Cybersecurity is all about the holistic approach to securing your information and environment from external attackers. The security posture of corporations, businesses and non-profits is only as strong as their weakest link. Part of that holistic approach includes testing.

Tests and assessments are done to ensure that the security posture of the Organization is resilient enough to withstand real attacks when the time comes.

Failing a test, whether it is one that Net Force performs or an internal one, is not about politics, or about embarrassing an individual or the Organization.

Example:

During a recent penetration test and security assessment of an Organization, we noticed a number of sticky notes and pieces of paper attached to keyboards and monitors, and tucked under keyboards. After examining several desks, we realized they held a number of usernames and passwords used as part of daily business operations. What blew our minds was that this Organization did have a clean desk policy. The clean desk policy was not enforced, even at the highest levels of the Organization!

Why did clean desks matter? The usernames and passwords we found gave anyone access to the normal computing environment, as well as unfettered access to databases with their Clients’ social security numbers, names, dates of birth, addresses, and driver’s licenses. Any stranger had complete, unrestricted access to complete identities! Talk about an identity thief’s version of heaven!

Policies (including Clean Desks) are important, but the lack of regular testing and enforcement illustrates how Policies meant to protect the Organization were merely empty, hollow words.

The (Potential) Cost:

The idea of clean desks is so simple. And yet, had this been abused by a disgruntled employee or a criminal, the Organization would have been on the hook for thousands, if not millions, of dollars in notifying their Clients that they are potential victims of identity theft. This does not include the Organization paying for their Clients’ credit checks or litigation related to the identity theft incident itself!