Tools: Tutorials - Baseline



Computer Security: The First Step



By Steven S. Ross


The easiest route hackers can take is through employees. The natural reaction of an information-technology department to easy-to-crack passwords and log-ons taped to monitors is to send threatening memos and force monthly password changes.

"There's no reason to change a password that hasn't been compromised," says Simson Garfinkel, founder of Sandstorm Enterprises, which specializes in software for fighting security threats. "The problem is, managers don't know if they have been compromised." He says companies should adopt the "cell phone" policy—kill access as soon as a loss is suspected. This means I.T. should keep track of simultaneous log-ons from different computers or access at uncharacteristic times. "There's no great commercial software to do that now," Garfinkel says, "but you can write something suitable for your situation, or check manually."

Morrow Long, director of Yale University's Information Security Office, says a good starting estimate for a centralized log-on is $1 per user per year. He recently went to a 5-minute account lockout after 10 tries. Windows XP has a lockout setting built in.
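
The log-on tracking described above (simultaneous log-ons from different computers, access at uncharacteristic times) can be sketched as follows. This is an added example, not code from the article or from anyone quoted in it; the log format, host names, and the fixed 07:00-19:00 working window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, time

# Constructed sample events, one per line: timestamp user host action
SAMPLE_LOG = """\
2024-03-04T08:55:00 alice ws-101 logon
2024-03-04T09:10:00 bob ws-202 logon
2024-03-04T11:30:00 alice ws-317 logon
2024-03-04T12:00:00 alice ws-317 logoff
2024-03-04T17:05:00 alice ws-101 logoff
2024-03-04T17:30:00 bob ws-202 logoff
2024-03-05T02:14:00 bob ws-202 logon
2024-03-05T02:40:00 bob ws-202 logoff
"""

# Assumed "characteristic" hours; a real deployment would tune this per user.
WORK_START, WORK_END = time(7, 0), time(19, 0)

def parse(log_text):
    """Yield (timestamp, user, host, action) tuples from the assumed format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, user, host, action = line.split()
            yield datetime.fromisoformat(ts), user, host, action

def find_suspect_logons(log_text):
    """Return alerts as (kind, user, timestamp, detail) tuples."""
    active = {}   # user -> set of hosts with an open session
    alerts = []
    for ts, user, host, action in sorted(parse(log_text)):
        hosts = active.setdefault(user, set())
        if action == "logon":
            others = sorted(hosts - {host})
            if others:  # same account already in use on another computer
                detail = f"{host} while active on {', '.join(others)}"
                alerts.append(("concurrent", user, ts, detail))
            if not (WORK_START <= ts.time() < WORK_END):
                alerts.append(("off_hours", user, ts, host))
            hosts.add(host)
        elif action == "logoff":
            hosts.discard(host)
    return alerts

if __name__ == "__main__":
    for kind, user, ts, detail in find_suspect_logons(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:<10} {user}: {detail}")
```

Each alert is a candidate for the "kill access as soon as a loss is suspected" decision; the script only flags accounts and leaves disabling them to the operator.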

Garfinkel suggests using a single sign-on system so users only have to remember one password. "It can be a weak password in conjunction with a smart card or a biometric" such as a thumbprint reader, he says.

All too often, security experts say, training is done badly. Employees are told what to do, with little or no time devoted to why specific security rules are in place. In the Baseline worksheet, we estimate the cost for training sessions with enough time to explain "why."



 
 
 

