IT&C security education and the absence of security policy enforcement, especially in the public sector and in large corporations, are responsible for most of the damage, both in terms of compromised systems and networks and when it comes to disclosure of sensitive data, information theft and even malware dissemination.