Security policies must extend outside of the office

As soon as he lurched onto the train, I could see he was having a bad day. It did not look like it was getting any better, because he was already on the phone before he had finished fighting his way to the last vacant seat.

He was an ordinary looking bloke - slightly dandruff-stained business suit, iPod headphones dangling round his neck, cartoon tie - you know the sort. I did not realise just how dangerous he would turn out to be.

The 8:15am train is always crowded, but at least the new rolling stock is a bit quieter than the old stuff - quiet enough to be able to enjoy everyone else's conversations.

He had meant to catch the earlier train, but his car would not start. I know this because he explained it loudly to someone at the office. "The office" was also having a bad day and I quickly gathered that he was a fairly senior IT manager - senior enough to get angry when other people were also late in on a Monday morning.

Alas, poor Rachel

The mail server was down, the systems manager was missing and someone called Rachel was trying to sort it out. But Rachel, being only some lowly helpdesk droid, did not have the right passwords. Oh, and the web server needed a restart too.

Annoyed, but oddly pleased with himself, our friend whipped out his laptop and started dictating the name and password of the privileged account on each server - together, rather pointlessly, with their IP addresses. Then he waited, snorting into the phone while Rachel sorted things out.

Panic over, he phoned the garage and organised getting the car towed in. From which I gleaned his name, the make and registration number of his car and his home address.

By now he was on a roll so, fortifying himself with a coffee from the trolley, he phoned the bank and paid his credit card bill - giving me his credit card number, current account details and security pass phrase.

All information in

By the time the train arrived at Waterloo he had completely run out of confidential and personal information to divulge to the world at large.

The temptation to give him a slap across the head as I walked past was almost overwhelming - but now there are CCTV cameras and you have to be a bit more careful.

Instead, I handed him the piece of paper on which I had written down all the interesting details - along with a polite "I think this is yours." I did not look back, but I expect his expression is recorded on video somewhere.

I hope I gave him a bit of a shock - I mean it is not the sort of thing a chap should do, is it, listen to another chap while he is on the phone. But I suspect that it was not enough of a shock to make him change his behaviour.

So if this unimaginative gentleman works for your company, here is a suggestion. Give Rachel his job and put him on the helpdesk - I suspect that he could do less harm there.

John Gilbey teaches IT service management at the University of Wales
