By: Laura A. Combs, CISSP
The evening his wallet was stolen, Lance Miller, a managing partner for a cybersecurity recruitment firm, probably wasn’t thinking about physical security or any of the other buzzwords his company looks for when recruiting potential employees for cybersecurity firms. He was probably distracted by the things most of us are distracted by in the evenings: kids, dinner, pets, household chores, etc. Unfortunately, he left his wallet in his unlocked car and forgot to close the garage door. That, of course, provided the perfect opportunity for an enterprising burglar to find said wallet and pilfer it. Usually, the story would end shortly thereafter with Mr. Miller discovering his wallet was missing, cancelling his credit cards and ID, and probably dealing with some fraudulent charges; however, that was not to be the case. The burglar instead managed to get himself pulled over several times and provided the police with Lance Miller’s ID, which conveniently looked very similar to the burglar. After the mini crime spree, the police, thinking they had their guy, arrested Mr. Miller at home. After a harrowing few hours, Mr. Miller was released with an apology after the full picture emerged.
You may ask why I’m telling you the story of a seriously unfortunate mix-up that had a somewhat positive resolution. The reason is this: we’re not hearing about the great work Lance Miller’s firm, Curity, does with recruiting talented cybersecurity professionals. We’re hearing about him because he neglected to practice basic physical security at home, and that is something that’s all too easy to fall into. I’m certain, like most employees handling sensitive information, Mr. Miller had received information security training in the past. That training normally includes physical security training, but the topic is normally geared toward physical security at work (badges, card readers, clean desk policies, etc.). While it’s essential to train employees on good practices at work, it’s also important to remind employees about practicing good physical security hygiene at home and in their daily lives as well.
An unfortunate incident, like a stolen wallet or identity theft, could have the potential to damage an organization’s reputation based solely on that organization’s association with an employee. This could be especially true for those employees who are seen as the face of an organization. To help prevent this, organizations should incorporate information about practicing good physical security measures in the training regularly provided to employees. Regular bulletins and tips about physical security could also be provided to employees throughout the year. Simple tips, such as reminding employees not to leave their cars unlocked at sporting events or encouraging them to close their garage doors when they’re home, could prevent your organization from being the subject of negative publicity.
Laura is a Manager at YHB and serves on the Risk Advisory Services Team. Laura focuses on assisting organizations in a variety of industries with IT-related audit and consulting services.