Countdown to Zero Day
Sometimes cyber attacks slow down a nation’s path to nuclear weapons. It’s exciting, and book are written about it. Most cybersecurity situations are much more mundane and are the result of human error: opening emails, clicking ok on operating system prompts, or running programs when you shouldn’t.
Reading about cyber security made me think of my own job. It’s retail and not of any particular importance, but a conversation about granting permissions on made me see how most often people choose convenience over security without even batting an eye or asking any questions.
Since the beginning of COVID our store has been screening every employee at the start of every shift for COVID symptoms. Think about asking the same questions to 200+ employees everyday. It was time consuming and tedious. At first the answers were recorded on paper, but a few weeks later it switched to a Google Form. This was better but still relied on some paper. Everyday I created a paper list showing each shift. A manager would then highlight off each employee’s name after their screening. Still pretty tedious.
Fast forward six months and someone created a spreadsheet macro in Google Sheets that would automatically coordinate between the Excel spreadsheet from payroll, containing all the shifts, and the Google Form health answers. Instead of tracking down a manager for the health screening, now employees went to a self-serve kiosk to answer the questions on a tablet. Between the entire management staff this process saved hours of work every single day.
However, this convenience came with some potential security risks. When initially setting up the spreadsheet it required permission read, write, and delete all emails from that users gmail account. It also required access to all documents stored in the user’s Google drive.
That seemed excessive to me so instead of immediately hitting ‘accept’ I asked my manager. His answered with “well I have nothing to hide, hit accept under my account.” He perfectly echoed the popular misconception that security is only needed when trying to hide something. I hit accept and granted the macro access to far more information and power than it needed for its simple job.
This example is a far cry from the importance of the Stuxnet virus or its elaborate behind-the-sceens maneuvering. But still, it reinforced my belief that if someone has to choose between convenience and security, most people will choose convenience. This tradeoff might not matter to retail, but it should for systems running our nation’s critical infrastructure, like electricity, gas, water, traffic, etc…
