I borrowed this subject line from a client. It is such a true statement. How many times have you sat through meetings and had to explain or justify the cost and why certain security measures are being put in place, only to have your plan rejected or watered down? What typically happens at some point is a security breach, and immediately following it there is a debriefing of the incident and the finger-pointing begins. How come we didn’t have a plan? What steps need to be taken to ensure this does not happen again in the future? We spend thousands of dollars on security and we are not protected. Damned if you do and damned if you don’t.
There have been some recent high-profile security breaches. The breach of the White House perimeter made headlines around the world. A recent article by an airline union claiming security is lax and items could be placed in food also hit the news. I’m sure there are numerous other breaches around the world that do not get picked up by media sources.
How can these breaches occur? What can be done to stop them? The simple answer is ‘if there is a will, there is a way’. No facility can guarantee that it cannot be breached. The firm I work for regularly completes penetration and breach testing for a number of different industries annually. Security quite often takes the blame when a breach occurs. The issue is not just a security issue. Everyone at an organization is responsible for security. We recently had an example where our team breached a shipping entrance that was left open. We gained access and made our way to the elevator of the office tower. We simply looked lost and confused, and a kind employee used their card to assist us in activating the elevator. They asked which floor we were going to and even pushed the elevator buttons. Next thing you know, we were on the executive floor. Once again we encountered another set of glass doors that required an access card. After a few minutes, we were greeted by another employee who kindly opened the door and took us to the visitor waiting area. After enjoying a cup of coffee, we decided to go for a walk. The next 30 minutes were spent roaming. Photographs of sensitive information left on desktops were taken. We placed a backpack in the lunchroom and exited the building. The backpack was not reported until almost 48 hours later.
The company had recently implemented some cost-cutting measures that affected a number of security programs. They had all the necessary policies and procedures in place to prevent such a breach. Unfortunately, they did not have the security resources required. In addition, the level of security awareness amongst the employees was extremely low. This most likely was a result of complacency. I think it is extremely important for organizations to complete regular penetration testing. This can be done through a third party or you can use internal resources if they are not recognizable.
The end result should allow you to identify gaps in your security program as well as provide an avenue to create heightened awareness across the entire organization.