Successful companies work hard to build a positive culture. Happy employees do better work. Additionally, many service-based companies have policies where they never want to say no to a customer. The positive aspects of human nature can be, and often are, exploited by attackers to circumvent security measures.
Here are a few real-life examples from SecureState’s Profiling Team as they performed Physical Attack & Penetration Assessments on client sites:
- SecureState easily got to the lobby of a “secure” floor. While trying to figure out how to circumvent the security door, some visitors saw their fake ID badges and asked to be let in. They said that they were in that location for training but the front desk was not answering to buzz them in. A company employee exited the elevator shortly thereafter and buzzed in the waiting visitors. SecureState hid their badges and waited for the next helpful employee to come by so that they could repeat the request.
- While already on a secure floor of an office building with little more than fake ID badges, SecureState attempted to get more information about a company’s phone system. To do so, they entered an empty employee office to make an outbound call on the phone. Just then, the woman who worked in the office returned. While startled to find two random people in her office, she neither questioned them nor asked them to produce any identification.
Generally, companies want employees who are happy to help out, who are non-confrontational, and who assume the best in people. However, these exact qualities consistently allow SecureState, and potentially real attackers, to get around physical security.
After many of our security assessments, SecureState recommends hardening systems through the application of Minimum Security Baselines (MSBs). Companies typically find it much easier to harden systems than people. The truth is, there is no easy way to get all your employees to successfully balance being friendly and customer-oriented while still maintaining a secure posture. Employee awareness programs are key, and setting policy, like that illustrated below, helps remove the appearance of rudeness from employees.