Do you pentest your infrastructure? YES. Have you tested your people? Mmmh!

Most organisations have either a regulatory or an industry requirement to do penetration testing on an annual basis or when a significant change happens to their environment. Whilst this is considered good practice, the coverage of the test usually includes the technology infrastructure, both externally and internally. The question remains: how many organisations test their own people?

In today's world of beefy technological security solutions, penetrating the external perimeter (in the traditional model) is very hard compared to previous years. The same applies to cloud services. As a result, attackers have focused their attacks on people, who, as you may know, are the weakest link in the security chain, with attacks such as spear phishing.

Businesses understand this, but regardless they have not invested in protecting people with security controls such as security awareness training and targeted security training per job role, e.g. CEO-specific training or bank-teller-specific training. Failure to do so opens doors for attackers.

So the next time you do a penetration test, ensure you include people testing; this can be a social engineering test carried out by a specialised organisation. While these tests can be done once a year, organisations are encouraged to have internal tests done at least quarterly, to keep people in a very defensive mindset and to help them understand that security attacks can happen at any time and that they are the ones targeted the most.

Author: kinyoka

A certified Information Security professional with demonstrated experience spanning more than 10 years in the financial, banking, consulting, and payment card industries, managing Information Security Management Systems (ISMS). A postgraduate degree holder in Information Security Management (M.Sc); Certified Information Security Manager (CISM), Payment Card Industry Qualified Security Assessor (PCI QSA), SABSA Chartered Security Architect (SCF), ISO 27001 Lead Auditor, CREST Registered Technical Security Architect (TSA), CREST Registered Penetration Tester (CRT), and a member of ISACA. Demonstrated to be a reliable, trustworthy, and meticulous person, having worked in controls-focused, multinational, and multicultural organisations over the years and gained a good understanding of what is required of the Information Security professional.

Specialties: ISMS based on ISO/IEC 27001/2; Payment Card Industry (PCI) DSS - QSA-led services - PCI Scoping, Gap Analysis and Formal Assessment (RoC); IT Governance, Risk and Compliance (GRC) Management; Cyber Security Penetration Testing; Enterprise Security Architecture; Technical Security Architecture
