Monday, 25 January 2016

You see, this:

The majority of "hacks" on individuals - stuff like ID theft rather than compromising a company's server - are done by 'social engineering'. This is mostly just an understanding of how people misunderstand the value - and therefore potential harm - of information.

Look at this, for example.


The social engineer was following a script because it worked. But customer service people follow scripts because they are forced to by their employers and this is part of the problem. Their calls are regularly monitored to make sure they stick to the script. This is usually because organisations don't trust their customer service people, largely because they don't value them very highly, pay them very well or treat them like actual people.

Having customer service people follow an inflexible script often creates an excellent attack vector. Once a social engineer knows the script, they can usually find ways to game it. For example, going off piste with someone conditioned to follow a script can flummox them. Gradually coming back to what they're expecting can cut corners as the poor victim tries to get back on script.

If sticking to the script is more important than customer security, then we clearly have a problem.

Here's another example: when I collect prescription drugs from my local pharmacy, protocol clearly dictates that the staff verify my home address. The intention of that rule is to make sure the person at the counter is the one who was prescribed the drugs, and the protocol is this:
  • Ask the customer's address.
  • Make sure it's the same as the one on the label.
It's a terrible protocol for all sorts of reasons, but most of the time, it goes like this, instead:
  • Read the address on the label out loud.
  • Ask the customer if this is really their address.
I've tried to explain to the pharmacy staff why this is problematic but they either don't understand or don't care. It's not their fault. They're doing what the protocol says. They're not expected to or paid to worry about security because it's all supposed to be taken care of by the protocol. I've picked up prescriptions for other people - and I've stated every time that they are for other people - without ever having to tell the pharmacist the appropriate address.

Customer service people need to be trusted more and paid more. They need to understand that they are custodians of customers' information and safety. They should be better trained, better regarded, better compensated and punished when they get it wrong. Aside from the punishment part, this is unlikely to happen.

Guidelines are fine, but rules and scripts are not helpful. If your policy is to single out people queuing for a flight who look Muslim (whatever that means), then the terrorists won't look Muslim. But if you single out people who look 'hinky' - who are behaving oddly, or where there's something that just doesn't seem quite right - there's no easy defence. But, of course, you need properly trained, compensated and motivated people who can put aside their own biases. I'm not saying that's easy.

The same goes in more traditional customer service environments but the word here is "icky". If something feels icky, don't do it. Why is your bank asking for your password? Why is an employee asking for her payroll number when it's printed on her payslip and ID card? Why is a stranger suddenly telling you deeply personal things as part of a request for information? These things should feel icky. If a conversation feels icky, that's when protocols are useful.

Defining "hinky" and "icky" is a mistake; it would just be another largely worthless protocol. So security has to be done by switched-on people who are properly managed, trained, compensated, motivated and disciplined. Organisations need to learn from security breaches by investing in the evaluation of threats and the training of staff. They need to experiment and to innovate.

This is hard. Which is exactly why firms should pay me vast sums of money to tell them how to do it.
