Study finds IT security pros cheat on audits

IT security professionals might think of auditing as a pain, but some are actually cheating to get audits passed, according to a study released Wednesday by security vendor Tufin Technologies.

According to the survey of 150 IT security managers and technical staff from enterprises and government departments, 20 percent admitted to cheating on security audits or to knowing of a colleague who did. The survey was conducted from April 28 to 30 during InfoSecurity Europe in London.

Ruvi Kitov, CEO of Tufin Technologies, told SCMagazineUS.com Wednesday that with self-audits, security practitioners have to run through a set of checks and fill out a form verifying they accomplished certain tasks. Some, though, fill out the forms falsely to cut corners, Kitov said. In other cases, IT security professionals might lie to an external auditor who does not follow up to ensure the answers are valid.

“Quite a large percentage seemed to cut corners,” Kitov said.

He added that lying on an audit is like "driving without a seatbelt." Doing so is a great disservice to the company, which could experience a data breach.

Jonathan Gossels, president and CEO of SystemExperts, a Payment Card Industry (PCI) standard Qualified Security Assessor (QSA), told SCMagazineUS.com in an email Wednesday that he would have thought the number of those who lie on audits would be even higher than 20 percent.

He said companies are often subjected to an audit when a prospective customer or business partner wants to know the company is safe to do business with.

“It needs a clean audit report, but has neither the time nor budgeted resources to actually address any deficiencies, so they lie,” Gossels said.

Andy Bokor, COO of Trustwave, also a PCI QSA, told SCMagazineUS.com Wednesday that this finding does not surprise him. He said that IT security professionals are often under a lot of pressure to be in compliance, and in many cases describe their environments in the most advantageous light.

He said it is the external auditor's job to validate that what was said is correct.

“You have to be somewhat suspicious to validate that what they are saying is the case,” Bokor said.

This problem might be driven by dwindling budgets, Kitov said. In the survey, 48 percent of respondents said that cost cuts have impacted their compliance efforts.

The survey also found that in dealing with tighter budgets, IT security pros would consider turning to eBay to purchase IT equipment. Nearly a quarter of respondents said they would buy from eBay if it meant they would save money.

“Since most hardware products are standard-off-the-shelf, I don't see anything inherently wrong with acquiring the commodities at a lower price,” Gossels said. “The only issues are warranties and service contracts. Even then, if the prices are low enough the company can buy lots of spares and have a good procedure for rapidly configuring and swapping out a malfunctioning unit.”

Kitov warned that buyers should be wary of purchasing equipment for which they will not receive support, while sellers must ensure they wipe all the data before getting rid of any products.

Early this month, a hard disk containing the launch procedures for the U.S. military THAAD (Terminal High Altitude Area Defense) ground-to-air missile defense system was bought on eBay as part of an annual research study that began in 2005 to analyze the information remaining on disks offered for sale on the second-hand market.
