What do we do when the biggest risk to a business is those who are meant to be securing it?
This is an expansion on a LinkedIn post from last week. From a criminal perspective, if you can manipulate the security of a facility then your job becomes much easier. In so many cases we make this much easier for them.
How many security teams are trained in basic personal security procedures? How many are a risk to their business because of their own poor security? In the past 3 or 4 weeks I have:
1. Seen a night patrol driver post a photo in his car before heading to work tagging his home address in the post.
2. Heard a security person talk his colleagues through how to work a particular security system over the phone (including spelling out the username and password) while on his lunch break.
3. Received an email from a person working in security which was filled with malware.
4. Witnessed a security operative hand out a visitor's pass to a contractor and give him directions to the room he needed because she was too busy to accompany him.
All of these were at different sites and different companies. Are these individual errors, or is there a systematic failure to train security staff for these types of incident? Is there an assumption that security contractors will already know this?
I originally posted this rant on LinkedIn and some of the feedback seemed to focus on a lack of general security standards within contractors. Others pointed towards a lack of training for security staff in these areas, and a number stated that it was down to pure complacency and laziness. I think it may be a combination of all of the above. Some of it is training, certainly, but training isn't all of it. You can give people all of the knowledge in the world, but if there isn't a culture of security throughout the company, and that culture isn't embedded into everything the security contractor does and is measured by, then the training is pointless. When that's done correctly, the training can be effective and complacency becomes less of an issue.
The reality is that this type of security culture requires an investment of time and money, and contracting a security company with that culture embedded won't come cheap. If a client purchases security based on the cheapest option then they get the cheapest service. The client values the security lowly, the provider values their staff lowly as a consequence, and the security staff value the client lowly. The vicious circle continues and leads to inevitable security lapses.
Lack of awareness
There is also a fundamental lack of awareness of basic information security within the industry. I don't know of a single entry-level security programme that covers the fundamentals of information security. I'm also pretty sure that there isn't the expertise within many security companies to train their staff on these types of issues before deployment, because they don't understand them themselves.
The reliance is on the client to provide effective policies and standards and on the contractor to follow them. Many clients' policies that I've seen, however, won't go into such detail as "don't talk passwords over the phone", as there is an assumption that everybody would be aware of it. Assumption is a dangerous word and leads to many security breaches. People assume they can't be heard, assume the contractor will be honest, and assume their computer is safe. Assumptions can be catastrophic, though, and any one of the lapses above could end up with the security team becoming a critical security risk.
Let’s consider how badly each situation could have ended.
1. Patrol driver: posts a picture of himself showing his company uniform and tags his home address as his location and the time he leaves for work. It's posted in a security group on social media with over 2,000 members. Not only does he put himself in danger of being followed, and his route and clients compromised, but he puts his family in danger as well. If a criminal gang want access to one of his clients' buildings, they show up to his home, grab his family, and get him to open up the building and bypass alarms.
2. Security guard on lunch break: I can see his uniform and his ID badge, and now I know his username and password for the access control system. Firstly, if I were a rival contractor, I could contact the client directly with this info and cost him and his employer the contract. I could post the info online and sell it. I could use the info with some social engineering to call the security office and get them to grant me remote access to the system. Then I own the system.
3. Email with ransomware: the security person had received a great offer on a very well-priced security product from a "supplier" to his email, as he was "a valued and respected member of the industry". He opened the PDF and clicked through some products which worked and others which "didn't". He then helpfully sent it on to me as he thought I might be interested. I scanned it and it was filled with malware. I told him to bring his laptop to a repair shop and to tell anybody else he had forwarded it to. He had sent it to some colleagues but wasn't sure if they had opened it on their own or work PCs. He could potentially have exposed the whole work network to malware and cost his employer a lot of money and reputational damage.
4. Contractor on the loose: this should be obvious. No matter how well you know a contractor, you don't know them. More importantly, they don't know security. They may not be malicious, but they could inadvertently do something to compromise security: for example, take photos of themselves which reveal information from inside the building, enter the wrong door or office and cause a security incident, or enter rooms where sensitive information or products are managed. The list goes on. If they are malicious, they have free rein to do untold damage to the client, their reputation, and their trust in the security contractor.
I didn't write this article to hammer the security people in question. I wrote it to raise awareness. Client security starts with personal security, and personal security starts with awareness. If employers don't make staff aware and continually audit and reinforce this awareness, then it falters. Security is one of those industries where small mistakes have large impacts. A single error can cost a job, a contract or even a life. We are supposed to be the experts in this area. When the security team becomes the security flaw, the whole industry suffers.