By Dr. Elliott S. Lynn
Faculty Member, School of STEM at American Public University
Many things impair an organization's ability to secure its data assets, including such common threats as viruses, malware, disgruntled employees, and ordinary criminals. Many cybersecurity incidents are associated with outside intrusions, such as the Target breach that exposed the payment card and personal data of tens of millions of consumers. Yet organizations overlook some of the most basic and significant threats because those threats are disguised as the ordinary norms of society. Common courtesy, trust, familiarity, and good manners become a liability in 21st-century organizations that depend on information technology.
The mannerisms learned and embedded in U.S. cultures from childhood include:
- Holding the door for others when entering or exiting a room.
- Being friendly in order to make new friends.
- Giving people the benefit of the doubt.
- Reporting to an adult or authority figure only when something is really important; otherwise it is just tattling.
Can you spot the potential security breach in each mannerism?
Is there room for a cybersecurity attack in a society that instills these pleasant behaviors from childhood through adulthood? Organizations spend millions of dollars every year on access cards, technology-enabled door locks, and other basic physical access controls, and all of it is bypassed the moment an employee, taught that it is impolite to close a door on someone approaching, holds it open. This common problem is referred to as "piggybacking" (or "tailgating"), and many employees admit to being uncomfortable closing the door on an approaching stranger despite a clear "no piggybacking" policy.
In a small study of 100 employees with card key access in a "no piggybacking" organization, more than 60% admitted they would not be comfortable closing the door on an approaching stranger who looked familiar. In the same study, over 90% admitted to holding the door for a friend or colleague they recognized, and said they would continue to do so despite the "no piggybacking" policy. Upon further investigation, this large organization had no method of notifying employees, even at the department level, of the termination or other involuntary removal of a colleague. The organization's primary defense against a data breach by a departed employee was lockout of the user's account and removal of card key access.
Even so, if generic accounts exist (a common but weak practice for shared access), a terminated employee who knows their credentials can still use them, and more generally can still reach the network simply by getting to a computer inside the building. Based on the survey above, a terminated employee has a better-than-even chance (over 60%) of being let into the building by someone to whom he or she looks familiar, and greater than a 90% chance from someone considered a friend who has not been told of the termination. "Being polite" is a broad generalization, but holding the door is a direct by-product of it.
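The gap described above is detectable after the fact if badge-reader and workstation logon records are correlated. The following is an added example, not part of the original article or of any product named in it, that applies three checks to constructed sample logs: a logon by an account on the termination list (lockout missed or reversed), a logon by a named account with no badge-in for that person in the preceding window (consistent with piggybacking), and any logon to a generic account, which cannot be attributed to a badge holder at all. The log formats, account names, window length and hostnames are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data for illustration (not real logs). One site, local time.
BADGE_EVENTS = [
    # (timestamp, badge holder, door, result)
    ("2024-03-04 08:02:11", "asmith", "main-entrance", "GRANTED"),
    ("2024-03-04 08:02:40", "bjones", "main-entrance", "GRANTED"),
    ("2024-03-04 08:03:05", "cdoe",   "main-entrance", "DENIED"),   # badge already revoked
]

LOGON_EVENTS = [
    # (timestamp, account, workstation)
    ("2024-03-04 08:10:30", "asmith",    "WS-101"),
    ("2024-03-04 08:12:02", "cdoe",      "WS-117"),   # terminated user's own account
    ("2024-03-04 08:15:45", "bjones",    "WS-102"),
    ("2024-03-04 08:20:10", "dlee",      "WS-108"),   # no badge-in on record for dlee
    ("2024-03-04 08:25:00", "frontdesk", "WS-100"),   # shared account, no person to tie it to
]

TERMINATED_ACCOUNTS = {"cdoe"}      # assumed feed from HR / identity system
GENERIC_ACCOUNTS = {"frontdesk"}    # assumed inventory of shared accounts
BADGE_WINDOW = timedelta(hours=10)  # assumed: a badge-in earlier than this no longer explains a logon


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def badge_ins(events):
    """Map badge holder -> times they were actually granted entry (denials are ignored)."""
    granted = {}
    for ts, who, _door, result in events:
        if result == "GRANTED":
            granted.setdefault(who, []).append(parse(ts))
    return granted


def has_badge_in(granted, who, at, window):
    """True if `who` badged in within `window` before the logon time `at`."""
    return any(at - window <= t <= at for t in granted.get(who, []))


def review_logons(logons, badges, terminated, generic, window=BADGE_WINDOW):
    """Return (timestamp, account, host, reason) for every logon that needs review."""
    granted = badge_ins(badges)
    findings = []
    for ts, account, host in logons:
        at = parse(ts)
        if account in terminated:
            findings.append((ts, account, host,
                             "terminated account authenticated: lockout missed or reversed"))
        elif account in generic:
            findings.append((ts, account, host,
                             "shared account: cannot be attributed to a badge holder"))
        elif not has_badge_in(granted, account, at, window):
            findings.append((ts, account, host,
                             "no badge-in before logon: possible piggybacking"))
    return findings


if __name__ == "__main__":
    for finding in review_logons(LOGON_EVENTS, BADGE_EVENTS,
                                 TERMINATED_ACCOUNTS, GENERIC_ACCOUNTS):
        print(*finding, sep=" | ")
```

Two caveats before running this against real data: remote or VPN logons will never have a badge-in and must be excluded or handled separately, and a badge DENIED event followed minutes later by a logon on the same site is strong evidence that someone held the door, so the denial itself is worth surfacing alongside the logon.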
Are there other elements of politeness that have a similar impact?
Letting someone log on to your machine because theirs is not working may seem polite, despite the many problems that follow when one user's session or workstation is used by another. This is not about roaming profiles, which legitimately let a user work from different machines; it is about someone using a machine, or a session, they are not authorized to use.
Employees may be reluctant to share their computers, but few feel the same reluctance about an unsecured phone line. Many would consider it rude to refuse a request to use their desk phone when it saves the asker a walk back to their own desk, and ruder still to ask why or whom they are calling. A single call placed from an internal extension, which lends the caller credibility, can be used to elicit the make and model of servers, modems, firewalls and other deployed equipment, in the hope that an administrator kept the defaults or has not patched a known vulnerability. Being polite can prove as detrimental as being friendly.
Making new friends and creating a pleasant work environment can also put your organization at risk. Can Information Technology (IT) security professionals have friends at work, or take part in the pleasant social dynamics of an organization? Not without the risk of personal bias interfering with keeping the environment secure. Close friendships involving employees with administrator access should not be taken lightly: they make directives harder to enforce and increase the likelihood that confidential discussions are compromised.
Employees are people, and behaviors learned in childhood help shape the adults they become. This does not mean that unmannered people are less of a security risk, but it does make a strong argument for further research on how learned human behaviors influence IT-related security breaches. Learned behaviors and manners that compromise the security of an organization remain among the biggest threats organizations face today. Proper training, and an environment that encourages and reinforces actions contrary to general social mores, can help mitigate significant risks.
About the Author: Dr. Elliott Lynn is regarded as a knowledgeable subject matter expert in information technology security and architecture with 20 years of leadership experience dedicated to developing Business-Minded IT professionals capable of aligning strategic goals with secure IT solutions. Current certifications include MCSE, MCSA, MCT, CTT, and the DAWIA Level III Defense Acquisition Certification, the highest level recognized by the DoD Acquisition Workforce.