How do you ensure your organization is secure during daylight hours? As I pointed out in this post, criminals and penetration testers have to decide on a high-level question when attempting to gain unauthorized access to a building: do you want to fight the men or the machines? In other words, do you try to break in during the day, when the building is full of people, or at night, when it is defended mainly by alarms, sensors and cameras?
When it comes to increasing physical security, the prevailing attitude seems to always be, "More cameras, alarms and sensors."
However, there are simple, cost-effective strategies that can significantly enhance safety. One such strategy involves empowering employees to be proactive in questioning unknown individuals within the workplace. By implementing a clear policy and incentivizing employees correctly, organizations can foster a vigilant and secure environment.
The Dreaded Security Awareness Training
We've all been there: forced to sit through an hour-long "security awareness training" where we learn nothing and the only skill we hone is how covertly we can check our phones.
Traditional security awareness training often fails because it is dull, monotonous, and lacks real engagement. Employees sit through repetitive presentations or online modules and absorb little, because the content is dry and there is nothing to interact with. Without tangible incentives or practical application, these sessions become box-ticking exercises rather than effective learning experiences. Consequently, employees never internalize why the security measures matter, which leads to a lack of vigilance and a higher risk of breaches. Incentivizing active participation in security, as opposed to passive learning, can transform this dynamic and foster a more secure workplace.
The Power of Employee Vigilance
Organizations often overlook the potential of their own employees as a first line of defense against security breaches. By leveraging the presence and awareness of staff members, businesses can create a robust security culture. The key is to provide clear guidelines and appropriate incentives to encourage employees to take an active role in security without fear of repercussions.
Establishing a Clear Policy
First, implement a written policy that assures employees they will face no negative consequences for stopping and questioning individuals they do not recognize or who are not wearing a badge. Communicate this policy clearly and regularly to all employees, so they understand that this proactive behavior is not only accepted but encouraged.
Employees need this promise in writing. Without it, many will hesitate, worried that they are not covered by the company if they actually do stop someone and the encounter goes badly.
Incentivizing Security Participation
Imagine that you are sitting in your office on a typical Monday. It's early, you're tired, and you would probably much rather still be at home. You have next to zero motivation, especially if you haven't had that first morning coffee.
If I asked you to do an extra task, especially one that isn't in your job description, I would expect it either not to get done, or to be done with the absolute bare minimum of effort. To quote the movie Office Space:
“It's not that I'm lazy, it's that I just don't care. It's a problem of motivation, alright? Now if I work my ass off and Initech ships a few extra units, I don't see another dime. So where's the motivation? And here's something else, Bob: I have eight different bosses right now. I beg your pardon? Eight bosses. Eight, Bob. So that means that when I make a mistake, I have eight different people coming by to tell me about it. That's my only real motivation is not to be hassled, that and the fear of losing my job. But you know, Bob, that will only make someone work just hard enough not to get fired.”
Now imagine I told you and all your fellow employees that I had hidden a piece of trash somewhere in your office, and the person who brings it to me will walk out of the office today with $50,000. Everyone would likely stop what they're doing and clean that office from top to bottom... because they were properly motivated.
Unfortunately, employers cannot simply toss an extra $50,000 at employees every month to motivate them, so we have to find something the employees want that the employer can afford to give.
If you won't be making extra money for finding my trash hidden in the office, what about being given time? One thing employers can always give is paid holiday, which costs them relatively little and is a commodity employees genuinely covet.
Implementing the Plan
Enter CAT (Catch, Award, Try again). On a monthly or quarterly basis (I recommend starting monthly and then backing off to quarterly), have either a non-employee or someone the local office doesn't know wander through the office or building. Tell the security desk in advance, but not the floor staff, so that a successful stop ends with a calm handover rather than a confrontation.
The employee who stops them professionally gets something like a few days to a week of paid holiday. It's that simple.
By making this a game with incentives the employees genuinely want, you turn the majority of your staff into actively scanning security systems.
I can personally attest to the fact that businesses that have adopted this policy make my life as a covert entry specialist significantly more difficult, as any time I attempt to sneak in during daylight hours I find myself stopped every few feet with "Excuse me, I don't know you, and you need to come with me to security."
Going One Step Further
If you decide to adopt this policy, which I highly encourage all organizations to do, I also recommend doing the same type of thing for hidden devices. During a covert engagement, I often leave hidden devices in key locations:
HDMI devices hidden behind the big TV in the board room
Keyloggers on workstations
Raspberry Pis under printers or in server rooms
etc.
Running a hide-and-seek game for these devices with your employees, with the right incentives, keeps them constantly checking for such devices, and I can again attest to significantly improved resistance to bugging.
Conclusion
Enhancing security during daylight hours doesn't have to be costly or complicated. By empowering employees with a clear policy and incentivizing them with paid time off, organizations can create a vigilant and proactive security environment. This approach not only increases safety but also fosters a positive and engaged workforce.
As I said at the very beginning of this post, this is in my opinion the most cost-effective method for drastically increasing security at nearly no cost to the company, while also significantly increasing employee morale.
Training Resources:
For individuals looking for hands-on training that includes all of the above topics, Covert Access Team (covertaccessteam.com) provides training courses focused on physical penetration testing, lockpicking, bypass techniques, social engineering and other essential skills.
Covert Access Training - 5-day hands-on course designed to train individuals and groups to become Covert Entry Specialists
Physical Audit Training - 2-day course on how to set up and run a physical security audit
Elicitation Toolbox Course - 2-day course that primarily focuses on elicitation and social engineering as critical aspects of Black Teaming
Counter Elicitation - 2-day course on how to recognize and prevent elicitation attempts, and safeguard your secrets
Cyber Bootcamp for Black Teams - 2-day course designed explicitly for physical penetration testers who need vital cyber skills to add to their toolbox
Private Instruction - Focused learning and training based on your needs