Defaults. Every piece of hardware ships with a default username and password. Some have default network names, security keys, or SSIDs. There are lists of these defaults on the Internet, and every hacker has a copy of the list. Take the time to change the defaults unless you want to host a bunch of tenth-grade hackers on your corporate server.

Training. No one really likes training, whether they're giving or taking the class. But that doesn't mean training isn't critical. I can't count the number of times I've heard a user say, "I didn't know we weren't supposed to do that!" after allowing criminals to run amok in the enterprise network. Make the time to train every user, and build additional training and refresher courses into the employee system.

Bad Passwords. No, Sparky, spelling your username backwards as a password isn't brilliant. It is marginally better than simply repeating your username as the password, but the margin isn't huge. It doesn't take long to create a system of passwords that you can remember, that are long enough to be difficult to brute-force, and that don't involve your name or your birthday. Figure it out.

The magic bullet. "We've installed the DunderWall V19.6, and it makes every device impervious to every attack." If your system is still usable, it's vulnerable. I'm a big believer in the Swiss cheese model of security -- you know, the one where you acknowledge that there are likely to be holes, you've just made the block thick enough so that none of them go all the way through. I've yet to find that magic bullet, and your company is still looking, too.

Our programmers are brilliant. They may be, but experience says if they've built a Web-facing application, they've created some vulnerabilities. Depending on their level of sloth, they may leave small, subtle holes or large, gaping holes, but you should count on security issues. This isn't to denigrate the programmers -- they were hired for their strengths in programming, not security. Build additional layers of security around their work, and everyone will sleep better.

We remember. You've gotten the old-time password religion and decided that everyone needs a 16-digit strong password with no string that can be found in a three-character dictionary lookup, at least four punctuation marks, and an even distribution of characters and numbers. The password must be changed every 30 days, and no one, under pain of dismissal, can write it down. Oh, yes, you don't believe single sign-on is secure, so every application and network segment has its own password, and they must all conform to the corporate standard. Get real. You've just made things so ridiculous that you practically require your employees to break the rules. Good multi-factor authentication, yes; ludicrous memorization requirements, no.

Free hotspots. Who doesn't love a good, free wireless hotspot? Most corporate security folks could do without them, especially when they're near a bogus hotspot set up by an enterprising hacker. If you haven't taken the time to train your users in the difference between "ad hoc" and "infrastructure" connections, you'll hate free hotspots a lot more.

Free software. Software, photos, gadgets. Geegaws. Bright shiny strings. Convincing users that they aren't helping when they bring in the latest freeware can be a full-time job. Train your users that they shouldn't bring random freeware crap to the table, and keep the ports closed.