Unless you’re a valuable or high-clearance entity, all of this stuff seems like adults having a fun pretend make-believe time. Like that neighbor in a nice part of town who owns multiple guns and has a security system set up to protect his maybe… $2k worth of jewelry. And if you say stuff like this, there’s always that one guy who chimes in about that one time when it actually happened for realsies and they were so glad they had their twenty layers of protection and booby traps set up.
The thing is, though, that it takes so little to just avoid things like this. If the security guard actually did his/her work and checked on an unknown person coming into the building. If the company used a password manager to share WiFi passwords (or maybe even Enterprise WPA with certificates), and made sure unused public Ethernet ports were not patched. These two very simple things would have made this much harder.
I think the sad part is that they had probably had some security guy tell them this already, but people were just making fun of him because people don't believe things they cannot see - so it takes a "pretend to be spies" charade to make people actually care.
> If the security guard actually did his/her work and
Any system that relies on humans always remembering everything and acting perfectly is inherently naive and broken. The security guard isn't there to check badges in a properly secure environment, only to respond to incidents.
"The thing is, though, that it takes so little to just avoid things like this. If the security guard actually did his/her work and checked on an unknown person coming into the building"
But the lowly security guard also does not want to piss off a higher-class being, one so high that it is above all that.
"How dare you question me! Don't you know who I am?"
This attitude, for example, is what makes it hard for that lowly guard.
Generally, if you act like you belong somewhere and have the right to be there, you are seldom stopped.
The counter-defence would indeed be to just follow security protocol strictly, for everyone, with no exceptions.
And, well, hire professional security.
I briefly worked in security, at a company supposedly with higher standards. Well, I would not hire them for anything serious. General staff morale is very low in that low-paid sector.
Holding the door for people is so ingrained as a polite thing to do. You really have to tell people not to allow others to tailgate - or install turnstiles/gates that make it impossible. I suspect this would be particularly bad in an office with a hundred people or so - small enough that you're at least slightly familiar with most of the faces, but large enough that you wouldn't necessarily know if somebody got fired. If they're wearing their no-longer-valid badge and acting like they're meant to be there, I can't see many people stopping them.
I don’t want to sound like I’m disagreeing with you because you’re right; just an amusing anecdote from my past:
I worked at a place that stressed this at company meetings - “no holding doors; if someone says they forgot their badge, don’t let them in”, etc.
At one meeting the CEO got up and talked, and praised one of the employees because they actually did this to him, the CEO: shut the door in his face and made him walk back to his car to get his badge. It was very funny to see a place actually walk the talk on this.
Overall though of course you’re right. People are going to be nice and you can’t stop it.
It’s not realistic to expect individual workers to slam the door in the face of someone walking behind them.
Companies that want to prevent tailgating need to spend the money on mantraps or other infrastructure that is clearly designed to allow one person through at a time.
And yet they still won't care, because most people have zero interest in their job. For those that do? They're lucky, work is fun, and they often love doing the best they can at their job.
So sadly for many only the threat of dismissal forces those unhappy ranks to do their job. Others have a strong work/duty ethic, and will do their best. One thing that can help overall is an entire corporate culture, where everyone is lambasted for such failures.
"You saw that <security guard> wasn't doing his job, and you didn't tell anyone? You're in trouble too!", and so on.
> because most people have zero interest in their job
So. Much. This.
The number of people who do “just enough” to not get fired is staggering.
There is no “work ethic”.
At least in the military when somebody fucks up during training the entire $GROUP gets punished. It doesn’t take long before people start taking “rules” seriously.
There need to be more consequences and accountability.
The military isn’t some place you send miscreants who always misbehave; most of us wanted to do our best, and your description of it is pretty insulting and inaccurate. We worked together to attain a goal and fight alongside each other, not because we were beaten, trained dogs.
Absolutely no disrespect intended at all. Thank you for your service. Perhaps I should have said “basic training” instead of “the military” because that’s the context I was thinking of.
But those engagements would go so much differently and churn would be so much higher if the threat of prison didn’t disallow going AWOL.
It’s a threat of violent coercion, even though daddy never personally hit you or anyone you served with.
It’s how all abusive relationships work, they just operationalized and scaled it to an unprecedented degree.
And then you come out of that abusive relationship with a quick reintegration course and take your duty, but no honor, back to the private sector. If vets weren’t a protected category, they’d be subject to more discrimination due to the warped psyche basic training is designed to produce.
I get what you're saying, but it is a known fact that most corporate security personnel do not make a lot of money. I work in a nice high-rise and our front desk security people make $23-$25/hr.
I think it fits the idiom of "aim for the stars and you'll land on the moon".
If you are the kind of company that has a focus on all aspects of security, and assumes a sophisticated actor is attacking, you will have a better chance at defending against unsophisticated actors.
If you plan your security around only defending 'less-sophisticated' actors then you might quickly find one slips through the cracks.
Value is in the eye of the beholder. All that security does is buy peace of mind, how much you have to spend for that peace of mind is very personal.
Same thing with the attitudes of leadership teams toward security. And if past events are indicative, there are way more leadership teams that don't give a rat's ass about security than ones that do. Particularly when you're holding other people's valuables (data).
I don't think anyone who is well versed in today's threats is saying to the company board members "I mean, really guys, this whole security/risk thing... all smoke and mirrors... wasting our money on fun and games". BF as a consulting company is pretty fucking on point in my perspective, but if I were going to throw shade at a broader swath such as the whole infosec industry, from <insert stealth / YC-funded AI-based cyber startup> to <DARPA / giant antivirus corp>, I would probably diverge slightly with something more like: 'there is so much snake oil, lack of proven and holistic solutions, freemium consumer products shamelessly bait-and-switching everyday people who caught an infected Flash installer online, etc., hiding amongst however many legitimate value propositions on offer that it's like... when disaster does come, I'd reckon it's more or less a coin toss as to whether our investment in CYBERHaxPreventor56000 will have delivered some portion of the price tag in returns to us.' Seem like a fair response to your points?