Theres a security show running in London right now called Infosecurity Europe 2003. As a promotional tease, the organizers of the event arranged a frightening little survey. They went to Londons Waterloo (train) Station and looked for people in business dress with briefcases and other trappings of business and asked them for their computer passwords from work.
75% (gasp!) of respondents gave the password without any further prompting. 15% more were tricked into providing it through a simple course of social engineering, the kind you might do to anyone in a business into which you want to hack. For instance, some people were asked how they chose their password. A self-identified CEO said that he used his daughters name, and then gave his daughters name when asked. Amazing.
Oh, and as a reward for betraying, wittingly or otherwise, their companys security, respondents received a free pen. (I would have held out for at least a t-shirt!)
Horror stories like this actually make me wonder about the wisdom of single sign-on systems. In a way they just allow your users to compromise even more of your systems. But the answer cant be to make things harder or keep them obscure. Clearly the correct answer is to get users to do the right thing.
Of course, security is more than just passwords. The Waterloo survey also found that 75% of workers would look at the company salary database if they mistakenly got access to it and 38% would pass it around. So much for doing the right thing.
And this isnt the only recent example of minimal security competence. The newest mass-mailer worm, Coronex, makes reference to viruses and SARS in the subject line and invites the reader to launch the attached executable, named sars.exe or virus.exe or something similar. Putting aside for the moment the fact that all recent and most old versions of Outlook and Outlook Express have been patched to prevent such mass-mailings for years, I ask still wonder who by now does not know that you dont run such a program under such circumstances?
Some people say that problems like users not taking their passwords seriously are a matter of education, but Im not so sure. People who would give their password to a stranger at the train station would surely give it to someone who called up at work and claimed to be from tech support. Have they not been told that this is a bad idea, or do they just not care?
I tend to agree with Tamar Beck, Director of Infosecurity Europe 2003, that "This survey proves peoples loyalties are not with their employer, they put themselves first. Employees are sometimes just naïve, poorly trained or are not made aware of the security risk. Employers therefore need to create a culture of protecting their information & reputation with policies on information security backed up with training to support the security technology".
There is no alternative to education for problems like this. Your employees are the guardians, like it or not, of your companys proprietary information. If you dont get the message out to them that protecting that information is their job and how they can do that job, they might just conclude that its no biggie and so what if her ex-con boyfriend uses her computer now and then? Theres a lot at risk with a security-ignorant workforce.