The sun sank, casting a spooky shadow on the jack-o’-lanterns lining the office park. A chilly breeze cut through the parking lot as IT security expert Mike Semel paused for effect, put a flashlight under his chin and finished his blood-curdling story. A high-profile credit monitoring company suffered a catastrophic breach and opened millions of people to the nightmare of credit fraud.
“Supposedly, the data breach came through a known vulnerability in the software,” Semel said in a low voice. “The company knew about it for months but never applied the fix.”
Then came the torture of the blame game: the software vendor pointed fingers at the credit monitoring company, whose former president put the responsibility on the employee in charge of patching.
The Calls Are Coming from Inside the House!
A longtime security expert certified in compliance, disaster recovery, Health Insurance Portability and Accountability Act (HIPAA) and healthcare IT, Semel sees security vulnerabilities in a lot of industries.
He’s watched ghosts of former employees haunt the hallways with unauthorized access, their passwords set to never expire and pages of private information left out for anyone to see. Semel’s also seen terrifying mistakes people make, like a managed services provider (MSP) who accidentally published a server to the internet, exposing thousands of patient records. Patients were searching themselves online and scared stiff to find their private medical data available to the world.
“MSPs are the quintessential cobbler’s children with no shoes,” said Semel, who is president and chief security officer of Semel Consulting and an active member of CompTIA’s IT Security Community.
IT pros need to secure their own systems before working on others’, and be wary of the danger that lurks where there are no firewalls and where software still runs with default passwords. You can learn more and even get certified in cybersecurity with CompTIA Cybersecurity Analyst (CySA+) and CompTIA Security+. Learn best practices, ways to apply behavioral analytics and methods to improve IT security overall, and earn certifications to help you get jobs and promotions based on your security knowledge.
Marge Left the Company 10 Years Ago … On This Very Night!
Semel walked in the front door to discover an agonizing issue that keeps him up at night: no receptionist at the desk, just a sugar skull next to a bucket of candy. The same client had sent over the company’s security policy, which guaranteed the office door was always locked.
“Everybody’s worried about liability, but open doors are things people think are so basic and nobody cares about them,” Semel said. In an auditor’s mind, it’s a sign of weakness and a reason to dig in further.
“If I come into your office and the door’s open, after I see you have a policy requiring it to be locked, I’m going to move in for the next six months,” Semel said, walking down the hallway to find someone to talk to. “If you can’t handle the easy stuff, I can’t assume you’re doing the more difficult stuff.”
Help! Can Anybody Hear Me?
Down the hall, Semel found his contact and heard the issue of the day. The IT team had done hundreds of patches on their servers but weren’t seeing the updates come through. Semel asked when they last restarted the server and looked like he’d seen a ghost when he heard the answer.
“They weren’t restarting the server! We looked back in the records and nothing had been patched in more than a year,” Semel said, shaking his head at the paralyzing mistake he witnessed. “You have to restart for the patches to take.”
He spent time convincing team members that even though their 24/7 operation needed round-the-clock servers, it was better to restart them as planned rather than wait for a disaster to hit. It’s alarming when clients won’t listen to IT security advice, Semel said. Thankfully, people certified in IT security are trained to take on the ghoulish reality of an administrator who doesn’t check the work. Starting with something as simple as a locked front door and requiring people to sign in sends a different message. Best practices in IT security show people you’re doing the job right.
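The “patched but never restarted” condition above is easy to catch mechanically. As an added example (not from the article or Semel Consulting), this POSIX shell check reads the reboot-required flag that Debian/Ubuntu package hooks leave in /var/run and compares it with the host’s uptime; the state directory, uptime file and day threshold are parameters (an assumption for testability), so it can be pointed at a constructed directory as well as a live host.

```shell
#!/bin/sh
# Report whether installed patches are still waiting for a restart.
# Debian/Ubuntu package hooks create /var/run/reboot-required (and list
# the packages in /var/run/reboot-required.pkgs) when an update needs a
# reboot.  Paths are parameters so the check can run against test data.

# reboot_status [STATE_DIR]: prints one line; returns 0 if no reboot is
# pending, 1 if one is.
reboot_status() {
    dir="${1:-/var/run}"
    flag="$dir/reboot-required"
    pkgs="$dir/reboot-required.pkgs"
    host="$(hostname 2>/dev/null || echo unknown)"
    if [ ! -e "$flag" ]; then
        echo "$host: no reboot pending"
        return 0
    fi
    count=0
    if [ -r "$pkgs" ]; then
        count=$(grep -c . "$pkgs" || true)   # grep exits 1 on an empty file
    fi
    echo "$host: REBOOT PENDING ($count package(s) waiting for a restart)"
    return 1
}

# uptime_days [UPTIME_FILE]: whole days since last boot, from /proc/uptime
# (first field is seconds up).
uptime_days() {
    up="${1:-/proc/uptime}"
    [ -r "$up" ] || { echo 0; return; }
    awk '{ printf "%d", $1 / 86400 }' "$up"
}

# check_host [STATE_DIR] [MAX_DAYS] [UPTIME_FILE]: returns 0 when clean,
# 1 when a reboot is pending, 2 when it has been pending past MAX_DAYS
# (default 30), which is the "nothing patched in a year" case.
check_host() {
    dir="${1:-/var/run}"
    max_days="${2:-30}"
    reboot_status "$dir"
    pending=$?
    days=$(uptime_days "${3:-/proc/uptime}")
    echo "uptime: $days day(s)"
    if [ "$pending" -eq 1 ] && [ "$days" -gt "$max_days" ]; then
        echo "WARNING: patches installed but host not restarted in $days days"
        return 2
    fi
    return "$pending"
}
```

Run it from a scheduled job or your RMM and alert on exit code 2; on RHEL-family hosts the equivalent signal comes from `needs-restarting -r` rather than the flag file.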
Certifications also teach IT security pros the power of checklists, which can eliminate a great many mistakes.
“It’s like the doctor making sure he has the right arm before he sticks the knife in,” Semel said. “Checklists are not just for people who don’t know what they’re doing. They are used by pilots and surgeons, and if it’s good enough for them, it can work for us.”
IT Security: A Powerful Craft
CompTIA’s research shows an unnerving disconnect: companies are doing the best they can under budget and resource constraints, but they’re hyper-aware of the cobwebs in the closets.
When surveyed, 85 percent of companies characterize their current security as “mostly satisfactory” or “completely satisfactory,” but when asked about the need to improve various aspects of security, many of the same companies say they need moderate or even significant improvement.
Here’s where they’re most often in need of a security upgrade, according to the research:
- Network security: 81 percent
- Compliance: 74 percent
- Application and data security: 73 percent
Don’t think you can insure yourself out of needing real IT security, and if you’re providing those services to others, remember you’re in the line of fire when clients suffer financial loss, blame or burden from a breach.
“The technology seldom really fails from a security standpoint. It’s just not applied properly,” Semel said. “The minute a client gets sued, they’re coming after you.”
Protect yourself from hacks, hexes and security spells by earning CompTIA Security+, CySA+ or CompTIA Advanced Security Practitioner (CASP). In the meantime, add your real-life IT security nightmare in the comments.
Michelle Lange is a writer and designer living in Chicago.