Protect your systems - Fire all of your Staff

October 31, 2014

Anybody familiar with Cardiopulmonary Resuscitation (CPR) will understand that CPR should be continued until signs of life return, qualified help arrives or it is physically impossible for the rescuer/first-aider to continue, for example due to exhaustion (Australian Resuscitation Council, Guideline 7).

This last part, in theory, means that a rescuer could potentially be performing CPR on a victim for hours, while the victim turned cold. Much of the reason for this instruction is not about the victim's health at all, but the rescuer's. If a person couldn't continue CPR because they were absolutely exhausted, it is quite fair to say there was nothing more they could have done. And they would believe that. If, however, they stopped after a shorter timeframe, there's a good chance they would spend the rest of their life wondering "what would have happened if only I'd gone another five minutes". The key to a clear conscience, so the argument goes, is to do everything within your power based on available resources.

In business, there will always be limitations on available resources. For the corporate security manager, these limitations are often one of the biggest frustrations. However, the professional will always manage around it, through a combination of effective risk-management and/or the well known Serenity Prayer - Lord, grant me the serenity to accept the things I cannot change, Courage to change the things I can and wisdom to know the difference - whichever is more appropriate!

A significant problem, however, is where responsibility for the security of an organisation is charged to an individual, such as the Security Manager or Security Officer, or to a small team, such as the IT Department - very common in the case of information or IT security. This scenario frequently allows management to be confident that security has been taken care of. However, this confidence is often misplaced. The above parties simply cannot be everywhere and on top of everything. Ultimately, some responsibility for the security of an organisation's assets must come down to individual staff. That is: The security of any organisation is the personal responsibility of every single employee.

We have been contracted by many organisations to evaluate their security, and found that upwards of $20-250,000 worth of physical access controls can be rendered instantly useless by tailgating a single employee, too polite to close the door in our face, into the secure area. Similarly, multi-million dollar IT Security systems and configurations are rendered useless by an employee who forgets to lock their workstation or doesn't protect their password.

A perfect example of this was a major organisation who asked us to review the security of their systems. As is typical for 'security assessment' type assignments, nobody in the organisation, besides a small group of managers, knew who we were or what we were doing. In other words, we should have been treated like any other unrecognised visitor (or intruder). We decided to speak to a few of the staff.

Calamity: "Hello, I'm conducting an audit of the security of IT Systems. Can I talk to you for a couple of minutes? Won't take long."

Employee: "Sure."

Calamity: "Management want to know that everybody in the organisation is complying with the password requirements for systems. You know, how long they are, that they are not people's names, that sort of thing."

Employee: "Well I think I'm doing the right thing. It [the computer] makes me change password every few weeks."

Calamity: "Well let's see. What's your password?" [picking up clipboard and pen]...

You can probably guess how the 'interview' ended. Quite a few more staff fell for the same trick too, giving us their passwords. One employee, however, was very polite and asked instead if she could call her management first and get their permission. Instead, she received a bunch of flowers the next day for being diligent and has since gone on to become an "IT Security Champion" in the business (thirty bucks at the florist well spent!).

Importantly, the others were not made to feel silly - this was not their error but an organisational weakness - and were fully debriefed on what happened to find out where the organisation's security implementation went wrong. Essentially, staff had all taken for granted that, since those 'guys in the suits' were inside the office, they must have been admitted by reception. It did not occur to them that people could also sneak into offices. Incidentally, as part of the exercise, we also took a few laptops which were unsecured, compromising all of the corporate information stored on them (in addition to the replacement cost of the laptop). It was also possible to borrow an ID card from a well-meaning staff member, under the pretence we needed it "to get back from the bathroom", and then use it to access other areas (now wearing a corporate ID badge to further avoid suspicion).

As a result of this exercise, management realised that while their security policies, technology and implementation were sound, they hadn't invested sufficiently in training of staff to 'close the gap'. Like many companies, they had the usual posters on the wall advising staff to "never share passwords" and to "close the door". Clearly these hadn't had the desired effect. However, a half-hour presentation to the staff, by Calamity, replaying hidden-video of the various incidents and discussing common tactics used by criminals did.

The company had been re-issuing up to 40 lost or stolen photo-ID and proximity cards per week. After the exercise, when staff learned to protect company assets, this was reduced to 2.

Significant laptop theft was almost totally eliminated and all staff became aware of tailgating and the need to challenge strangers. So much so, that the following week when we returned to the building to debrief management, we couldn't get in - nobody wanted to be the one to let 'that security guy' into the building. Since then, the information posters have also served to reinforce the message, rather than being one more advisory notice to which nobody pays attention.

The observation reached by management was flattering - "a couple of hours and [our modest fee] did more for the company's security than tens of thousands of dollars worth of hardware". However, we prefer to think the two are complementary. What is crucial, however, is to recognise that the security of any environment is only as strong as its weakest link, and to implement controls which address this.

In the interim, this may help:

"Lord, grant me the authority to accept the risks I cannot change, The resources to change the things I cannot accept, And the wisdom to hide the bodies of those staff I had to kill today because they forgot to close the secure door."
