Biggest mistakes we find during IT audits
When we go into organizations to perform an IT audit, we often find unexpected and sometimes startling items. Seeing what your organization may be exposing itself to shows why an IT review is so important.
Below are four common information security mistakes we find in organizations:
1. Not changing default admin credentials
One of the first things we do at a client is perform a simple scan to find multifunction printer/copier/scanners on the network. Once we identify them, we go to the manufacturer’s website and find the user guide to determine the default administrator ID and password. We then attempt to log on to the device using those credentials. If they were never changed, we now have full access to any item stored on that device.
We find problems with this all the time, at all kinds of organizations. On one occasion we found a board resolution that the president had scanned in for his own records; that file was now available for anyone on the network to read.
Solution: Ensure that all network-attached devices have custom passwords associated with their administrative accounts.
2. Leaving login credentials in public areas
We also perform a check of desks to make sure that employees have not written down login credentials in publicly accessible areas. At one client, we recently found sticky notes with multiple credentials for critical systems underneath the keyboard of a member of executive management. Anyone walking into that office could have grabbed those credentials and logged in as this individual, who as an executive has significantly more rights on the system than the average user.
Another memorable instance was when one of our consultants was at a desk, picking up the keyboard and mouse pad, with the employee right over his shoulder. When the employee asked him what he was looking for, our consultant stated he was looking for the sticky note with her password on it, and she cheerfully replied, “Oh, that's in the drawer.”
Solution: Ensure that employees have been appropriately trained to protect their login credentials. Your organization can also look into using a password manager to help ensure employees don’t have to use easy-to-remember passwords or reuse them across accounts just to avoid writing them down on a sticky note.
3. Not maintaining physical security
Sometimes our inspections reveal flaws in physical security or in facility maintenance.
One time at a large and sophisticated client, while walking down the hall we checked the door to the server room, which at the time was protected by a keypad cipher lock. We turned the handle without entering any numbers on the keypad, and the door opened.
It turned out the batteries in the lock had died, and the lock had been set to “fail safe” rather than “fail secure” (meaning if power is lost, the priority is human safety rather than security). The employees had not noticed, as they were typing in the code anyway out of habit. The CIO went white as a ghost when we showed him, and the next day there were electricians from his alarm company installing a new card swipe lock on that door.
Solution: Ensure that physical security and safety issues are reviewed on a regular basis.
4. Not implementing security training and mobile device management
The most surprising instance we can think of is when we found that an executive of a bank who was responsible for approving wires was doing so from their personal Gmail account. This meant that private information was traversing the public internet — obviously a huge information security risk. The stated reason for this was so that the executive could approve wires even when they were out of the office.
Solution: Provide continuous information security training for all employees, and implement dedicated mobile device management software, which allows employees to access work email securely when outside of the office.
Security best practices
Sometimes we are surprised in good ways.
One client asked to talk about their ransomware protection program and explained to us that no account on the network with administrative access had internet access. This blunts almost any malware attack, because the account that has the rights to compromise the network has no ability to “phone home” or respond to the attacker. We have recommended this same control to many of our clients.
In another case, we had a bank client that used a public workstation in their lobby to allow customers to log on to the internet banking system. These public machines need to be secured to an incredibly high standard to ensure that credentials are not being compromised. This client used a stripped-down version of Linux that could easily be rebuilt and would not be susceptible to Windows-based malware. The IT director at this organization went so far as to set up the Linux operating system to fully reboot itself every time a customer logged off the internet banking system. This guaranteed that no malicious software could be installed, and that anything done by the last customer would be deleted before the next customer logged on. This is an excellent solution to the problem — and one we have recommended to other clients.
Reduce information security risks in your organization
While the above is just a small selection of surprises we’ve found in our IT audits, we want to highlight that in almost every case, these exceptions were there for years, exposing the organizations to risk, until they were found during an IT audit.
What surprises will you find at your organization? Learn more about how Wipfli can help you with an IT audit.
Wipfli Editorial Team