I think the most significant part of this year's Information Security Breaches Survey is the assertion that 15% of large organisations report having found intruders in their information systems. That's 15% of organisations who have the time and resources to know about it. Ignorance was never bliss, because as soon as the criminals get in (let's not give them the glamour of calling them hackers) your information system becomes part of something that you've even less control over. So the world is becoming even more connected and you've suddenly increased your user base: one intrusion and you've added who knows whom to your professional network.
I remember working with a small penetration testing business that saw its web site as almost fair game and not worth the effort to constantly fight the attacks. Given the perceived failure their customers will interpret an intrusion as, I wonder if they've re-evaluated that policy, especially given the likelihood of an intrusion leaving an unpleasant payload for the unsuspecting visitor. But at least they've got a policy to change: something to follow, something to believe in, rather than having to invent belief on the spot, having neither security nor assurance. A security policy doesn't have to be written down in detail of biblical proportions, but you do need to make a list. Word processors have long since taken away any excuse for not keeping them up to date.
OK. Yes, I know that time hasn't become any more abundant, but setting up the dynamic of listing your security dos and don'ts, referring back to them and keeping tabs on whether they're implemented is just the foundation for a bit of positive feedback. It gives you a starting point for improvement. Be cybernetically sound. Don't give up hope; learn from others before you have to learn from experience. Security is about faith: stay calm and carry on. That improvement you make today (not surfing where you shouldn't, diligently checking that you can restore from your backup) could be the one that saves you from a genuine loss of information. Don't let your collective risk attitude muddy a healthy risk appetite (or indeed mix metaphors). You're fighting on three fronts now: the criminals still trying to hack in, the criminals now wandering around your system with alacrity, and the insider threat, some of whom will be indistinguishable from criminals.