“The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won’t suffice. Even with oversight, the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun, depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.”
“As we have come to realize, the idea that security starts and ends with the purchase of a prepackaged firewall is simply misguided.”
“Employees make decisions every day that negatively affect their business’s security… As a result, we have known for a while that, to protect organizations, employees need online street smarts. However, the problem is that some in the industry treat employee awareness as a training concern or a one-time activity. It is not. It is an ongoing cultural problem.”
“If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.”
“Hackers find more success with organizations where employees are underappreciated, overworked, and underpaid. Why would anyone in an organization like that care enough to think twice before clicking on a phishing email?”
“If security were all that mattered, computers would never be turned on, let alone hooked into a network with literally millions of potential intruders.”
“Information is a significant component of most organizations’ competitive strategy, either by the direct collection, management, and interpretation of business information or the retention of information for day-to-day business processing. Some of the most obvious results of IS failures include reputational damage, placing the organization at a competitive disadvantage, and contractual noncompliance. These impacts should not be underestimated.”
-Institute of Internal Auditors