I believe there is a “denial syndrome” that exists in cyber security. I’m not referring to the “It won’t happen to me” concept, I’m pointing to a deeper and more dangerous belief. In psychology, denial happens when we are uncomfortable with the facts of reality and instead of dealing with it we reject it, insisting it is not correct.
On every Windows machine, you will find there is a local administrator user, usually descriptively named “Administrator.” This user exists by default. It is there because the machine requires at least one administrator when it is first installed. For the most part, machines in an organization are managed by the domain administrator (once the machine is added to the domain, the domain administrator is also an administrator for that machine), and the local administrator is used in times of “crisis” - when there’s no network access, but physical access is available.
The other day I was speaking to a good friend of mine. He’s an executive consultant working for a large Fortune 1000 organization. As we are talking I realize that he has access to a lot of highly sensitive information that if exposed could be rather damaging to the company. He was lamenting to me how he needed to get access to some data on one of the servers but IT blocked him from accessing it until he completed a mandatory online “IT Security Awareness” training.