????如果一支有電腦行家組建的精銳部隊想要黑進你公司的網絡，他們很可能會得手。不過，如果就連一個閑得無聊的菜鳥黑客也能攻陷你的系統的話，這就有問題了。而且這個問題的根源并不在于公司的技術薄弱，而在于公司的管理。

????以今年四月份開始索尼公司遭受的一系列黑客入侵為例，標槍戰略研究公司（Javelin Strategy & Research）的高級安全性分析師菲爾?布蘭克指出，索尼遭受的一系列黑客入侵是由一個叫LulzSec的組織發起的，這個組織帶有一些惡作劇性質，他們使用的黑客手法極為簡單，連高中生都能掌握。

????黑客襲擊事件之后，索尼對負責網絡安全的管理人員進行了換血。今年五月，索尼公司任命原索尼全球解決方案（Sony Global Solutions）總裁酒井文明為公司的代理首席信息安全官——這是索尼被“黑”后新增設的一個職位。

????布蘭克表示，許多公司都已經設立了專門負責信息安全的高級職位，這標志著他們邁出了重要的第一步。雖說這些負責信息安全的管理人員可能無法阻止技術含量極高的黑客攻擊，但起碼他們可以避免公司出現低級的安全漏洞。美國電信運營商AT&T的首席信息安全官愛德華?阿莫魯索表示，信息安全人員重要的工作，可能就是要把信息安全部門和公司的其他部門整合到一起，而這并不是一個簡單的任務。

????像IT員工一樣，信息安全人員也是動輒滿口術語和行話，不僅其他部門的員工聽不懂，許多高管也摸不著頭腦。

????不過可能是出于情勢所迫，現在高管們對信息安全的術語也是越來越門兒清了。阿莫魯索說道：“過去6個月里發生了一些網絡攻擊事件，它們甚至動搖了某些企業的根本。網絡安全性問題無疑已經成了一個上升到董事會層面的重大問題。”

????任命了負責信息安全的高管后，下一步則是要從每個項目的一開始，就讓信息安全團隊參與其中。這一點非常重要，尤其是在公司各個互不相干的分支機構開發新技術的時候。阿莫魯索表示，信息安全專家常常會在公司的某一個項目里發現漏洞，而他們之前甚至根本不知道這個項目的存在。

????不僅公司的管理層要將信息安全視為頭等要務，信息安全人員本身也要向管理層做出一些妥協，要盡量使自己傳遞的信息變得更加有趣易懂。阿莫魯索表示：“我們都從IT主管那里收到過長達三頁、措辭嚴肅的備忘錄。看完開頭兩句話，你就不知道它下面說的是什么了。這樣是沒法讓人認清問題的。”

????如果執行得力的話，員工的信息安全意識會有助于企業防范一些基本的網絡攻擊。員工往往會犯一些低級的錯誤，比如點擊了一個外部附件，或是點擊了一個陌生的網址，這樣一來，黑客就有了接觸公司信息的機會。

????這些小錯也能釀成大禍。一旦黑客侵入系統，他們就可以對系統內某些看似不相關的信息進行編譯，比如賬戶、生日和電子郵件地址等，然后對它們進行交叉鏈接，從而發動另一輪相當復雜的攻擊。布蘭克表示：“過去人們可以決定哪些信息是值得保護的，哪些是不值得保護的，但是現在這種日子已經一去不復返了。”現在任何信息都需要保護。

????布蘭克還表示，管理人員可以雇傭一些善意的黑客——也就是所謂的“白客”來指點迷津，以避免系統受到某些并非很復雜的攻擊。這樣可以使技術人員知道哪些地方有可能出現問題，以免某些惡意的黑客趁虛而入。

????當然，沒有什么辦法能保證所有信息都絕對安全。但企業只需采取簡單的措施，就可以避免遭受低水平的攻擊。隨著基于網絡的應用程序以及移動設備在企業中的應用越來越廣，信息安全也必將成為管理層經常討論的問題。

????譯者：樸成奎

????If a team of mastermind computer experts wants to hack your company's network, it probably will. But if any rookie hacker with some time to kill can crack your system, that's a problem. And the problem doesn't start with poor technology; it starts with management.

????Take, for example, the series of hacks on Sony (SNE) that began in April: they were launched by a prank hacker group called LulzSec, which used a method so simple that a high school kid could master it, says Phil Blank, senior security analyst at Javelin Strategy & Research.

????In response to the attack, Sony revamped its security management. In May, the company appointed Sony Global Solutions president Fumiaki Sakai as acting chief information security officer -- a position the company didn't have before.

????In fact, many companies have created top-level positions for security information officers, and that's an important first step, Blank says. While security officers may not be able to prevent highly sophisticated attacks, they can help protect companies from simple security breaches. Perhaps their most important job, according to Edward Amoroso, AT&T's (T) chief information security officer, is to integrate the security department with the rest of the company, which is no simple task.

????Like IT employees, information security types tend to speak in a somewhat geekier dialect than the rest of a company's rank-and-file, one that can be hard for many executives to understand.

????But, perhaps out of necessity, executives are becoming better versed in security lingo, Amoroso says: "We've seen some attacks in the last six months that have shaken the very foundation of some of the firms involved. There's no question that computer network security is becoming a board-level issue."

????After putting someone in charge of the security effort, the next step is to include the security team in projects from the get-go. This is important, Amoroso says, especially as disparate branches of companies explore new technology. Often, he says, security experts will discover a breach in a project they didn't even know existed.

????While a company's brass must make information security a priority, security personnel also need to meet management half way by making their messages interesting and accessible, Amoroso says. "We've all gotten those serious, three-page memos from some IT administrator, but by the third sentence, you don't know what they're talking about. That's not the way to do awareness."

????If done effectively, employee awareness can help prevent basic attacks. Employees often make simple mistakes like clicking on a foreign attachment or a link with a strange URL, which allows hackers to access a company's information.

????These small mess-ups can cause a disproportionate amount of damage. Once inside the system, hackers can compile seemingly discrete pieces of information -- account numbers, birthdays, email addresses -- and cross-link them to launch fairly complicated attacks, says Blank: "The days are now gone when people could decide what information is worthy of protection and what is not." Instead, you have to protect it all.

????Blank says that managers can help prevent less sophisticated attacks by hiring benevolent, or "white hat," hackers to try to crack the system. This gives the tech staff a heads up to potential problems before they're rooted out by less benevolent hackers.

????There's no way to secure everything, of course, but companies can prevent low-level hacks by taking a few simple steps. And with web-based applications and mobile devices practically de rigeur in the corporate world, security discussions will need to become even more common among the executive set.