Having just finished writing and submitting my final project for ISE 5300 (MGT 413), I seemed to be hyper-focused on insecure behaviors in public. One of the big class takeaways was being able to focus the training content on how these risks affect the employee outside of work. If you can show how an attacker will go after their personal email or Facebook account, those secure behaviors will carry over to their corporate accounts as well.
This past week was a heavy travel week, but provided some unique observations. What better place to see how people use both personal and corporate assets than the airport? Over the course of a week I was able to observe people in three different airports, each in a different country. This surely provided a good mix of cultures and backgrounds.
I arrived a bit early at the first airport to catch up on work once I was settled in, and I ended up at a gate at the very end of the terminal. For about an hour, there were only a handful of people in this area – a great setting for focusing. One individual seemed to have the same idea, except the work they were catching up on included calls that seemed to be with other teammates. Mildly annoying in public, but everyone has to make phone calls at some point. The reason this person made it into the blog post is the content of those calls… This concept was captured really well by this TurkCell poster:
Traveling employees absolutely need to be made aware of the risks of discussing client details in public – you never know who may be listening.
The second observation came courtesy of the “Executive Lounge” in the hotel. Perhaps the person thought this was a secure space, but it was certainly not secure enough to leave an unlocked laptop by itself on a table while they went into another room. Perhaps they figured only trustworthy people are granted access to the lounge. As far as I know, companies do not outsource their access controls to Hilton, so machines should not be left unattended here.
A few takeaways from the course and this week’s observations:
- Employee training needs to be tailored to the individual risks those folks will face. Perhaps not all employees travel for work, but how often do people bring devices with them just to “check in on things”?
- Training likely has compliance requirements, but that should only be the beginning of your program. Employees need to know the real risks – they are the target!
- At the risk of really looking like a SANS fanboy (which I am), the SANS Securing the Human page can be found here. There are a ton of resources and tools you can use to enhance your program.