IT Security Audits : Better Safe Than Sorry

A fascinating part of performing IT Security Audits at a customer's site is 'the human factor'.
You might have installed the most advanced firewall on earth to keep cyber criminals out, and paid insane amounts of dollars for it, but the reality is that when a phishing mail slips through your net and an unsuspecting user opens that one attachment that "looks pretty interesting", you might as well have burned your firewall dollars. The chain breaks at its weakest link, and that is always somewhere inside the company where you least expect it.

The image of the hacker, a hooded figure lurking in the shadows, a socially awkward loner out for revenge against your company, is a depiction that Hollywood helps maintain. The reality is that you should be far more afraid of that fresh-faced intern who thinks he's a computer genius, or, even scarier: the people on your IT staff. Their level of professionalism determines your level of security. I used to be one of these folks, and I know most of them are so overwhelmed by day-to-day troubleshooting that security seems some far-off concern.

The problem is that security awareness sometimes comes at the cost of user-friendliness. It's a pain to have to remember a complex password and to change it every 2 weeks, so people don't do it. The admins allow simple passwords that never expire, an employee tells his password to a coworker, and soon everyone knows it. Or, even worse, the administrator password is something that is widely known throughout the company.

The CEO is usually horrified when he finds out what goes on inside his company without his knowledge. We have yet to encounter a company where there weren't any loopholes that could be exploited.

The good thing is that, with the news events of the last few years, people are starting to realize that some things need to change. Until very recently it took an incident to wake companies up: an incident that cost them a vast amount of money or, sometimes worse, damage to their reputation. Now this is changing. Companies are proactively looking for external help to audit their IT security and to learn exactly where to harden it. The psychology towards IT security is changing. Having your company breached, or confidence tricksters parting you from your money because your employees lack training, is not something a CEO looks forward to.

Better safe than sorry. Right?

