Software suppliers must take much of the responsibility. Microsoft and others are getting to grips with securing operating systems, but there is still a long way to go. Many application developers have yet to secure their products adequately. Increasingly, software applications could become the weak link in corporate security.
But corporate IT departments also have something to answer for. Industry estimates suggest that the most secure organisations have only patched between 30% and 70% of the most critical vulnerabilities. That leaves a large number of corporate systems as sitting targets for hackers and organised criminal groups.
Managing vulnerabilities effectively is not difficult, but it does take organisation. ICI, featured in Computer Weekly this week, is one example of a company that has grasped the nettle. By the end of the year it will have the ability to scan 35,000 devices across sites in 35 countries for security vulnerabilities. ICI will be able to ratchet up its security over time, prioritising problems according to their potential impact, and eliminating them.
Unfortunately, with the problems showing few signs of abating, ICI's approach must become a benchmark for all corporations. The growing threat from organised crime groups has been highlighted dramatically over the past three months, with high-profile hacking cases in the US and the UK. More than one company has suffered severe damage to its reputation and its bottom line after hacking groups copied thousands of customer credit card details from its systems.
In five years, the world will be as astonished at companies that do not run vulnerability scanning as it is now incredulous at companies that do not have anti-virus software. By then, the battle will have moved on. The next front, the SANS Institute predicts, will be vulnerabilities in printers, photocopiers and other hardware devices that could provide entry points for hackers into the corporate network.
Fixing these hardware-based problems could prove a lot more tricky than the current generation of software-based threats.