There are many IT services firms – including some run by friends and colleagues of mine – who perform something called “network assessments”. The outcome of these assessments – which are usually aimed at SMBs – is to determine the overall health of your network and computing environment, supposedly including security.
First, let me be clear that these are legitimate services to see where your network stands. That’s fine and dandy – a useful service indeed. The problem is that these network assessments are being pushed/sold under the guise of security assessments. I was recently on a friend of mine’s website and saw how they can check the security environment of a network. I looked at the Web site of another colleague of mine and his business claims to offer a service that ensures your sensitive data remains protected. In our discussions, neither of these people have ever claimed to be security experts. I don’t believe “in-depth security assessments” are their intent either.
But what about all the other network services firms/consultants out there like them…?
My point is to be careful. Don’t assume that just because a network engineer checks your systems, recommends some software updates or network design changes, and ultimately installs some new security products in your environment that your information is truly secure. A solid and effective information security program is much grander beast.