Posted by & filed under General, Security.

Some time ago a co-worker mentioned that someone had been rummaging through the files on her computer. She had expressed some concern over the situation, as the files in question pertained to a terminated employee. I nodded in sympathy and asked her the following questions:

  • When did this happen?
    Her response: After she had left work for the evening, but before she came in the next day.
  • Did you log off of your computer in the evening?
    Her response: No.
  • Did you lock your office in the evening?
    Her response: No.
  • Is there anyone currently employed that would have an interest in those files?
    Her response: Yes.
  • Did you tell the Boss?
    Her response: No.

Because the office didn’t have any form of employee tracking, we could not find out who was in the building, let alone who accessed the files. While management was trying to find out who did it, I was focusing more on the measures that could have been taken to prevent it. The worker had not logged off her machine or locked her office in the evening. As with all things in IT, the typical process response is always reactive instead of proactive. If the managers had taken my concerns seriously with regards to physical and virtual security months before, the situation would not have happened. This example was the catalyst I needed to effect a change in policy regarding passwords, automatic log-off, and certain aspects of physical security.


People, Process, Technology

Everyone has seen the People, Process, Technology Venn diagrams prevalent in business literature. I believe the most effective security practices involve a balance of all three categories to succeed – the process has to be sound, the technology relevant, and the people informed. Relying on any one of these categories too much will surely result in failure. No matter how locked-down a server is, if someone writes their password on a post-it note on the monitor, it is no longer secure. If there is no process in place to direct the people or the technology on the correct actions to take to be secure, it will fail.

Social Engineering

It seems the most vulnerable aspect of security lies in people’s tendency to succumb to social engineering tricks. Medium-sized companies are especially vulnerable as they may not have the means to implement physical security and also lack the close-knit employee base to detect outsiders easily. How easy do you think it would be to walk into a medium-sized company with a Canon shirt and convince them you are there to fix the copier?

I’d like to hear your own experiences with security, including what you think are the most important factors in creating a successful security policy.


One Response to “Are people the weak point in IT security?”
