Threat Intelligence Blog

Posted January 14, 2016

employee security training

It seems I’m running a bit of a theme here, and following up my Out of Office Reply blog with another insider threat post. Today I’ll discuss the topic of on-site visitor policy and employee training.

Offsite employees, seasonal workers, and visiting vendors are as common at most offices as the Monday morning coffee line. As it so happens, I sit near the entrance to our office, and being that I am frequently one of the first ones in, I often find myself in the role of ‘Acting Administrator’ (I may add that to my job title!). In reality, I’m just the glorified door opener (I’ll stick with the prior).

Being the Acting Administrator has its perks, like puffing up my chest with self-importance and opening the door for that delivery guy who seems to think I can’t hear him the first 10 times he bangs on the glass. (I hear you Steve… do you REALLY have to bang that loudly?!) It also provides me with a unique perspective on visitor policies.

Picture this: You walk into work and notice a new person in a guest cubicle. You ask around and no one seems to know this person. It’s as if they simply appeared at the desk at which they are so furiously typing.

So, how would your office handle this situation?

If you’re like most offices, the meerkats in the cubicle farm begin to activate. They pop-up, look around, and sit back down, unsure of what to do. Is this a new meerkat? Is it a meerkat from another den? Or could this be a circling hawk? Some may even ask their counterpart in the next cube, “Who’s that?” Obviously, the other meerkat merely shrugs, because similar to the first meerkat, they don’t know.

This scenario highlights that most employees aren’t trained to appropriately deal with visitors as it relates to the security of the organization. Behavioral studies have shown that humans will choose the path of least resistance. Unless otherwise trained, the majority of us will just assume this new person should be there rather than risk asking awkward questions.

So what should one do in this situation? I’m glad you asked! Luckily, there are steps you can take to mitigate security threats from non-employee visitors.

  • Develop a Sign-In Policy: It is imperative that a company has a written policy for dealing with non-employee visitors. Whether or not you can invest in security badges, every company can quickly and easily setup a system – even if it’s just a simple paper and clipboard setup – where visitors and vendors sign-in and receive a name badge (written stickers work too) before entering or being escorted through the building.
  • Develop a Wi-Fi Access Policy: Visitors requiring Internet access should be given a unique guest username and password to access the corporate wireless network. This should only be enabled for a fixed period of time (i.e., 24 hours). Non-employees should not be able to access the company intranet from their laptop or mobile device. Additionally, visitors should understand that they’re expected to follow company Internet-usage policy and refrain from downloading or visiting content from sites deemed inappropriate, offensive, or obscene.
  • Require an Escort and Communicate with Employees: Ensure that non-employees have an escort at all times, whether it is a security guard, the employee they’re visiting, or other designated “minder.” If you’re in a smaller office, have the Policy/Office Administrator send out an email informing employees who will be visiting, if an escort is required, where they will be sitting, and what access they should have.
  • Apply Your Policy Consistently: Applying your sign-in policy inconsistently is as bad as having no policy at all. Who is responsible for the policy? What happens if they are on vacation? Are the badges locked away? Who has access to the keys/code to get them? Ensure you have secondary and tertiary assigned contacts to ensure that the policy can be followed at all times.
  • Make No Exceptions, but Have Contingency Plans: Do you let the vending machine vendor back without an escort? Did a coworker from another office forget their access card? Just because it’s a familiar face or someone who says they’re with your company’s branch in another state doesn’t mean he or she is trustworthy. Ensure you have ‘No Escort’ badges.
  • Train Employees to Verify Credentials: Even if you’ve developed a policy, there will eventually be a lapse in security. It’s vital that you train each employee to verify that new faces in the office should be there. Providing a list of friendly questions will assist in your company security and can help foster interdepartmental relationships. Here are some questions you can ask:
    • Hi, my name is _____. I haven’t seen you before, are you new?
    • What’s your name? Do you have any identification I can see?
    • What department/vendor do you work for?
    • Do you have your badge/escort?

While asking these questions is an important step, training employees to verify the information they’ve gleaned is even more so. If the visitor is a non-employee, your employee should be trained to remain with them and contact the employee they are meeting with or security to verify that they should be in that location. If the person identified themselves as an employee, contact HR or that person’s department head to ensure that they indeed work there, and if available, look them up on the company intranet as well.

Regardless of if your office frequently has non-employee visitors, employees should always be vigilant about keeping sensitive information hidden. This means always locking your computer when you step away from your desk, and even using privacy screens around the office, because not everyone may have (or be allowed to have) the same access to information as you.

Why is this important? The Ponemon Institute recently released the 3M Visual Hacking Experiment[1], which showed how quickly and easily someone who gets past your front door can glean sensitive information [Hint: It can be less than 15 minutes]. More terrifying, they found that 70 percent of the time, employees did not stop the visual hacker, even if they were blatantly taking a picture of the data with their cellphone. That bit of information should give everyone working in security reason to pause, and start developing or enforcing a solid visitor policy, as well as ensuring proper employee training.

By: Robert McDaniel

You May Also Be Interested In…


Additional Posts

Weekly Phishing Report – January 20, 2016

Phishing Report: Top Targets Week of January 10 - 16, 2016 Author: Robert McDaniel In this week's ...

LookingGlass Weekly Threat Intelligence Brief: January 12, 2016

We publish this weekly threat intelligence brief keep you informed on the latest security ...