Is it stubbornness or arrogance? When it comes to developing data and network protection programs, people are the biggest risk factor. In some cases, that concern involves those who should not only know more about potential vulnerabilities and be addressing them for their company, but who play a major role in ensuring IT security plans are implemented and followed: the technical staff.
My intent in highlighting this issue is to point out something many may not have considered, not to bash those who get it and practice safe data protection methodologies. The attitude I describe below definitely runs counter to security best practices, and it might just be a real issue in some solution providers’ businesses, or those of their clients.
Who would ever think that a tech or member of the IT staff employed at a customer site could be a weak link in the security chain? Could their attitudes or actions be a vulnerability? People get fired every day for repeatedly violating protocols, while others get penalized for slip-ups (intentional or inadvertent), but some comments I spotted on an industry social media post today make me think there could be a deeper-seated issue that needs to be discussed.
Let me set the stage: the CompTIA Facebook page is used to share a plethora of useful information on the channel and IT industry in general, including news and articles on issues our community cares most about. Last week, one particular post caught my attention: an insightful article from the Society of Human Resource Management, Put That Thumb Drive Down! You Don’t Know Where It Has Been. That piece highlighted an experiment that was part of a recent CompTIA cybersecurity study, in which nearly 1 in 5 people who found a USB stick on the ground plugged it into their computer.
Human nature is to be inquisitive, and despite all the information telling people not to install an unsecured device, disc or program, you know some are going to do it. But what caught my eye, and raised my concern, were the comments from those who appear to be (or are aspiring to be) tech professionals. Without disclosing any names, and edited slightly, here are a few of the responses I found posted below the article:
- “I plug them into my old laptop that runs Linux, and has NO Wi-Fi adapter… once it’s been started a few times and formatted... well, it’s mine.”
- “My curiosity always gets the better of me but this is also why I have an extra computer that I use for this kind of thing and it stays off the network.”
- “Couldn't we just set a write protect in regedit (Regedit.exe) then plug it in?”
- “Use a live Linux CD, erase partition, create new partition, format the USB and enjoy the spoils.”
While I acknowledge that some of the fixes proposed in the comments section could work, why would you intentionally plug what is essentially a throw-away device into any computer, whether it’s on a network or not? The risk is simply not worth the reward. In this case, we need to go back to the human nature component mentioned above. People like a challenge. Raspberry Pi is a great example. Everyone I know who dabbles with those devices isn’t looking to build a replacement for their own highly functional PC (most have multiple high-end laptops and desktops). They buy Raspberry Pi kits and adapters because they enjoy putting things together, taking them apart and, basically, just making technical gadgets run.
That’s what good techs often do. It’s not a criticism, just an acknowledgement of their passion for challenging projects or activities.
But could that inquisitiveness get you or your clients in trouble if they don’t fully think through the repercussions of their actions? Case in point: what if the USB device they found were to contain the latest undetectable virus or Trojan? They plug it into a PC not connected to the internet, run diagnostics to “prove” it’s clean, and then hand it off to a co-worker or client. It will inevitably make its way onto their machines and networks and be free to do whatever it was built to do.
The other scenario to consider is what happens if they identify a virus that ends up on the “control” laptop. Unless they safely and completely destroy the computer and the USB device, either could still end up being used by some unsuspecting family member or friend who finds it in your workshop. Can you guarantee no one will have access to those devices? Consider the “what happens if you get hit by a bus” scenario…
Mindset Versus Best Practices
Solution providers have to consider the repercussions of any security protocol violation. It goes beyond the USB example. Do you have employees willing to experiment with things that could be a security risk for your business or, worse, your clients’ businesses? Even if they truly are smarter and more mechanically inclined than anyone else you know, their inquisitiveness could have bad repercussions.
Imagine what could happen if they were to share information like the comments on the CompTIA Facebook page with your clients. It could undermine the best practices and security protocols you and your customers put in place. When those they look to for technical advice disregard well-intended rules, it lessens the value of those requirements.
With rogue IT becoming an increasingly larger concern for solution providers, that type of disregard for security protocols could be devastating. You need your entire team to “talk the talk” and “walk the walk” with network and data protection, and that starts with the basics. Security conversations should happen regularly: in staff meetings and training sessions, in the field, and especially on the client site. In fact, CompTIA makes that job easier for you, your team, and your clients with an informative whitepaper, Cyber Secure: a Look at Employee Cybersecurity Habits in the Workplace. It outlines the increasingly complex threat landscape companies face and illustrates the risks associated with employee behavior, a must-read for anyone with access to workplace technology (not just the IT people).
The real issue isn’t that a few people posted concerning comments on a Facebook post; it’s the rebellious nature that is fairly pervasive in the tech community. The good news? Some get the security risk potential and are willing to share their thoughts, as they did on the CompTIA Facebook page:
- Nine times out of ten a lost thumb drive or memory card is not lost but deliberately thrown; turn them in to the police in case there's incriminating evidence.
- Always smash flash drives with a hammer, or crush them in a vise. Or use a small bench device that applies a small burst of high voltage to the USB power circuit.
- Reminder. Your SOP should always include physical damage of some sort to prevent access or re-use of ANY and ALL storage medium (digital, analog, or printed) prior to disposal. This guarantees someone else won't pick it out of the trash behind you.
Brian Sherman is Chief Content Officer at GetChanneled, a channel business development and marketing firm. He served previously as chief editor at Business Solutions magazine and senior director of industry alliances with Autotask. Contact Brian at Bsherman@getchanneled.com