Your job is your biggest vulnerability
When we hear about major hacks, data thefts, and ransomware in the news, we shudder at how vulnerable we are. It’s no wonder that companies spend billions to secure their operations. Yet if you happen to join an organization that takes security seriously, it won’t be long before you find yourself in a toxic environment that people are reluctant to take part in.
Peeking behind the curtain of the mystical world of security quickly reveals that the most significant risk factor in every organization is people. This realization immediately leads to finger-pointing, something I’ve seen all too often.
- These lazy developers release code riddled with vulnerabilities.
- Our servers run on a 10-year-old operating system; what are these system administrators doing?
- We are DevOps, and now a Security person comes along… this idiot brings in a bunch of unnecessary requirements that no one will follow.
- Why bother us with security constraints when Jane from finance surely knows nothing about security techniques?
Let’s try to think a bit differently, just for the sake of argument. What if I told you that the biggest vulnerability for a person is a person’s job itself?
The Resume as Pandora’s Box
My job, my work is my biggest vulnerability?
Yes, it is. Think about it. How does a job search start? We collect our personal information (name, address, educational institutions, previous experiences, contact details) into a tastefully crafted document, which we hand over to an unknown and therefore definitely not trustworthy third party. Let’s call this document a resume. What harm could possibly come from this document getting out? Maybe we’ll get a job. :D Or a couple of spam emails and unwanted phone calls as a bonus.
The Jungle of Software
Every profession is different. But these days, I’m used to being approached by headhunters with an opportunity. A complete stranger writes to us, sending a message asking us to open a link. To download a document and run it on our computer. To visit an unknown website.
What do we teach in security? Don’t open links from unknown sources. Don’t download documents from places you don’t trust. And especially don’t open them. A PDF or DOC file might seem harmless, but it’s not, and a quick Google search would show countless pages describing different techniques for embedding malware into an innocent job description.
The big day comes, and it’s time for the interview. We’re asked to install a chat application on our computer. Because of course, the company policy is to use MS Teams, Zoom, Google Meet, Webex, Slack, Discord, etc., for corporate communication. It has often happened to me that I had to install a chat application on my computer that I had never heard of before.
Many are designed for a Windows environment, assuming that I also use Windows. We could debate which operating system is the most secure, but let’s just say that if I can’t download and install my software from an official package repository, I don’t feel safe about my system. Many hackers try to trick you into downloading and installing some application on your system. This way they gain remote access to your computer and can do whatever they want with it in the future. We should try to install software only from verified sources.
The meeting didn’t go well, and we received no feedback. Now we have software on our computer that we don’t use, but we don’t delete it because who knows when they will contact us again. Or maybe another company uses this software.
Bad strategy. It’s better to delete unused software from the computer. Or at least keep it up to date. But why bother if I’m not using it? This is why a dedicated package manager can save you a lot of headaches. If you do not use a package manager on Windows, you should check out Chocolatey.
Webcam Interrogations
Let’s look at interviewing. We talk to each other with the webcam turned on. Strangers interrogate us about our past. Our previous experiences. Often, the most appropriate answer is: “I’m sorry, I can’t answer that, as it’s a company secret.”
We don’t usually read our contracts, do we? :D Questions asked in an interview can easily violate a confidentiality agreement. But the purpose of these interviews is to extract more personal information from us. And how can we be sure that someone on the other side hasn’t pressed the record button?
Every major company must create its own internal training program; it’s required by their security policies, by the way. But if they can outsource that training, or better yet absorb the knowledge from candidates during interviews, that is a huge saving for them.
In some interviews, we may find ourselves answering questions that could easily count as consulting about “industry best practices”, but we are not getting paid for this consultation.
Just a side note: “You know you’ve made it when people start copying you.”
Cubicle Quicksand
Let’s assume we get the job. And have to go into an office. Perhaps we have to relocate to be within reach. House hunting and moving are not easy tasks. How can we be sure that, in a completely unknown city or country, the accommodation provider we found is really going to rent or sell us the place and not make us victims of a housing scam? During the move, how can we ensure that our valuables aren’t damaged, stolen, or tampered with?
This may sound a bit sci-fi, but there are security trainings that cover exactly this. Never leave your belongings unprotected in a hotel room. Never log in to company sites on public Wi-Fi. A job opportunity or a sales meeting in a remote location can quickly turn out to be a trap.
We arrive at the office building. The security service awaits us. The security guard looks at us grumpily. This might give some people a slight sense of reassurance. But the truth is, with a little interest, we could enter almost all workplaces with the phrase: “I’m a contractor and came for the XY company. Could I get a card? It’s my first day. Could you show me where to go?” Sounds secure, right?
This is a different type of social engineering that we don’t hear enough about. When I first learned about it, it shifted the way I look at an office space. Can you spot the QR code on the wall for the company Wi-Fi? Can you see all the documents lying on the desks? Can you see the switched-on, unlocked computer in the corner that anyone could use? How can we be sure that no one is going to tamper with our stuff in an office?
Protecting our health should be our number one priority. If we work in an office, one word: Covid.
The Labyrinth of Onboarding
Then comes the onboarding. At this famous event, we get access to various systems and officially become part of the company. A bunch of papers to fill out, and we receive our company email address and password… on paper.
Basics of password management: never write down your passwords. Surely, we’ve all seen a movie or series where the login password was stuck to the monitor. Who does that? Apparently, every company that hands us the login password for our account on a piece of paper.
Online, the situation isn’t much better. When I receive an email on one of my personal addresses saying that I can log into the system at this URL, using this username and password, it’s not just that the email is the internet equivalent of that piece of paper; they’ve also made my personal email account a worthwhile target. Why would a hacker have wanted to break into my email account before? There was nothing interesting in it. Now there is. We should delete such emails promptly and push back when confidential information is shared with us in this form.
Usually, we will never get all the necessary credentials in the first 3 months. So these passwords and shared secrets keep coming, and this is why getting access to a company email address has such a huge impact: it can be used to scavenge for more credentials.
A Gift from Big Brother
More and more jobs come with the promise: bonus company laptop and company phone. In the best case, when we get our hands on one, we immediately look up the specs and are amazed at what a powerhouse we’ve got. Yet you need to be a computing genius just to start it up. It takes ten minutes just to get to the login screen. Once the computer starts, it automatically logs into the company chat application. A bunch of pop-up windows scares us. Since all the work we need to do is behind a web application, we open a browser. It takes ages to load, and we can barely open more than one tab at a time. Development environment? Even the mouse lags. Start a test environment? Don’t make me laugh.
What can this computer do? Intel i7, 32 GB RAM. The processor is constantly running at 50%, and more than half of the RAM is occupied.
If I saw this on my own computer, I would immediately reach for the operating system installer and look for data-leaking software or malware. But there’s nothing like that. The computer’s slowdown is caused by so-called EDR software. The company security baseline requires that spy software, which sends reports on every single move we make, be running on the computer at all times.
The Keepers of Secrets
Private browsing? Out of the question. Installing work-related software? Two weeks of constant emailing with technical support. Every 1-3 months, a new login password must be set, which cannot be one of the previous five and also seems to require the blood of a virgin. Password manager? Only a locally executable password manager… if you can install it at all :).
Developing a suitable password handling method takes time, and it is unnatural for humans. Just as a general guideline, we should use a different password everywhere. Each should be strong. And strong means long. We humans can only remember things that follow a pattern, and patterns are predictable and guessable. We should be allowed to use a password manager and not be forced into bad practices.
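To make the point about length and patterns concrete, here is a small added example (not code from the original post). It scores a password by the size of the alphabet an attacker would have to search, treats the result as an upper bound that only a randomly generated password actually reaches, flags the classic response to forced rotation (same word, bumped suffix), and generates the kind of long random password a password manager would produce. The sample passwords are constructed for illustration.

```python
import math
import re
import secrets
import string

# Character classes used to estimate the alphabet an attacker would have to search.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes present in the password."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy (length * log2(alphabet)).

    The bound only holds if every character was chosen uniformly at random.
    A human-chosen password built from words, dates or keyboard walks sits far
    below this number, which is exactly why pattern-based passwords are weak.
    """
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def is_trivial_rotation(old: str, new: str) -> bool:
    """Detect the usual answer to 'change your password every 90 days':
    the same core word with only a trailing number/symbol changed
    (Winter2023! -> Winter2024!) or a case change. Such pairs are easy to guess
    from a leaked earlier password, so a policy checker should reject them."""
    def core(p: str) -> str:
        return re.sub(r"[\d\W_]+$", "", p).lower()
    return core(old) == core(new)


def generate_password(length: int = 24) -> str:
    """Password-manager style random password drawn from a CSPRNG.

    Because it is random, the entropy_bits() bound is actually reached; no
    human needs to remember it, so there is no pressure to pick a pattern.
    """
    alphabet = "".join(CLASSES)
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed examples: a short 'complex' password vs. a long lowercase one.
    for pw in ("Passw0rd!", "correcthorsebatterystaple", generate_password()):
        print(f"{pw!r:32} charset={charset_size(pw):3} bound={entropy_bits(pw):6.1f} bits")
    print("Winter2023! -> Winter2024! trivial rotation:", is_trivial_rotation("Winter2023!", "Winter2024!"))
```

Run it and the short "complex" password scores around 59 bits at best, while the 25-character lowercase phrase scores over 117 bits; a generated 24-character password scores higher still and, unlike the phrase, genuinely delivers what the bound promises.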
Life and Work Imbalance
Time management and productive work are now requirements. Of course, the best tools for this are various calendars. Every company management system comes with its own solution, which we can use to organize our lives. Except that, in many cases, one thing is not allowed: syncing it with anything outside the company. So how do we synchronize it with our own lives?
We’ve heard it many times: flexible working hours… Life happens. Anything can come up to anyone at any time. But if we can’t easily add an entry to our calendar, then this is less realistic. Just think about how many opportunities you missed because of this.
Thus, the company calendar often becomes our primary one. Not that anyone actually pays attention to it. Just look at the 2x-3x overbooked time slots. And the instant meetings.
But what happens when our work is no longer needed, and we no longer have access to our old calendar solution? All our reminders and daily and weekly routines are gone. We have to start over with another, hopefully personal, solution. Which, at the next workplace, we’ll soon be unable to use again.
The Theft of Information
Unfortunately, the time for layoffs comes. We have to return all our previous tools. Of course, the company policy includes that we cannot copy anything from the computer. All those notes. Saved browser tabs. Newsletter subscriptions and saved articles in our emails. All are considered company secrets.
Essentially, we’re being robbed. But we can’t do anything about it. This data shouldn’t necessarily be considered company information. However, few people are capable of taking notes in 2-3 places, or of doing the same unnecessary administrative work 2-3 times to save an article or sign up for newsletters, services, and communities. We are stripped of our previous identity. No wonder it is so hard. It is almost a funeral for our previous selves.
Back on the job market
We were lucky to have worked for a renowned company. The inquiries come. Recruiters from all over the world contact us. They send various job inquiries. We install programs on our computers to be able to open job descriptions. To talk to them, we install yet more programs so we can chat.
And how can we be sure that the person we’re talking to isn’t a hacker who found our profile on social media? They saw where we worked before and are just trying to collect material against our previous workplace. Then the downloaded PDF is a backdoor, and it searches our computer for login passwords and email addresses. They steal the contacts from our phones. And in the interview, we receive questions that, if this were a war movie, would be called an interrogation.
Conclusion
Truth is a double-edged sword. Security rules and best practices are created for a reason. They are there to protect your and your company’s interests. However, creating good cyber hygiene is not an easy task. Security starts with people. But if we create rules that make it impossible to behave securely and consciously, it’s no wonder many people don’t care about it. So, I think instead of pointing fingers, we should find a solution that is sustainable in the long term. In this case, the long term isn’t limited to just one workplace; it spans a lifetime.