Slashdot Mirror
Ask Slashdot: Do You Use a Smartphone At Work, Contrary to Policy?
Jason McNew writes: I have been in IT since the late '90s, and began a graduate degree in Cyber Security with Penn State two years ago. I have always been interested in how and why users break policies, despite being trained carefully. I have observed the same phenomena even in highly secure government facilities — I watched people take iPhones into highly sensitive government facilities on several occasions. That led me to wonder to what extent the same problem exists in the private sector: Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property. This question has become the subject of a pilot study I am doing for grad school. So, do you use a smart phone or other PED during work hours, even though you are not supposed to? Please let me know, and I will provide the results in a subsequent submission to Slashdot.
--- Sent from my Verizon Wireless Galaxy S4
Question 8. What kind of wearable smart devices do you own (check all that apply)?
If I don't check any, I get a "! This question requires an answer." Alert.
I guess I better go get a wearable smart device.
(Other questions have the same problem)
I've worked a lot of places. I work for the government now.
There's two classes of secure workplace. Actually secure, and pretend secure.
Actually secure places have people who search everybody when they come in, may have thugs with guns guarding the place, have proper access controls and actual consequences. Active network monitoring. Plug something unexpected in and security shows up, not the admin. Violation of policies can result in things like jail, detention, civil liabilities, immediate termination, etc.
Pretend secure places have polices, maybe a secure door, and no real consequences.
When you see people around you at work who are incompetent in your field, you assume that people throughout the organization are often incompetent in their field. When I worked in government, this wasn't uncommon. So you have a lot of rules, many of which are inconvenient to you. Since the *reasons* for the rules aren't ever published, you write off the inconvenient ones as incompetence; you don't believe they're actually any threat at all, and the punishments are sporadic-at-best, so you ignore the rule.
Taken out of the normal corporate workplace, there are rules against phones on airplanes. For over a decade... they simply didn't matter to the plane, and it was easily observable to any traveller, as often, the person next to you wouldn't turn off a damn thing, and things worked out fine.
The reason for the rule was that one phone a mile in the air could try to connect to hundreds of ground based towers, hosing the whole network. Since you weren't able to connect, you couldn't see that; you just used the phone. But since the *reason* for the rule wasn't really published, and the effects seemed nonexistent, people ignored the rule all the time.
That, and holy hell, phones really aren't a security risk. People are a security risk; if someone's allowed to see the same document a thousand times, they can simply memorize it instead of taking a picture. You need to have people you trust; the government simply runs on the policy that no one can be trusted, and (often!) gets far less competent people because of that... ...which leads back to my first point, which is when you see occasional incompetence around you, you assume the rules were written by someone incompetent.
"Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property." - Citation needed.
Just because it could be used in a particular way does not make it inevitable that it will be used that way. In a citation you need to provide solid evidence that this has occurred and that this is a risk. In cases "I" have heard it was an action of the employee in control of the PEDs that initiated the security/IP theft. In those cases that person had physical access to the assets and would simply have chosen another mechanism for theft if PEDs weren't available.
...No, I'm not kidding...at one position (where I was a contractor), I got a link to a 'Policies to Follow' online document, when I clicked on the link, I got a 'You are not authorized to view this page' message. So I wasn't authorized to view the policy I was supposed to follow.
At another position, where I was doing device support (i.e. handling all the physical devices) for my team, I tried to connect to corporate email using my company phone (obsolete, with a custom rom), I got two nasty grams from two _different_ company security groups for the connection attempts.
So, to answer the original poster, that item they have may not be their own, and everyone at the company works around the company rules, because they should have been applied to just a section of the company (or have taken into account the differences within company areas)
Portable Electronic Devices (PEDs) are a huge threat to both security and intellectual property.
But, security is a huge threat to productivity. Is it possible that while the employees were being drilled on security, they were being held accountable for productivity and not given tools that were nearly as productive as their PEDs? For example, everyone likes to yell at the guy who's not paying attention to the meeting because he's texting, but they forget that the same technology allows you to send the on call guy to the meeting and have an 95% chance he will be able to actively participate. The alternatives are to have a second meeting or hire another tech so there is one on call and one available for the meeting.
People immersed in security all day sometimes forget that security is about tradeoffs, not eliminating all sources of "insecurity". A good general rule is that if a security policy is being widely ignored, then it is probably not properly aligned with the organization's goals.
You ask why users break policies. I guess there can be many reasons but for me anytime a policy gets in the way of accomplishing a task, it gets broken.
Another way of saying this is polices are likely to be broken when policies conflict. While not using your smart phone may be a policy, getting your job done is also a policy. In this case people will generally choose to break the policy with the least personal risk. If I am more likely to be fired (or not paid my bonus) if I don't get my job done than if I use my cell phone, I am going to choose getting my job done and use the phone anyway.
If am using my phone against policy, I may also do things that are detrimental to the business while I am trying to hide my phone usage. At a minimum I am wasting time and brain cycles thinking about how to deal with the policy conflict.
There was this movie that among other things was about unintended consequences that can happen if you have conflicting policies / instructions. "Open the pod bay doors, HAL".
I find it interesting that so many people refer to security getting in the way of productivity. What happens of all your security circumventions cause a breach that results in R&D being stolen, the system being hacked and customer personal information released, systems being taken down, etc. These can cause millions of dollars of loss. All your "producivity improvements" may be negated and much more by a breach caused by your failure to follow the rules. I think that the "my productivity is being harmed" people are too focused on their own job and refuse to see the big picture.
This appears to be one of those "conclusion first" studies, especially after seeing all the loaded questions in the survey, (which I could not complete due to the lack of n/a options). I have no confidence in OP's ability to be objective, considering his degree is in security, which relies on companies being overzealous.
I'm a good cook. I'm a fantastic eater. - Steven Brust
When I used to go to automotive plants, they'd search your bags and you weren't allowed to bring cameras in. Once everyone got a cell phone with a camera, they just gave up.
When we had our first kid (2008) they'd look at you a bit snarky if you had a cell phone in the hospital. By the time we had our third kid, there were medical interns texting in the surgical room (it was a C-section). Nobody batted an eye if you had a cell phone, though the signs were still up. In my doctor's office, he uses some kind of program to manage all the patient medical files, and there's a terminal (it's a Mac actually) in every examination room. He leaves it logged in even though there are theoretically steep penalties for violating patient confidentiality. Just looking at the screen you can see his whole schedule for the day. When he comes in, he doesn't have to type a password or anything to start entering data about my visit. Devices like insulin pumps are known to allow wireless connections without authentication, and even if there was authentication, let's face it, it's probably broken.
Not long ago I was doing searches for industrial equipment manufacturer names on Shodan and ended up connected to one of those big wind turbines, somewhere in the middle of the US. No authentication. It was a monitoring dashboard and I didn't poke around, just closed it, but there were suspicious links/buttons on there to access the industrial controls, such as the PLC.
There are so many vectors: web browsing, phishing, thumb drives and phones brought in from the outside, pwnies, wireless, executives taking laptops home or even to China, spoofed OS updates, hardware infected as the point of manufacturing, and those are just some of the ones we know about. There is no real security.
"I have never let my schooling interfere with my education." - Mark Twain