Posted by: David Schneier
compliance, GLBA, NCUA, NPPI, PII, regulatory, Regulatory Compliance, Security, security awareness
When I first started blogging professionally, a colleague of mine cautioned that I should avoid posting anything where a client might recognize themselves in any story or example I might relate, good or bad. And so in the years since I've sometimes gone to great lengths to anonymize my content to protect the names of both the innocent and the guilty. When an old nemesis of my industry popped its ugly little head out of the ground last week and inspired this week's post, I realized that just about every client I've ever done fieldwork for is likely going to think that I'm writing about them. Sadly, they'll all be right.
Why do organizations struggle so mightily to manage the most simple and straightforward of all controls: their own interior physical space? They'll spend seemingly limitless dollars on implementing state-of-the-art security software and related devices. They'll build out robust vulnerability and scanning schedules to root out issues and loopholes. They'll implement all manner of physical security controls, from key-card access locks to biometric devices to video monitoring cameras at every conceivable point of entry. But walk through the interior office space and check out what's sitting unclaimed in the output bins of the various copiers, printers and fax machines, or sift through the papers scattered about in wide-open cubicle spaces, and you're likely going to find a treasure trove of sensitive information that's there for the taking, all without the slightest chance of detection. How is it possible that in this, the era of security enlightenment, when security awareness is a recognized corporate initiative being hailed from the upper echelons of the org chart, all anyone needs to do to steal choice non-public personal information is simply pick up a stack of papers from any one of the many output devices spread around the office?
I hear about desk audits where someone is designated to walk the floor and identify when someone has left sensitive information lying about, but I never see evidence of it. I read emails provided as evidence during audits that staff are constantly being reminded to secure their work space, but while conducting fieldwork I still walk past wide-open offices with loan applications lying about, or even the occasional pocketbook or wallet sitting right there on top of the desk. And quite literally every client site I have ever visited has things sitting in printer and fax machine trays that should never be left out in the public space. Does it really make a difference to prevent an online hacker from gaining access to customer data when the cleaning staff can simply stuff dozens of documents with the same information into a garbage bag and sell it to someone on the black market without any fear of detection?
And I'm not sure why this keeps happening.
Seriously, how hard is it to enforce such blatantly simple rules? Why can't organizations assign an individual to walk the floor before leaving each night to at least make sure things aren't lying around? Well over a decade ago, while working on Wall Street, the team I was part of had someone designated each day to conduct a desk audit of a randomly selected floor. If someone was caught with sensitive information sitting unsecured in their work space, they received a smiley face with a note reminding them to be more diligent in the future. If they were caught a second time, their manager was contacted with a slightly sterner warning. No one was ever caught a third time in the year-plus the program was in effect. It took about fifteen minutes for the walk-through, and the job was rotated amongst a group of people so it wasn't just one sheriff or one bad guy. It was simple and effective. Perhaps if it cost hundreds of thousands of dollars to purchase and required a six-month implementation plan it might hold greater appeal.
It's been said that an organization is only as secure as its weakest link, and for most that means they have a significant vulnerability. The only way it can be addressed sufficiently is via a true and robust security awareness program. Sadly, most organizations seem content to be security unaware, which is just mind-boggling in 2011.