On the one hand, everyone wants to stay safe, and on the other, they want to be able to do their jobs without onerous measures getting in their way.
“On a recent early morning commute on public transport, I was struck by the number of people who were standing about with the work ID badges on full view”
We have seen the gradual creep of measures such as two factor authentication and biometrics into business use and they have generally been a good thing. Along with awareness training, they seem to have raised the game in terms of making sure that information and systems are only accessed by those with the need and the rights to do so.
However, amid all of this there seem to be critical areas of security and data protection that on which people consistently fail.
On a recent early morning commute on public transport, I was struck by the number of people who were standing about with the work ID badges on full view.
These ranged from a materials analyst to a clerical worker, two solicitors and a senior administrator in a pharmaceuticals company.
Not only that, but more than one of these individuals was accessing work systems on smart devices as they went. One was reading their email and the other was reviewing some documentation in relation to a procedural change for an ISO compliance project.
One may wonder at this point, how did I know all of that. Well, I just looked. Without being obtrusive, or even trying very hard, I could see not only the screens but the gist of the information on them too.
A very cursory search on getting into work myself, and I had the personal contact details and potted work histories of the two screen readers. I could have emailed either to tell them not to be so indiscrete with confidential materials in a public place.
And this is the issue.
Despite being made aware at every turn that hackers are trying to phish your details, trick you into clicking on dangerous links, or entrap you into deploying malware, ordinary workers appear to be entirely unaware of the danger of information and identity theft through these other means. I could easily have photographed over the shoulder of the sitting screen reader and captured the contents, which, along with their badge information, would likely have been enough to craft a targeted social engineering attack to compromise them.
Even without the screen information, one could easily have stolen the details for a badge, looked a person up on LinkedIn, Facebook, Pinterest, Twitter and any other social media on which they may post, as well as taking a sneaky pic of them, and used it to perform an identity theft.
Worse still, I could have been an actual hacker, intent on gaining access to a specific target and have been on that specific train, knowing that it carried the target personnel and harvested all that of that lovely information on display.
The security professionals need to get the message across to people that information security does not start and stop when with an information device. Information is now so critical, particularly when it relates to identity, that it needs to be protected to the same level, irrespective of the format—badge, log-in, documents or whatever.
There is little point in having a three-stage identity process to log on to a system, if two of those stages are freely available, swinging off the end of a branded lanyard around your neck as you walk in the door.