If someone told you that household oil cures arthritis, or that butter heals burns, or that installing anti-virus is all you need to be secure on your network, would you believe them?
I recently had a shocking conversation with an IT professional working as the sole IT professional at a company in the US. I encouraged him to apply patches to his network and his response was, “I do not need to patch the operating system or applications—I have anti-virus and that protects the network from all security risks.”
At first, I thought he was joking with me. He wasn’t! I asked, “What if a user writes the password on a sticky note and the cleaning crew logs in as them to access secure files—does anti-virus prevent that?” The IT pro said yes, he was protected. Several of his “IT advisors” told him anti-virus was all he needed.
I attempted to get through to him for almost 10 minutes with other examples, sent him links to articles on news sites showing reality, and he kept going back to “his trusted advisors told him not to worry about it.” I asked who the “trusted advisors” were and he didn’t want to divulge their identities but assured me “they are really smart.” I even offered to have a conference call with the IT professional and his advisors, but he felt that wasn’t necessary.
This poor IT professional totally believes his reality. He probably will until something bad happens—and at what expense?
I experience this to varying degrees fairly often with “IT professionals,” and frankly I find it unsettling because executives trust their IT professionals with the safety of their business. Executives need to trust their IT professionals.
Executives, please make sure your IT department’s advisors are trustworthy as well!