PEBCAK - the social issue

the #1 reason that businesses get hacked

well, that and poor implementation of security and services

We recently had a query from a business manager of a small business doing work for the government. They wanted us to check on some e-mails that had been sent from one end user that he was sure he hadn’t sent.

We went through the usual checklists and asked the manager to please send us the e-mail received so that we could trace it, etc. It took a few attempts, but eventually, the e-mail was sent to us in the correct format and we could inspect it.

Our inspection was hamstrung and we could only conduct our investigation in a limited capacity as the manager refused point-blank to give us any access to the back end to check for any other issues. We did what we can with the information available to us. 

For some reason, this manager was compelled to interrupt us at every possible chance in our investigation and how he had worked as an IT Strategist for large organisations, and how he had vast experience in IT. 

We personally found this all amusing. Here is a person trying to impress his authority upon us, repeatedly telling us how much he knows, and how much experience he has, but has made the call to ask for help.

Not only that, every time we queried the usual, basic security checklist, he reminded us of his vast experience.

We know that some queries are obvious, hence why we always preface our discussions with checklists with the disclaimer saying:

“We know some of these queries may be uncomfortable, may be obvious, and we most certainly don’t mean to be patronizing, but we have to ask to cover the bases. We don’t know how much you know, so we have to assume entry-level knowledge of security.”

As IT security consultants, we don’t care about your insecurities about your abilities. We just want to secure your business and look after you. To protect you.

We just care about getting to the bottom of the issue. Sometimes our queries may appear tactless, but in reality, we’re just objectively looking at all possibilities.

A true security expert is an analyst that has to ask questions, not belittle, not undermine anyone’s authority, but analyse and find the weakest links, the gaps in your system and plug them.

Cyber-security is a lot more than just about systems and procedures. We also have to tackle the #1 reason for hacks or compromised accounts. PEBCAK. Problem Exists Between Chair And Keyboard. The end user. The social aspect.

They are the ones that click the link “to pay the courier for the parcel that they never ordered” and then enter their e-mail account username, password, and credit card information. 

In this case, we asked our queries, determined the user had his account compromised and we wrote a long list of recommendations to the manager on how to fix the issues and plug the gaps. 

All business owners have at some point had the old adage thrown in their faces:

“The customer is always right”.  No, the full adage is “the customer is always right in matters of TASTE” as it refers to the hospitality industry. If the customer was always right, they would not be calling us for our advice, our experience and service.

We queried if certain things had been done to secure the e-mail system and if the domain and other systems had been secured. Ironically, every single one of these things had not been done or there was some issue with the configuration.

They weren’t shy about investing in security. They were paying a premium for all the features of a really top-notch secure e-mail and IT system and weren’t using any of the security features!

Even the most obvious, basic policies and procedures on our security checklist had not been implemented! 

Then, we wonder why these government departments have all been hacked with all these skilled, experienced IT managers looking after them!

IT managers are not technicians. They are not consultants. Their job is to manage people and usually have limited knowledge of systems. Often, we find they don’t even keep up with the trends in the IT industry. this is obviously not for every IT manager, but it has been our experience.

In matters concerning cyber-security, in a modern company, it’s less about “firewalls” and “routers”. It’s all about “Identity Control”. The cloud has mostly negated the need for servers on-site. Now, it’s all about “Access to the Services”.

The weakest link? The end user. Training, education and routine testing are the only way to keep a system secure.

In the end, it was a really positive outcome and we (hope) the client implemented our advice and secured his systems. 

Our difference? We deal with people. We’re consultants. Not just “techies”. We take a personal interest in your Business IT systems.

Concerned about the security of your systems? Need to set up policies and procedures, need to harden your operation, reduce your risk, call the IT Consultants at the IT company near you! IT NEAR U.