You would like to think auditors would be doing things securely. Even though the auditors sent on site are often fresh out of college, you’d like to believe that the company they represent has been around long enough to be versed in security practices. Unfortunately, that often isn’t the case. How many times, when they have asked for information, have I wondered if this is part of the audit? “Am I dumb enough to mail the auditor unencrypted information about my internal network to their external account?”
In a recent case cited by Sophos, as reported by the Birmingham News, it is worse than that. Ernst & Young auditors lost a USB fob. Fortunately, the information was encrypted. Unfortunately, the password was with the fob. Obviously, that defeats the purpose. Some people are just destined to be examples for others.