You Already Turned Off the Alarm. You Just Don’t Know It Yet.

If someone walked into your building right now and said they were there to fix something, how long before anyone questioned them?

Take a moment with that. Don’t answer it the way you want the answer to be. Answer it the way it actually is.

I’ve spent 23 years asking that question. Then walking in to prove the answer. My team has talked its way into server rooms, executive offices, and financial archives at some of the most tightly regulated organizations in the country. Not by beating technology. By being helpful, confident, and convenient to let in.

In all that time, not one of my clients has experienced a breach.

Until four hours after my priest told me not to turn on the alarm.


The day I became the client

I sit on the board of our parish. This week, our church moved into a new building. Before everyone left after Easter rehearsal, I asked about the alarm. The construction crew didn’t want to deal with a code every time they came and went. Too inconvenient. One more thing to remember. One more step between them and getting their work done.

I asked our priest three times. Are you sure?

Three times he said yes.

I’ve been in enough boardrooms to know when I’m outvoted. So against my better judgment, I walked out without arming the alarm.

I knew what I knew. It didn’t matter.

Four hours later, the building was hit. Four minutes is all it took. And the construction crew, the same people who couldn’t be bothered with the inconvenience of a code, had their tools stolen.

The lesson didn’t land the way I thought it would. Life moved on for everyone involved. I’m the one still sitting with it.

That told me something important. Not about security. About human nature.

Convenience is our default setting

What happened at that church wasn’t a security failure. It was a human failure. I see the same failure in companies every week.

Our default setting as human beings is to choose the path that requires the least processing. Not because we’re careless. Not because we don’t care about risk. Because the brain is wired to conserve energy. Security is friction by design, and friction is the enemy of our default setting. So when those two things meet, convenience wins almost every time, and we don’t even notice.

Think of it like a screen door in a Texas summer. It keeps the bugs out fine, right up until someone decides it’s too much trouble to make sure it latches. One decision, made unconsciously, and now everything gets in.

That’s how most breaches start. Not with sophisticated attackers. Not with zero-day exploits. Ordinary people make ordinary trade-offs, choosing convenience over the friction that security requires. The Verizon Data Breach Investigations Report has tracked this across tens of thousands of confirmed breaches. The human element shows up in roughly 68% of them. Not hackers breaking through walls. People leaving doors open, literally and figuratively.

Without physical security, you cannot have data security

Here is what 23 years of physical and cyber assessments have taught me that most organizations never want to hear.

Without physical security, you cannot have data security.

It doesn’t matter what technology you’ve implemented. It doesn’t matter what your cyber program looks like on paper. If someone can walk through your door, the conversation about digital controls is already over.

We’ve proven this hundreds of times in our own assessments.

At a mortgage company in Arizona, my team walked past the receptionist, tailgated into the corporate offices, found the server room, and created accounts that allowed us to manage our testing remotely. We were in the building for nearly three hours. We introduced ourselves to the staff as new employees. People gave us tours. No one questioned us once. We went out to the smoking area with employees and walked back in through a door with no cameras, no guard, and unlocked all day.

At a community college campus, a team member walked into an open classroom, plugged in a bootable USB drive, and ran a full internal network scan using the classroom computer.

At a grocery chain corporate office, windows to the executive offices were left open at night.

In every case, the organization had cybersecurity tools in place. None of it mattered once someone was inside.

Physical access and cyber access are not separate conversations. They are the same conversation about who gets in, under what conditions, and who is accountable when something disappears.

“I don’t have anything anyone would want.”

Most mid-market and lower mid-market businesses carry a dangerous assumption into this conversation. I don’t have anything anyone would want. No customer data worth stealing. No reason to be a target.

That’s the business equivalent of leaving a screen door unlatched and assuming nobody will bother because your house isn’t the nicest on the block. Attackers don’t go where the brand is biggest. They go where the door is easiest.

Small businesses are targeted nearly four times as often as large organizations. 60% of those who suffer a cyberattack close within six months. That’s not a recovery story. That’s a fatality rate.

And increasingly, these businesses are heading toward exits (sales, recapitalizations, PE transactions) without having addressed the convenience trade-offs they’ve been making for years. When a buyer’s diligence team arrives and starts asking questions, those trade-offs become leverage. And leverage in a deal room always belongs to the buyer.

The alarm you’ve already turned off

Most businesses already know, somewhere in the back of their minds, where their own alarm is turned off. The vendor has too much access. The system that never got patched because it would have required downtime. The policy looks good on paper, but doesn’t match how the business actually operates. The door stays unlocked because locking it creates friction.

The question isn’t whether those trade-offs exist. They do, in every organization I’ve ever assessed, including yours.

The question is whether you know where they are before someone else finds them first.

The CEO who said all the right things

I was introduced to a CEO during a ransomware event that kept his company down for 32 days. Two hundred employees. Operations across the US, Canada, and Asia. The source of the attack was his outsourced IT provider, which had been compromised and became the entry point into his business.

When the dust settled, he told me two things.

First, no one had ever told him how critical cyber risk was to his business.

Second, he no longer trusted his IT team or his MSP.

He said he was ready to tackle security the right way. He meant it in that moment. I believe that completely.

He never did.

Life moved on. The pain faded. The default setting came back.

That’s not a character flaw. That’s the same thing that happened at my church. The same thing happens in boardrooms every week when a security control gets bypassed because it creates friction for someone with authority.

Reasonable people, making reasonable decisions, in the moment.

Until the moment costs them everything.

My priest is a good man. That CEO is a good leader. The construction crew was just trying to get their work done.

None of that made the tools come back.

Cyber risk is not about what you think or feel. It is about what you can prove. And convenience, our most human instinct, is the single greatest threat to your ability to prove anything.

The alarm is already turned off somewhere in your organization.

The only question is whether you find it first.

Mike Fitzpatrick, Founder and CEO, NCX Group, Distinguished Fellow, Ponemon Institute

P.S. In 23 years, my team has never delivered a clean assessment. Not once. There is always something. The difference between the companies that survive and the ones that don’t isn’t whether the risk exists. It’s whether someone cared enough to find it before it found them. If you want to have that conversation, we’re here.

Repost from LinkedIn – https://www.linkedin.com/pulse/you-already-turned-off-alarm-just-dont-know-yet-mike-fitzpatrick-gjh3c/
