As Microsoft picks up the pieces, security experts are queuing up
to tell us: no one is safe. Now might be a good time to convey that
message to your skinflint financial director - or, if you work for
a dotcom, your hapless chief exec.
The Microsoft hack shows that the costs in business confidence
of a security breach can be incalculable.
There is one concrete lesson to be learned, however. If, as
reported, the hack was perpetrated using the QAZ trojan, which
found the passwords and mailed them back to St Petersburg, this was
a preventable crime.
QAZ was discovered in June, and the anti-virus industry issued
protection software as early as August. Security experts are
speculating that, given the number of hacking attempts Microsoft
suffers each week, the attackers deliberately chose a low-level
attack: something that would be lost amid the "noise" of similar
attempts and would not ring alarm bells.
Security specialists are constantly telling us that information
security is primarily a question of human systems - not hardware
and software.
You can program and build systems to resist most attacks, but no
system alone can combat what the Russians call "maskirovka" - the
devastating blow hidden behind a calculated facade of
mundanity.
So read our lips: you need a security policy and the human
expertise to back it up.