I'm sure that everyone out there identifies with the title of this article in some way. We've all faced an issue where we were trying to get the attention of someone outside of the security field, so that they would pay attention to some sort of digital security issue. Basically, they were outside of the digital security field and decided not to care about it. Until it breaks and heads start to roll. I had three such incidences in the past month. Let's take a look at them together. Afterwards, you can relay your problems with those outside the security industry in the comments below; maybe that way we can figure out a way to talk to these people.
When HR doesn't want to manage human resources
I've been working behind-the-scenes with a startup as it builds itself from a small company into something much larger. They recently brought on a new person to manage Human Resources. This is the person responsible for keeping track of everyone's information, making sure it's safe and ensuring that everyone adheres to proper procedures. I logged into a database that this person built. But what did they have in that database? Photographs of people's government-issued IDs. These documents included their addresses, phone numbers, everything – just sitting in a regular database with no password protection or encryption. I thought that was pretty bad, but I was not hired to manage that sort of stuff. Then came the day for me to include my government-issued ID in the same database. The conversation went something like this:
HR: Thanks. I will also be needing a copy of your ID (front and back) for BHR. Me: You're not giving up on that ID, are ya? I am uncomfortable giving out information that personal and having it displayed freely on APP1, APP2, or hosted on servers whose security protocols I am unsure of. HR: Yup. I need the ID of all employees/contractors for APP2. Me: And I need to protect myself from identity theft. What can we do? HR: This is hard. Me: It is. I am honestly shocked to see people's passports freely displayed on APP1. HR: Maybe you shouldn't be in that APP1 lol. We need the ID because of the non-disclosure agreement and, of course, for us to know they are who they say they are. Me: I don't think anyone should be on it. With all of the employee data leaks going on, it's time to take a hard look at where this data is, who has access and if it even needs to be there. HR: You have a point. Me: Studying data access and infosec weaknesses, is one of my jobs here.... HR: A separate board might work. Not everyone has access to those info unless they will be added.... Me: Hackers don't worry about being added. The key to data protection is not creating the data in the first place or limiting how many places it is displayed. These are questions that must be answered, especially by the person (you) who is in charge of handing it securely. I don't want to sound harsh, I want to help protect everyone. It's why I worked in high-end security for years and years. HR: Got you. I don't think there's a better way to protect any data aside from not creating the data as you have mentioned. In my end, I also need the ID as a company requirement for the employees/contractors. So, what do you suggest? Me: Look at your data flow:I think about this stuff; it is why I worry about identity theft. People that don't think about this stuff become victims. I think all storage on APP1 servers needs to be cut. If you need it for APP2, leave it there. It's in enough places as it is, as you can see above. It was easier in the old days. An HR person photocopied your ID and stuck it in a locked drawer. Very minimal infosec risk. Now? HR: Thank you for your time. Let's talk more next time if you're available. Me: Again, I don't mean to give you a hard time. But seeing those passports up on APP1 alerted me to the fact that data handling and employee records may need a look at, especially with information so ripe for identity theft. I appreciate you taking this seriously and discussing it with me. HR: I understand where you're coming from and I appreciate you sharing this info with me.
- The image is taken by the employee. Likely using a phone so the ID ends up on their cloud.
- It's shared on APP3 or through email, so it ends up on the APP3 or email server.
- It is put on APP1 and displayed for those with who knows what access. (Like me)
- It is in the APP1 servers.
- It's on the APP2 servers for another infosec leak problem.
- Did APP4 take a screenshot while my image was up? Another server with my ID...
And then this person proceeded to completely ignore my advice. He will keep on doing this… until it breaks.
Digital marketing is awesome… Now let's forget that it's digital
I was recently in discussions with a prominent marketing magazine. I was proposing a basic article on how people can protect their digital marketing platforms, such as Twitter, Facebook, YouTube, etc. That particular section editor I was speaking to dealt exclusively with digital marketing. I had contacted this person on purpose. People who read the section this editor dealt with deserve to know not only how to improve upon their digital marketing but also how to improve it overall. Wouldn't it be funny if improving it also meant not being hacked? I brought up a number of points in my proposal related directly to brands and prominent business leaders that had experienced a digital marketing hack:
I pointed out that all of these businesses and business leaders could've saved face by taking better digital marketing procedures – that wasn’t important though. They just wanted to continue cramming the same old content down the reader's throats again and again without offering them anything new that would protect them. They didn't want to hear anything like:
- Forcing employees to use strong passwords
- Using a password manager tool
- Using two-factor authentication on the main accounts
- Routing employees through one main dashboard rather than several to better control their access
- Teaching employees about phishing
- Educating employees on the dangers of public Wi-Fi and not using VPNs on them
And a number of other basic things that would be obvious to anyone who goes to websites like Tripwire regularly. This particular editor was happy with things… at least until they break.
One last time… Without feeling
I seem to be a glutton for punishment. The above two instances were not enough to turn me off to speaking to people outside of the digital security realm. This time, I decided to speak with a publisher that dealt with employee training. Having me speak to them about training employees for basic digital securities seemed like a good idea. I wanted to bring up things like:
- Basic digital security: Using antivirus software that updates regularly, turning on firewalls, being cautious of links in unknown emails and avoiding unknowing USBs.
- Authentication issues: Locking down devices with passwords, two-factor authentication, restricting who can access devices, and educating employees about proper physical location security.
- Use of encryption: Using VPNs to encrypt yourself on public Wi-Fi connections, using whole-disk encryption, and making sure that they are choosing encrypted cloud providers.
All of that and a little bit on phishing and backing up your data – some pretty basic stuff, but this particular publisher was not interested in this aspect of training employees. I started writing a follow-up message that would underscore the importance of this… but I ended up saying “to hell with this” and signing my name. True story. After that dismissive message, they quickly wrote back and said that they had reconsidered. Which is interesting; I never thought that not caring would make people care. There's some psychology at play there that I have not gone to school for.
Speaking to someone in digital security
I recently had the pleasure of speaking to a new friend who is directly involved in the IT administration of a major hospital. I told her the first story from above and she just shook her head and laughed the whole time. She was involved in digital security. She got it. The HR person? Still doesn't get it. He also still isn't going to get my government ID. What have we learned here today? Good question. If you are someone with more patience than I, you can keep pushing and eventually get through to some people. If you're not patient, you can give up, let people know that you've given up on them, and it may bring them around. Until then, no one will care about digital security… until it breaks and they come to us with the audacious claim that WE didn’t do enough.
About the Author: Marcus Habert (@MarcusHabert) is the online security writer and analyst for the Best VPN Provider Online Security and Privacy blog. Catch him there every Wednesday for the latest developments in the world of infosec. You can also join the team on Twitter for a constant stream of what’s happening in online security and hacks.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
