Saturday, February 27, 2010

The Security Soapbox

I do a mild amount of travel for business, which means I'm meeting other business travelers on my journeys back and forth to San Jose. I'm noticing a trend that I must use this forum to lecture on.

On my flight home last week I was talking with the person sitting next to me. He was some reasonably high-ranking person at a well known company, and I asked him if he had one of those jobs where he spent his life in email, or whether he set time aside to deal with email and got through as much as he could within that time frame. He held up his (hopefully set to airplane mode) Blackberry and said that it was a device that had changed his life.

He then said something that I, as a security person, found astounding: "I had the security people remove the irritating lockout feature to make the Blackberry work better."

This is not the first time I've heard of this phenomenon: executives who agree to a set of rules to protect information and their companies but can't quite deal with the inconvenience of a PIN or password. It was a request that came often at MegaBank, and I've seen it at other places. This high-flying exec didn't work for a technology company, but I imagine his security team thinks he's a wanker just the same.

I asked him if he was confident there was no company information on the Blackberry. He said, "No, all it has is my email; there's nothing secret about that."

Oh REALLY!? I find it hard to believe that any mid-level manager or higher doesn't have people on his team who use email to escalate issues about the areas they manage. And I know the "sky is falling" emails would be VERY interesting to their competition or the media.

All it takes is one email that says something like "We aren't going to meet our targets on sales of..." or "The employee satisfaction reports are in; the analysts are unhappy about the decrease in 401k contributions," or reports of team reductions, cost cutting... you get the idea.

Is his CEO's phone number stored on the Blackberry? What about names and addresses of other executives or clients? Does he keep the user name and password to his bank in a "note" because "Damn, that is so irritating to try and remember"?

I wonder what it is about "execs" that makes them forget or ignore that they are privy to VERY juicy information, and that the rules put in place for a lowly bank teller or administrative assistant should apply to them too?

If I had my choice of which Blackberry to swipe to get lots of good info, it would be the guy on the plane rather than the IT guy who never gets to leave the building.

WAKE UP PEOPLE - Just because you're at the top of your game doesn't mean you should avoid basic security measures that are designed to PROTECT YOUR COMPANY.

Heck, even Paris Hilton needs this reminder. She had a smart phone hacked and the private phone numbers and email addresses of her famous friends were exposed. Then last year she lost her Blackberry while at the Cannes Film Festival. If Paris Hilton can't like, manage her phone, which is like, her only, like job...what makes you think you can?

Your security team has the ability to enable a lock & wipe feature on most enterprise-managed smart phones. It works brilliantly: enter an incorrect password too many times and the phone wipes its data. This is slick because even though most smart phone passwords are only four characters long, there are 10,000 possible four-digit PINs, so a thief who gets ten guesses before the wipe has at best a one-in-a-thousand chance of getting in.

This lock & wipe feature, while cool, is totally useless if you have the password requirement removed because you are "too important" to be delayed by the 6 seconds it takes to type the pass-code. With no PIN there is nothing to guess wrong, so the wipe never triggers and whoever picks up the phone simply reads the mail.
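To make the point concrete, here is a small model of the policy described above, written as an added illustration for this post; it is not BlackBerry's or any vendor's code. It assumes a numeric PIN, a fixed wipe threshold of ten failures, and a thief who guesses PINs in order; the device names and mail text are constructed sample data. Running it shows the enrolled device wiping itself before the tenth guess, the "lockout removed" device giving up its mail on the first try, and a fleet check that flags the device that is out of policy.

```python
"""Toy model of an enterprise lock-and-wipe policy (added example,
not vendor code). Assumptions: numeric PIN, wipe after a fixed number
of failed attempts, attacker guessing PINs in order."""
import hashlib
import hmac
import itertools
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 10   # policy knob: wipe after this many wrong PINs
PBKDF2_ROUNDS = 2_000      # kept low so the demo runs quickly


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Salted, slow hash so an image of the device does not expose the PIN.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Device:
    salt: bytes
    pin_hash: Optional[bytes]          # None means "lockout feature removed"
    data: Dict[str, str] = field(default_factory=dict)
    failed_attempts: int = 0
    wiped: bool = False


def provision(pin: str, data: Dict[str, str]) -> Device:
    """Device enrolled under policy: PIN required, wipe on repeated failure."""
    salt = secrets.token_bytes(16)
    return Device(salt=salt, pin_hash=_hash_pin(pin, salt), data=dict(data))


def provision_no_lock(data: Dict[str, str]) -> Device:
    """The executive's request: same device, password requirement removed."""
    return Device(salt=b"", pin_hash=None, data=dict(data))


def unlock(device: Device, pin: str) -> bool:
    """One unlock attempt. True on success; wipes after too many failures."""
    if device.wiped:
        return False                      # nothing left to protect or to see
    if device.pin_hash is None:
        return True                       # no PIN: every attempt "succeeds"
    if hmac.compare_digest(_hash_pin(pin, device.salt), device.pin_hash):
        device.failed_attempts = 0        # a correct PIN resets the counter
        return True
    device.failed_attempts += 1
    if device.failed_attempts >= MAX_FAILED_ATTEMPTS:
        device.data.clear()               # the wipe: mail, contacts, notes gone
        device.wiped = True
    return False


def brute_force(device: Device, pin_length: int) -> Optional[str]:
    """Thief's loop: guess PINs in order until one works or the device wipes."""
    for digits in itertools.product("0123456789", repeat=pin_length):
        guess = "".join(digits)
        if unlock(device, guess):
            return guess
        if device.wiped:
            return None
    return None


def max_success_probability(pin_length: int, max_attempts: int) -> float:
    """Attacker's best odds against a uniformly random numeric PIN."""
    return min(1.0, max_attempts / 10 ** pin_length)


def noncompliant(fleet: Dict[str, Device]) -> List[str]:
    """Fleet check: which enrolled devices have had the PIN requirement removed?"""
    return sorted(name for name, d in fleet.items() if d.pin_hash is None)


if __name__ == "__main__":
    # Constructed sample: the same mail on a locked and an unlocked device.
    mail = {"inbox": "We aren't going to meet our targets on sales of..."}
    locked = provision("7391", mail)
    unlocked = provision_no_lock(mail)
    print("locked device, thief got:", brute_force(locked, 4), "wiped:", locked.wiped)
    print("no-PIN device, thief got:", brute_force(unlocked, 4), "data:", unlocked.data)
    print("odds with a 4-digit PIN and 10 tries:", max_success_probability(4, 10))
    print("out of policy:", noncompliant({"cfo": locked, "vp-sales": unlocked}))
```

The `noncompliant` check is the piece a security team actually wants: a device whose PIN requirement has been waived looks fine in every other respect, so the only way to catch the "I had them remove it" case is to audit policy state across the fleet rather than trust that enrollment happened once.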

So, Mr. High Flying Executive and others like him may think they're smart, but they're not.

I hex you!

1 comment:

PNB Dave said...

This public service announcement has been brought to you by tpgal. Slogan: "tpgal: Telling you when you're too much of a wanker to know you're being a wanker."