Security Myths That Need To Be Put To Rest
As columnist Wayne Rash points out, conventional wisdom about security can be a useful guide--or a trap.
One of the nice things about security is that there’s a lot of information out there. In fact, just about everyone has a favorite theory, a pet practice, or even a set of guidelines that will tell you what to do to be safe.
Problem is, not all of those practices will really improve security in your enterprise, and some may even make things worse.
Still, the beliefs about security perpetuate themselves through companies and agencies. They’re viewed as gospel, and in many cases repeated from one expert to another. Most of the time those beliefs – good and bad – are never really put to the test. We just believe them because we’ve heard it all so often. In the process, these security beliefs have become myths.
So when Judy asked me to write about the top 10 security myths, the first thing I had to do was ask around to see what people believed.
There were some doozies out there, but the myths I’m listing here seem to be fairly common. No doubt you’ll have some of your own. You’re welcome to send them to me, email: firstname.lastname@example.org, and maybe we can have another list in a future column.
1. You don’t need personal firewalls if you have a firewall between your enterprise and the Internet.
This belief is quite common in corporate IT departments, but it’s not true. While you should have a firewall between your network and the outside world, it only protects against external threats. You also need a personal firewall to protect against internal threats, including disgruntled employees, people who bring in worms and viruses from home, and people who get caught in phishing attempts.
2. OK, but I still only need one big hardware firewall on my enterprise network, right?
Actually, no. You probably need several. For example, it’s unlikely that your VoIP traffic goes out through the main corporate connection to the Internet, but you need one there. In addition, you need a firewall between your enterprise users and portions of the network that contain sensitive data or that carry sensitive traffic. For example, your HR department and your finance department should have a firewall between their portions of the network and the rest of the enterprise to protect against curious employees or people who may gain access to your network from outside.
3. To be really secure, I need complex passwords that are changed very frequently.
There’s no doubt that a password that consists of sixteen random characters (for example: cX-1rT&d+n7S6tU!) will be hard to guess. But it will also be impossible to remember. This means that such a password will certainly be written down, either on a Post-it note stuck to the computer, or perhaps in a text file so it can be cut and pasted into the password window. As you can imagine, that is not a very secure strategy. A better approach is using something that’s easier to remember, but not obvious. This means that your mother’s middle name should be fine, but using “password” isn’t. For most companies, password guessing is less of a threat than people leaving their passwords lying around in the open.
4. Anti-virus software on each computer is enough, so I don’t also need spyware detection or AV protection on my e-mail server.
Anti-virus software on every client, provided it’s kept up to date religiously and provided that you make sure it stays installed, is a good start. But unless you’re certain that your AV protection will always catch every virus, even on its first day, it pays to have multiple layers of protection, and checking your incoming e-mail with a product such as GFI’s Mail Security is a good way to start. Likewise, AV software doesn’t always detect spyware. And of course, there’s all that spam, and AV software doesn’t protect against that at all.