What’s the single biggest threat to your security posture? Hackers? Corporate espionage? SSL Vulnerabilities? Zero-day exploits? Maybe insufficient funding for proper risk assessment?

No. The biggest threat to security is post-it notes and random boxes. Seriously. Because these are the tools that your own employees use to make their daily jobs easier. Your own users, with no malice, regularly compromise security every day. Odds are, they train new hires to do the same thing. Why are they undermining your work? To put it simply, they’re undermining your work because you are unintentionally undermining theirs.

Imagine that you’re very worried about security. You put in place a policy requiring Very Strong passwords: 14 character minimum, must contain upper and lower case letters, numbers, and a special character. The passwords have to be changed every 30 days, and no re-use. That’s not a hypothetical: I’ve worked in an environment with just such a policy. What happened? Well, very few people wanted to, or could, readily memorize such a password. And changing passwords so frequently was, putting it mildly, a nuisance. So nearly everyone wrote down their passwords. Some used password vaults on their phones, but most used, well, post-it notes. Which meant that anyone who wandered into the office could find out half the passwords. Weaker passwords which the users could remember might have been more secure!

Why not require the users to work harder to memorize their passwords? Keep the strong passwords, penalize users for the post-it notes, and just force them to be more secure. That certainly might have worked, but it’s forgetting a crucial fact: the users aren’t there to maintain security. They all had jobs to do. To them, the passwords were getting in the way of their real work, and – as people who cared about their work – they would do what they could to circumvent the obstacles in their way.

I saw that same pattern time and again in that environment. The higher-ups kept trying to improve security but each time they did they made it harder for the users to get work done. At one point, I saw a sysadmin taking a picture of his monitor with his phone, and showing the phone to a co-worker, because he had no other way to give the co-worker a screenshot! Others had to take frequent refuge in a nearby coffee shop just to check their email. Or, in other words, one sysadmin had screenshots of a secure computer’s configuration on his unsecured smartphone, and most of the office was reading confidential company email on an open wi-fi network in a public location.

Obviously there are better solutions to these particular cases, but the lesson is still an important one. Security is a good thing, to be sure. But by impinging on business-critical tasks, the policies effectively encouraged dedicated workers to create gaps in security. And while even more draconian policies could have been put in place, that’s really not the answer. The people who are violating policy are doing so because they’re dedicated workers who want to get their jobs done. When making policy, those people aren’t the opposition. Instead, the goal should be to create policies which are as transparent as possible and impinge on business processes as little as possible.

To do this requires an understanding of the business processes and engagement with the user community. With smaller companies, this means talking with your co-workers. Larger companies may need more involved processes such as usability studies in order to find out how a policy will affect the users. However it is done, this is a question that needs to be asked. Otherwise, expect to find that your users are busily poking holes in your security, and likely being rewarded for it.
