Cyber crooks raided networks, pillaged data, and wreaked havoc in 2011, thanks to our persistently shoddy IT security practices In the world of IT security, 2011 was a great year — for cyber criminals. One exception would be a certain Russian cyber crime ring pushing spam for meds. But outside of that global aberration, it’s been a good year for the villainy of the Internet, in part thanks to end-users and organizations who have once again failed to take basic steps to protect themselves from attacks.Few companies, if any, were patching in 2011, not even enough so to prevent the most common malware attacks. I’ve yet to visit a single company that has adequately patched Adobe Reader, Adobe Flash, or Java, all of show up on top 10 lists of the most exploited client-side software, month after month. Whenever people tell me they have high confidence in their great patching, I always check for those three products, and the customer is always — I repeat, always — unpatched. I’ve yet to find a client that had all their Internet-facing routers patched. Never. It’s been 20 years.[ Also on InfoWorld.com: Catch up on the major changes that took place in 2011 for cloud computing and the consumerization of IT. | Look ahead to the IT jobs landscape and developer trends for 2012. | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. ]Luckily for most cyber criminals, end-users still readily use the same password among most of their websites. Attackers were eagerly compromising the weakest websites to swipe credentials for breaking in to into the more secure, more popular websites. That phenomenon has driven some site operators to reset all user passwords. We’re all sharing the same pool apparently. Advanced persistent threats remained a huge problem in 2011. We had documented, coordinated, long-term, successful attacks against much of our critical infrastructure, including government and military targets, nuclear labs, the chemical sector, and energy and water utilities. (I apologize if I left your sector out.)I don’t know a single security expert with hands-on APT experience who doesn’t think that every large company in the world is already thoroughly hacked. That’s a startling statement, and the best you’ll get out of critics is that maybe not all are hacked, just most. I’m not sure I can celebrate that potential silver lining. In 2011, we started to see how incidences of hacks causing millions of dollars in reputational damage, such as the attacks on RSA and the Sony PlayStation Network. But it doesn’t even take that much damage to end your company completely. Multiple digital certification authorities are no more.Truly weaponized worms emerged in 2011. There is no better example than Stuxnet. Stuxnet was discovered in June 2010, but it wasn’t until 2011, after heavy analysis, that we all understood just what it could do and how well. It was likely the world’s first known cyber warfare malware program meant to take out a Cold War hard asset. Cyber Cold War anyone? Well, thugs were paying attention, and now we have Duqu, which is sort of an automated APT attack. How wonderful — now we get the benefits of both worlds.After nearly a decade of pundits declaring, “This year will be the year mobile malware takes off,” it finally happened in 2011. Android is powering great phones, and it’s even severely cut into Apple’s market share. Unfortunately, the malware crews have noticed and jumped at the chance to take advantage of Google’s more open ecosystem. Expect future mobile app stores to implement code checking before allowing apps to be published. Anything else would be uncivilized.Some people may point to lower spam rates and phishing levels as a security victory in 2011. Some of that has to do with the Russian botnet takedowns, most of it has to do with the fact that hackers are embracing more targeted, successful attacks. It’s not like most of the Internet’s email traffic still isn’t malicious — it is. “But we have DNSSEC now,” critics may say. Yeah, let me know when your company has it fully implemented.If there is anything to celebrate from 2011, it’s that the sorry state of IT insecurity has gotten so bad that we must be getting close to a fix. It’s like dealing with an addiction: The first step is admitting that we have a problem that will not go away without intervention. We even know how to fix everything. We just need to take that first step.This story, “Mobile security fails the history lesson,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’s Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter. Related content analysis The 5 types of cyber attack you're most likely to face Don't be distracted by the exploit of the week. Invest your time and money defending against the threats you're apt to confront By Roger Grimes Aug 21, 2017 7 mins Phishing Malware Social Engineering analysis 'Jump boxes' and SAWs improve security, if you set them up right Organizations consistently and reliably using one or both of these approaches have far less risk than those that do not. By Roger Grimes Jul 26, 2017 13 mins Authentication Access Control Data and Information Security analysis Attention, 'red team' hackers: Stay on target You hire elite hackers to break your defenses and expose vulnerabilities -- not to be distracted by the pursuit of obscure flaws By Roger Grimes Dec 08, 2015 4 mins Hacking Data and Information Security Network Security analysis 4 do's and don'ts for safer holiday computing It's the season for scams, hacks, and malware attacks. But contrary to what you've heard, you can avoid being a victim pretty easily By Roger Grimes Dec 01, 2015 4 mins Phishing Malware Patch Management Software Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe