
Organisations focus attention and money on clever security but then go and leave the back door open.

Written in Bangkok and dispatched via a domestic wi-fi hotspot at 3.5Mbps later the same day.

You wouldn’t bolt and secure your front door but leave the back door and windows open, would you? Of course you wouldn’t. Yet that seems to be exactly what organisations do with their data security.

Many years ago I audited the security systems of an organisation that I knew was no slouch technically and which was well organised and managed. My initial concern was whether I would find anything to report at all. Would I even be able to get through the organisation’s defences?

The front entrance of the campus was well guarded with a defined reception and holding area. Visitors were issued badges with red stripes while employees had plain blue badges of exactly the same design. All visitors were escorted and had to be accompanied at all times.

On one of my earlier visits I had innocently walked out without handing in my visitor badge. There had been no follow-up. So an hour on Photoshop turned me into the proud owner of an employee badge in plain blue complete with my photograph and fictitious employee number.

So I started my next visit by driving around the back of the site. Within minutes I had located an unguarded entrance. I walked in and made my way around the campus carrying a pack of papers under my arm. My walk was not casual – it was purposeful, as if I were a man on a mission.

Within 15 minutes I had made a lucky find – a skip of unwanted IT equipment. Old PCs, laptops, a printer or two, and an old copier. Rather than try to shift these off site, I took an item at a time to a quiet corner, removed memory cards and hard drives and slipped them into a large buff envelope. All very official looking.

I left the site just as I had entered, returned to my office and began the forensic investigation. I also planned my next sortie with a different set of objectives in mind.

A few days later I was back but this time with a very large travel bag. My target? Waste bins and waste sacks. The on-site cleaning staff had done a great job for me and I removed two full sacks of paper waste without being detected.

A week later I walked in through the front gates, bypassed reception and made my way to the employee restaurant. Here I had lunch: a starter, main course, pudding and coffee at different tables and within earshot of various groups engaged in conversation. Some of their exchanges were more work-related than others, but all were interesting and revealing to some degree.

My final sortie involved walking around some of the organisation’s open-plan offices, picking up what I could by observation and by asking people direct questions. But perhaps most interesting was just travelling on the local train at peak times and looking out for people wearing blue security badges. Sitting near them was all I had to do. They did all the talking.

So my month-long study was completed in three weeks and I was able to start a detailed analysis of what I had gleaned. Those recovered hard drives and memory cards were full of confidential information, including high-level reports and commercially sensitive materials. And that pile of waste paper? It’s amazing what people print and then casually throw away.

Needless to say I was now in possession of account details, passwords, project names and references, and team details including individual responsibilities. The list of revelations seemed endless and was growing longer as I digitally probed the company using an established identity and various external communications channels.

Like all projects of this kind, there comes a point where you have done enough. You have sufficient material to make your point, and more revelations may muddy the case rather than strengthen it. So I stopped and prepared my report.

Presenting my findings was not at all easy but at least no single group could be fingered as being solely to blame. Just about everyone in the organisation was implicated, and everyone was at fault to a greater or lesser degree. The other really good news was that I hadn’t been engaged by the IT or security departments.

So what was the substance of my wake-up call? All I did was highlight how much money and staffing had been concentrated on firewalls, email, document-control systems, and unnecessary and ineffective efforts to control people’s use of technology and applications. While all that was going on, the back door had, quite literally, been left open.