There’s a gaping hole in every IT security strategy, and all the firewalls, software and pricey gadgetry in the world won’t fix it.
The hole, of course, is you.
Stephen Lineberry, an information systems audit manager with KraftCPAs, calls it the “human element” — well-intentioned employees who mistakenly leak sensitive information or otherwise compromise a company’s intelligence. With more companies focusing — rightly — on providing stellar customer service, Lineberry says the door is being left open to “social engineering” attacks, in which scam artists “pounce on that customer-focused mandate” by manipulating and deceiving employees into disclosing proprietary information.
Solutions exist, though, and Lineberry outlines some of them in this Journal of Accountancy article. He says managers should start by asking themselves these questions:
- “Are employees educated and aware of common information security threats?”
- “Do they write down or freely share passwords with others?”
- “Do visitors freely move about facilities without facing barriers to entry, such as a requirement to wear a company-issued badge?”
- “Is it common to see sensitive information, such as completed employment applications or client documents containing Social Security numbers, accessible in unmonitored or otherwise unsecured areas?”
- “What is the prevailing employee attitude regarding information security controls? Are enforced information controls viewed primarily as a nuisance?”
If the answers reveal weak spots, it’s time to take action. A good rule of thumb is to memorize this nugget from Lineberry’s article: “No system is immune to human ingenuity.”
How secure is your “human element”?