In New Zealand, workplace smoking has now been abolished and those who remain attached to the habit are required to head outside to congregate in small pockets under, around and on top of their place of work.
Whilst not a smoker myself, for reasons that don’t need to be elaborated on here, I recently spent a little bit of time hanging out with a smoking posse below a building in the Wellington Central Business District. One of the tenants in the building was obviously an IT service desk (help desk in the old vernacular), and helpdesk jockeys seem to have a high proportion of smokers – possibly related to the amount of stress they are exposed to.
Whilst the primary objective of the carpark sessions was to satisfy their nicotine requirements, the secondary activity – venting – was of more interest to me. Of course, it is entirely natural for people, especially helpdesk operators, to vent frustrations, but a large amount of information can be gleaned from such conversations. For example, just by listening to the conversations taking place, I was able to find out a wide variety of security-related information:
- Who the inferior helpdesk operators were – the ones who did not follow the password reset process correctly and could be coerced into performing a password reset without proper verification. One particularly inexperienced operator had sent a hardware authentication token and PIN to the wrong person without checking the details.
- One of their clients was having trouble with their Internet perimeter solution and had to disable their resiliency (making them vulnerable to denial of service scenarios).
- At one point, a system failure of their management system left them in a position where they could not monitor systems for security, availability, performance, etc. The staff even complained that it would take them more than 3 days to reprocess event logs to catch up on all events, and at the end there would be a flood of security service desk requests to action.
- How the CEO of one client kept losing his laptop.
Although this kind of knowledge does not immediately expose the IT vendor’s or their clients’ assets in the way that a virus or web site compromise does, in each case the information gained could potentially be used to gain access to resources that were never intended to be accessible.
So what does this mean? Whilst many would like to see smoking banned altogether, this doesn’t change the fact that similar conversations can happen anywhere. This is really a reinforcement of some age-old lessons:
- Technology such as firewalls, intrusion detection, strong authentication, etc. is only one component of Information Security.
- Equally important is Information Security Education.
- Information Security education should be commensurate with the role that the staff member (or client) fills. For example, IT staff who have access to security-relevant information (such as service desk employees) should have a higher degree of education in how the information that they receive can be misused.
There are also lessons for employers that can be taken from this kind of scenario. For example, staff working in high-pressure environments may need a place to vent that will not compromise security or reputation. In some cases, employers will include a “debrief” process where staff are given a chance to vent prior to leaving the work environment.
And of course, anyone who abuses information gleaned from this scenario deserves the results of the second-hand smoke…