How’s Your Security Working, Really?
“How can I sabotage my company?”
Nobody wakes up in the morning and asks this. But employees sabotage their
company’s security posture more frequently than you think.
Case 1. “No Linux on the Network!”
An employee at a large organization asked me very earnestly how to make his Linux computer appear like a Windows machine on the network.
“They won’t let us run Linux on the network anymore. I need to use my Linux machine, so I’ve been doing a bridge from my phone, which they allow. But is there a better way?”
Let’s unpack this. The security policy in the company — no Linux machines — is so inconvenient that people are actively subverting the policy just to do their job.
Now, the decision-makers behind the policy (“they,” as the employee called them) — what are the chances that they’re aware their employees are doing this?
Zero! Who would tell the security team that they’re breaking the security rules?
Sometimes employees can either follow a policy or do their job, but not both. As a manager, CTO, or CISO, you may never find out that your employees are working around your policy.
Case 2. Too Many Keys
I recently visited my safe deposit box, held at a branch of a large, national bank.
The teller led me into the vault, and revealed an enormous keyring.
“How do you know which key to use?” I asked her.
“Oh, we mark the keys,” she said. “We’re not supposed to, but we do it anyway.” She laughed.
Someone established that a marked key is a liability — in theory. Meanwhile, in reality, the inconvenience forced a workaround. How much does the bank suffer from a marked key? Not much. But if employees start to learn that security isn’t a big deal…
This isn’t a cyber issue. It’s a social issue. An inconvenient, time-wasting policy will only motivate personnel to find workarounds — and these habits can really escalate.
Are your security policies making you less safe?
A little bit of outside counsel can go a long way. Would you even know if your employees were subverting your security strategy?
If you manage security, get in touch with us. We can help you shift security behaviors on the ground. We work with companies of all sizes.
Nick Merrill (PhD 2018, UC Berkeley) is the founder and managing consultant of Broad Daylight.