Nearly two-thirds of information security managers in the United States report that their businesses have been targetted by advanced persistent threats -- and 72% expect to see such attacks persist in the future. Furthermore, 30% of security managers at large enterprises rate their business as being vulnerable to such attacks in the future, according to a US Enterprise Strategy Group. (10.11.2011) This came to light when Kevin Stepper, Managing Director of Lake Consult, delivered a paper on Network and Internet Security at the 7th Forum of the Ghanaian-German Economic Association’s forum this year, on the topic “Ensuring Quality Control Standards and Optimising Security at Homes and Workplaces”…. adding that these statistics can be applied globally, since the trend is similar elsewhere. Mr. Stepper noted that information security objectives are confidentiality in maintaining the privacy of data, integrity in detecting that the data is not tampered with, and authenticity in establishing proof of identity among others. He mentioned common security problems such as network eavesdropping, malicious data modification, address spoofing and ‘man in the middle’ (inception), denial of service attacks, and application-layer attacks. In most cases, 49% are inside employees on the internal network; 17% come from dial-up or mobile devices; and 34% are external or an external connection of some sort. Citing a survey on US small-businesses by Symantec and the National Cyber Security Alliance, Mr. Stepper said 80% are without a formal internal security policy; of that number, half are also without an informal policy. 45% do not provide Internet safety training to employees, and 48% without a plan or skills to react to a security breach. He said statistics indicate that 40% of all hackers target companies with less than 500 employees, and most handle confidential customer data, credit-card info etc. He said the average cost of a cyber-attack for a small business is US$188,000. He was therefore emphatic that hackers go after the little guys because they know security is lacking. His observations in Ghana are that there are no formal or informal policies, very poor password policies, no multilevel authentication, and unprotected WLANS and LANS. Others are that servers and PCs are widely open to the Internet; no security on mobile devices; no monitoring of Internet usage; and no restriction of Internet usage. He also stated the problems of employees unknowingly visiting malicious sites; employees involved in criminal activities; un-patched servers and devices; and free/outdated antivirus/antimalware software were also cited. Solutions advanced for mobile solutions are protecting access points; encrypting data-traffic and VLAN; and protecting data in case of device loss/theft. He also mentioned user-education and considering encrypting email, and employing a secure mail server.