Welcome gift or Security flaw?

Jemma Davis
3 min read · Nov 17, 2019

It’s nice to give your shiny new starter a welcome gift and make them feel loved and valued, right? Many companies do this; it’s all part of the employee onboarding experience. You want to give them the best possible experience, right from the first minute.

How many of you have received a branded gift, like a backpack, reusable mug, pen, notepad etc. with the company logo emblazoned on it? I’ve had a few over the years. I’ve been gifted a branded notebook with my name and the team I work in on the front. Lovely! So thoughtful! Hang on a second… at the same time I was handed a card that said don’t wear your lanyard outside of work, to avoid undesirables accosting me in the street. Talk about mixed messages!

Like a good employee, I take my lanyard off when I leave work, and I only put it on when I’m in the building, yet I’ve driven to and from the office drinking out of a branded coffee mug. My work notes are neatly jotted down in a branded pad, with my name on. Also, I work in security so now everyone who sees that pad knows it may contain juicy info on the security maturity level of the company!

As a parent, I won’t allow my child to wear anything with her name on it, much to her disgust. Why? Because it tells potential kidnappers who she is. If a stranger approached your child and said ‘hello, your mum asked me to pick you up and take you home’, hopefully your child would be somewhat suspicious. How about if they said ‘hello Jemma, your mum is stuck at work and she asked me to collect you’? While hopefully your child would still be suspicious, they are probably more likely to go with the stranger: after all, the stranger knows something, so it must have come from their mum, when really it came from the huge name badge they are wearing!

People knowing who we are will break down the barriers a little, or at least knock us off guard for a few minutes. Picture this…

Stranger: ‘Hey Jemma, aren’t you @infosecjem? How’re things at Swindon Connect?’

Me: ‘er, good thanks’

The stranger has engaged me long enough to validate the information and can now use social engineering to extract more, like ‘what is it you’re doing now?’, and because, as humans, we don’t want to appear rude, we are likely to engage, regardless of how much stranger danger was embedded into our childhood. We’d rather share than admit we don’t know who someone is. Welcome gifts open up the possibility of data extraction.

Quite often, these gifts are the brainchild of the HR teams, and I get it. It improves your candidate experience. Why would the Security, DP or GRC teams ever be included in such a decision? It has nothing to do with them, right? We security folk are suspicious beings and may think slightly differently from other business teams, which means our input is valuable information. But, maybe, this is the reason the Security people are the bad guys, the blockers. They rarely have a creative solution, only the scary possible scenarios.

The solution isn’t to stop providing welcome gifts; it’s to think outside of the norm. To consider the risks, like a parent who sews their child’s name inside the jumper, not on the outside. Build relationships with the security teams. Security teams must build relationships with the rest of the business. How else can we breed a conscious culture, where everyone, not just a few, considers risks? Not only will we protect the precious information assets, but we’ll also protect our most valuable assets, our people!

Originally published at https://www.linkedin.com.

Jemma Davis

Infosec professional, specialising in security awareness and comms and proud security unicorn #infosecjem