Friday, May 29, 2009

Protecting your own organization's data = the emperor has no clothes

It's interesting that the White House is advocating new measures to tighten the nation's digital security.

The fact is, most information in corporate America most often walks in and out the door. I did an audit one time of my organization that was very revealing. I challenged a PI firm to attempt to penetrate our premises and to gain as much strategic information as possible. They walked right in, spent a lot of time "mingling" and hanging out in an allegedly very security-conscious workplace environment at P&G. They took and photographed whatever they wanted. They fielded market research. They asked directions, created their own ID cards, attended meetings and presentations. They listened in on conversations of employees on-site and off (public locations like restaurants).

Now, given the ease of access to the physical premises, they invited in a world-class hacker to sit in a conference room and ping the system. Our best-in-class outsourced IT security service took 20 hours to figure this out. After a couple of hours he was close to getting through the firewall. Finally I took the video footage from this exercise and played it back with voice-over commentary to the entire organization. Shook them up a bit for a short while. Probably timely to do it again.

