A security solution is only as good as the people who use it, as the following recent incident proves.

A UK penetration tester followed staff through an unlocked, unsecured door into the building after their smoking break. The tester - who skirted past other employees by saying the IT department had sent him - made his way to a meeting room, where he hooked up his laptop to the company's VoIP network and, doubtless, congratulated himself on a job well done.

Is there a wider lesson to be drawn from this? Yes, and it's not to stop people going outside for a break.

The fact remains that if your management team doesn't know what's going on, you can't enforce adequate security policy. That applies to information security just as much as physical security.

I'm sure the company have a perfectly good door entry system, it just wasn't used on that particular door. Likewise, I bet they have a good firewall and other IT perimeter security, too.

Geoff Webb, security product manager, FutureSoft.