By Jeff Cann, CIO, Encore Electric, Inc.
Recently, social media giant Facebook announced that a security breach exposed the accounts of 50 million of its users. There will be significant impacts caused by this breach and it is another example of why information security is scaring not only CIOs but all of their executive colleagues–at every business.
Encore Electric, Inc. follows IT best practices such as: consistent employee training on social engineering and phishing, regular security patching, and we do not allow windows admin access for employees. However, we decided earlier this year to conduct our first-ever third party security audit.
We interviewed three firms, each with excellent credentials. We settled on one that spent a week visiting 4 locations where employees work–two offices and two construction sites. The external company turned up issues across 13 assessment categories.
It was a fruitful experience. Our environment is more secure and our IT team is more security-minded. I would offer four reasons why I recommend a third-party security assessment:
1. Best practices–IT professionals use best practices because they are effective. Our teams often do not have the time or resources to examine all aspects of our IT environments and believe that best practices will ensure that our specific environments are not vulnerable.
This sentiment leads to a false sense of security because when it comes to finding security vulnerabilities, it is necessary to examine everything in the environment that is connected to your company’s network. There’s no shortcuts and the third party will find vulnerabilities your team could not foresee.
2. IT systems are complex–When I was a software engineer, we lived by an adage: all software has bugs. Despite the best efforts of most commercial software manufacturers, it is not possible to eliminate all security vulnerabilities. It is likely that the third party team will find vulnerabilities in the commercial software you use that is not yet fixed (or reported) to the software manufacturer. Most appreciate the feedback when you report a vulnerability.
3. IT people don’t think like hackers–The IT people on your staff are as smart as the hackers but do not spend their time thinking of devious ways to infiltrate your infrastructure. A good third-party security firm employs people that have the skills to infiltrate your infrastructure. They will surprise you with their ingenuity to break into your systems so that your IT team will begin to view the infrastructure as a hacker, instead of an IT administrator.
4. Everyone’s a target–At a recent industry IT event, a “white hat” security expert / hacker delivered a sobering case study on his methods for a social engineering attack. He reminded the audience that “bad guys are port scanning the internet, looking for any open doors. They don’t care what door is open.”
Many IT leaders believe that their company is not a target because of the industry or the size of the company. The fact is hackers don’t care who they target. You have to take the initiative to prevent a security breach.
So do not delay. Speak with your company leadership and budget for an effective IT security assessment. The assessment help security your company’s information. It will heighten your team’s awareness of security. It will provide some comfort to your company’s employees and leadership that the IT team is managing risk. Finally, you as the IT leader will sleep better.