The simplest hack

CSO Magazine is reporting on an experiment conducted by the Ponemon Institute.  Researchers disguised as temporary employees, carrying temporary badges, were sent into 43 offices belonging to 7 companies.  Management was aware of the plan; the office staff was not.

The researchers went into the offices, wandered around, took pictures of computer screens, picked up documents marked confidential and put them in their briefcases.  They even brought spreadsheets up on employees' computer screens and photographed them.  All of this in full view of the office staff.

The security industry calls these exercises red team operations.  Been there.  Done that.  I know they work.  Almost 100% of the time.

And the results…

Out of 43 trials, the researcher was confronted by a company employee only seven times when taking pictures of a screen, only four times when apparently stealing confidential documents, and only twice when wandering around looking at things on people's desks and computer monitors and at printers, copiers and fax machines.
In only one case was the strange behavior actually reported to management.

In other words, in a little over two percent of the cases someone escalated what they saw.  Roughly 97 percent of the time, nobody told anyone.

The information they collected included staff directories, customer information, financial information, confidential documents and access credentials.

Open-plan offices were easier to compromise than traditional offices.  Customer service, marketing and sales were the easiest targets; legal and finance were the hardest.  IT was in the middle.

The sponsor was 3M, and the mission was to see whether its computer privacy screens made a difference.  The answer: not much.

Things that did make a difference included clean-desk policies, standardized shredding policies and mandatory training.

And the researchers did not need to be in the offices for long.  They spotted their first target information within the first 15 minutes.

The moral of the story is that we need to deal with the simple stuff before we take on the impossible.  If we fail at the simplest security tasks, there is no way we will defeat an advanced persistent threat.