If the IT boys and girls play nicely with others, then the structure of the network becomes visible to the auditor fairly quickly. Nevertheless, one must remember those immortal words of Ronald Reagan's speechwriter: "trust, but verify." After verification, it is common to find things that were overlooked. It doesn't matter why they were missed--what matters is that they are found.

The process continues for days until it is believed that every possible network security vulnerability has been found. It may or may not be the auditor's job to make recommendations, but that's another story. In his final report, he will (or should) shock the living daylights out of the corporate bosses.

This service is not cheap, but then, what's the alternative? Having seen a little bit of the process, my immediate reaction is: Why isn't every bank and financial institution hiring someone to do this kind of audit for them--something thorough and complete that will identify the weak links in an IT security chain? It is disturbing to think that institutions that have control over billions of dollars of our money (and pay their top executives a king's ransom) seem to have little interest in a comprehensive security audit.

A book could be written on the excuses people make for ignoring security, and if it were not so serious it would be hysterically funny. While people make noises about the latest virus attack, they pay no attention to any company's prime asset: its data.

As a financial center for the region, Hong Kong needs to be leading everyone else in IT security best practices. Those who are so keen to invest in new companies might want to think about how 'secure' that investment is.