A routine day in the life of a Cyber Security Professional: protecting the organization and its assets, making the business case for resources and budgets, and totally not being distracted by the latest gadgets nor becoming an ambulance chaser…you get the point. While I was busy with daily security-related tasks, things were good until they weren’t, especially after stepping outside of a badge ONLY restricted access zone.
The Problem:
The problem was that only authorized personnel were allowed access to these environments. Additionally, the rules are STRICTLY upheld: No badge, No Access. The last person to have violated this rule was the last person to break the rules. However, I noticed individuals did not have a badge, meaning they did not have access to the building. Because they did not have access to the building, they decided to stand and wait at the locked door for some unsuspecting individual to provide them with that access. Unfortunately, they got ME. I informed them about the reason why I would be unable to assist with access to the building and stated to them that it would be an issue if they used my badge as a way to leverage access. I mentioned to them that this action is called “Piggybacking” and, furthermore, that the company has a STRONG policy against people doing it. Plus, October is IT AWARENESS training month, so of course I had to do my part.
Sometimes, we as tech people get so caught up in technology and blinking lights that we often miss the non-technical Cyber Security measures to improve physical, organizational and technical posture. Key things based on my observation are as follows:
- The custodian did not have any badge or ID visibly available.
- The custodian had work tools in hand which would cause any unsuspecting person to hold the door for them out of courtesy.
- Some members of the team had mismatched uniforms.
What would you do?
Giving someone unauthorized access to any location is a bad idea. So, the answer was automatically a “No”. There’s a zero-tolerance policy on employee piggybacking. The powers would have my head if I gave access to a restricted area. Let’s say I went from likable to being the obstacle. Their eyes would sharply point at me with an “I DON’T LIKE YOU” look, plus a “You’re halting the money-making process” look. Then I quickly offered a resolution by asking if they would like me to get someone with the permission to allow them access on the floor. Suddenly, I was back in good graces. I expressed my gratitude for their hard work and then contacted the onsite Physical Security Officer (PSO), who assisted with their access level to the building.
The Resolution and Awfulness:
The PSO provided them with badges to ensure that this does not happen again. I repeated myself, this time outside of my head: it’s October and Security Awareness Month, so I did my part for the month.