If you've worked in IT long enough, you've learned to recognize certain types, people who fit into particular ecological niches. Sometimes they're great, and sometimes ... less so. A couple of years ago I asked IT pros to give me examples of the worst types of people they met on the job, and they were more than forthcoming. Now I've collected specific kinds of insecure employees that infosec workers have had to deal with and protect—or protect their servers from. You'll definitely recognize people you work with on this list. Hopefully you won't recognize yourself.
All those cute pop-ups: what harm could they possibly do? "We all know the 'news sites' with alluring but annoying popups," says Eric Brantner, founder of Scribblrs.com. "Some people fall for them and get click happy, infecting their computers with spyware." And emails aren't safe either.
"Almost everyone knows the term 'phishing,'" says Ryan O’Leary, vice president, Threat Research Center, WhiteHat Security, "but the lure of that funny cat video link, or the threat that your Google password has been compromised, is just too great for some people. Once the link clicker has been victimized and malware installed, your entire company's network is now compromised."
Sometimes employees who fancy themselves tech savvy are the most likely to engage in insecure practices. Scribblrs.com's Brantner points to people clever enough to set up pirated streaming sites on their work computers—"and nothing says 'virus' like pirated streaming sites."
Dodi Glenn, vice president of cybersecurity at PC Pitstop, points to users who "torrent software/keygens/cracks illegally; these pieces of software are often riddled with malware. They install remote administrative tools like VNC to connect to their work computer from home, but fail to implement proper security best practices. These employees often open up holes into the company's network unintentionally."
In the same category, says Resilient Network Systems CEO Ethan Ayer, is the person who knows security is important—but doesn't trust their own IT department to implement it properly. "Instead of patching their PC or updating to a new software suite mandated by security," says Ayer, "they decide to research it themselves for two weeks in order to make sure it's good enough for them—and hence they get compromised."
Sure, lots of people love weak passwords, but execs tend to have the clout to resist demands that they change them. Nancy Hand, a retired network engineer who worked for a regional utility company, had to deal with "a VP who didn't like that we'd instituted an eight-character minimum that had to be changed every 90 days and wouldn't accept a repeated password. He wanted to continue using the same password he'd used for years for all of the systems and programs he had access to. The password was the letter 'd,' which happened to be the first letter of his first name."
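The policy Hand describes (eight-character minimum, 90-day rotation, no reuse) is easy to state and slightly less easy to enforce, because a reuse check has to compare a new password against old ones without storing them in the clear. The following Python is an added example, not code from the article or from any of the organizations quoted; the history depth of five, the PBKDF2 iteration count and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import os
import secrets
from datetime import date, timedelta
from typing import List, Tuple

MIN_LENGTH = 8          # the eight-character minimum from the article
MAX_AGE_DAYS = 90       # the 90-day rotation from the article
HISTORY_DEPTH = 5       # assumption: how many previous passwords are remembered
PBKDF2_ROUNDS = 100_000 # assumption: work factor for the stored hashes

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest) for one retired password


def hash_password(password: str, salt: bytes = b"") -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256. A fresh salt is generated unless one is supplied
    (re-supplying the stored salt is how we recompute an old entry for comparison)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, entry: HistoryEntry) -> bool:
    """Constant-time comparison of a candidate against one stored (salt, digest)."""
    salt, digest = entry
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


def check_new_password(new: str, history: List[HistoryEntry]) -> List[str]:
    """Return the list of policy violations for a proposed password (empty = accepted).
    `history` is ordered oldest to newest; only the last HISTORY_DEPTH entries count."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Each old entry has its own salt, so the new password must be re-hashed per entry.
    if any(matches(new, entry) for entry in history[-HISTORY_DEPTH:]):
        problems.append("reuses a previous password")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """True once the password is older than MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed history: two retired passwords (illustrative values, not real ones).
    history = [hash_password("Autumn2015!"), hash_password("Winter2016!")]
    print(check_new_password("d", history))             # the VP's password
    print(check_new_password("Winter2016!", history))   # reuse attempt
    print(check_new_password("correct-horse-staple", history))
    print(password_expired(date(2017, 1, 1), date(2017, 4, 2)))
```

The reuse check is deliberately per-entry: because every stored digest carries its own salt, a candidate cannot be hashed once and looked up, it has to be recomputed against each remembered entry. That is also why the history depth is kept small.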
Ajit Sancheti, CEO and co-founder of Preempt, says that "to cultivate a cyber-secure culture, C-level executives must set an example of implementing proper security measures, like using stronger passwords."
Mike Patterson, vice president of strategy at Rook Security, points to "the person who doesn't lock their computer when leaving the room for a short period. It's not as bad as leaving a password sitting around on a post-it 24x7, but it still presents a window where a person can swoop in to use their computer for any desired purpose. Auto-lock should be mandated and kept on a very short clock to prevent this."
It's not just the risk that someone might come by and start typing; Hand recalls that "we had the guy who never logged out of anything. You couldn't tell if he'd left for the day or was just down the hall; we could never reboot so updates could be applied to his machine."
Gunter Ollmann, CSO, Vectra Networks, chastises "the person who holds open a secure door for a slow-moving 'employee' without checking for a badge. One of the easiest ways to infiltrate a secure building or data center is to appear encumbered (e.g., having both hands full with boxes) and wait for an authorized person to open the door for you."
And it doesn't just apply to physical doors. Hand recalls a manager "who, instead of requesting that her clerk be given access to some programs, simply told the clerk to use her ID and password. The clerk had then gone someplace 'inappropriate' on the web, encountered malware, and triggered alarms. It wasn't until we accused the manager of the misdeed that we learned others were using her access."
Eric Turnquist, senior director of IT at Ipswitch, knows which insecure type is the scariest to him: the ones who don't realize that email is "insecure and lacks auditability." "My company did a survey that found that 84% of employees are using personal emails to send sensitive files. These individuals, unknowingly, are opening a huge security hole that increases the likelihood of a data breach."
Everyone knows that passwords and authentication are good, right? Well, yes, but some people stop thinking critically once authentication is in place. Tony Gauda, CEO of ThinAir, describes the mindset: "A user is either authenticated to perform an action, or isn’t, and those who are authenticated can do no wrong when operating within their workflow. This type of mentality leads security teams to turn a blind eye to employees with wide-ranging privileges, which can have devastating consequences. The case of ex-NSA contractor Harold Martin, who stole 50 terabytes of government data over 20 years, is likely the byproduct of overconfidence in authentication technology."
It's something of a cliché: the person who writes their passwords on a post-it note and leaves it in plain sight. Some people are just forgetful, but Vectra's Ollmann describes how business pressures and processes can lead to this outcome: "This helpful team leader with a slightly privileged account plasters notes with their password on the pole inside the cluster of cubbie desks their team operates from. Then, the team can post and clear transactions on her behalf if they're too busy or unavailable, so they can meet their monthly performance plan objectives."
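Both Hand's manager and Ollmann's team leader leave the same trace: one account signing on from several workstations at nearly the same time, which is something a security team can look for rather than waiting, as Hand's did, for a malware alarm to point at the wrong person. The Python below is an added example, not code from the article or from any of the quoted companies: it takes a constructed, simplified logon feed ("timestamp user host" per line) and flags users seen on two or more distinct hosts inside a sliding ten-minute window. The log format, the window size and the usernames are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample logon events (illustrative, not real logs): "timestamp user host".
# mgr01 mirrors the manager whose clerk used her ID; tlead mirrors the team leader
# whose password is on the cubicle pole; jdoe is an ordinary single-user account.
SAMPLE_LOG = """\
2017-03-06T09:02:11 mgr01 WS-MGR-OFFICE
2017-03-06T09:04:40 mgr01 WS-CLERK-12
2017-03-06T09:05:03 jdoe WS-CLERK-07
2017-03-06T11:31:52 tlead WS-TEAM-01
2017-03-06T11:33:09 tlead WS-TEAM-04
2017-03-06T11:34:55 tlead WS-TEAM-02
2017-03-06T14:10:00 jdoe WS-CLERK-07
2017-03-07T08:55:13 jdoe WS-CLERK-09
"""

Event = Tuple[datetime, str, str]  # (timestamp, user, host)


def parse_events(text: str) -> List[Event]:
    """Parse the simplified 'timestamp user host' lines; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host = line.split()
        events.append((datetime.fromisoformat(ts), user, host))
    return events


def shared_account_candidates(events: List[Event],
                              window: timedelta = timedelta(minutes=10),
                              min_hosts: int = 2) -> Dict[str, Set[str]]:
    """Return {user: hosts} for every user who logged on from at least `min_hosts`
    distinct hosts within any `window`-long span. Uses a sliding window per user,
    so a user moving between desks hours apart (jdoe) is not flagged."""
    by_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, user, host in sorted(events):
        by_user[user].append((ts, host))

    flagged: Dict[str, Set[str]] = {}
    for user, seq in by_user.items():
        start = 0
        for end in range(len(seq)):
            # Advance the window start until it is within `window` of the newest event.
            while seq[end][0] - seq[start][0] > window:
                start += 1
            hosts = {host for _, host in seq[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged.setdefault(user, set()).update(hosts)
    return flagged


def report(text: str = SAMPLE_LOG) -> Dict[str, Set[str]]:
    return shared_account_candidates(parse_events(text))


if __name__ == "__main__":
    for user, hosts in sorted(report().items()):
        print(f"{user}: logons from {len(hosts)} hosts within 10 min -> {sorted(hosts)}")
```

This only catches sharing across different machines; a clerk typing the manager's credentials at the manager's own desk looks identical to the manager. In practice the hit list is a starting point for correlation with badge records and workstation ownership, not proof on its own.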
Renee Bradshaw, manager of solutions strategy at Micro Focus, is suspicious of social media: "Whether an employee is regaling Facebook friends with details of all the stops on their latest business trip," she says, "or giving a friend login credentials via instant message ('so that I don’t break my Snapchat streak'), providing hackers a trail of personal, locational, login, and other information is never a good idea."
Problems go both ways: Yaniv Sulkes, AVP at Allot Communications, says that "those who turn to social media for their news or updates will also be tempted to click and share photos, documents, and other files that could be infested with malware, but will never question it since they come from trusted friends and colleagues."
This may be hard to believe, but Amy Baker, vice president of marketing for Wombat Security, says you need to watch out for employees who just plug mysterious or unlabeled USB drives into their computers. "Unlabeled USBs pose a huge threat to organizations if they are not handled appropriately," she says. "If you don't know where a USB comes from, who its owner is, or what might be on it, don't plug it into your computer. Always check with IT to see if they have any insight, and be sure to let the team or larger department know if unlabeled or mysterious USBs are something you're seeing more often."
This may be a stereotype, but sales staff tend to be among the less technically savvy employees in an office—and that spells trouble, given the incentives involved in their jobs. "Sales representatives are constantly looking for new leads and new opportunities, and are willing to click on anything that even remotely promises new business," says Scott Youngs, CIO of Key Information Systems. "However, the bad guys know this and will try to exploit their eagerness. Their lack of tech savvy also means they're the least aware of how the bad guys work, making them ideal marks."
Companies need to accommodate people who want to bring their own device, but employees need to meet IT security halfway and acknowledge that devices with company data on them need to be secured, wherever they are. Trent Fierro, director of security and software solutions marketing at Aruba, points in particular to "a BYOD user that shares their devices with kids, spouse or others, or who uses that device to download gaming apps and worse."
Finally, you can lock down your employees, but modern business often involves outsourcing to contractors, either local or remote. "Collaboration is necessary and beneficial for any company," says Vishal Gupta, CEO of Seclore, "but often involves sending customer data and intellectual property outside the company firewall and beyond the reach of a company's data security and governance systems. Once these sensitive files are shared, they can be easily exploited, either accidentally (e.g., someone loses a laptop or sends a file to the wrong person) or maliciously. Our company did a study that found one in four employees saying it's very likely sensitive data has been stolen by third-party vendors. Sometimes the worst offenders are your 'trusted partners.'"