Truth 10 Walk right in and steal whatever you like

I doubt it would come as much of a surprise that it is hard for me to go anywhere without paying attention to potential security flaws. For example, when I go to hotels, I can’t help but pay attention to the person being checked in before me. I always end up knowing their name, room number, and what their luggage looks like. On more than one occasion, I have been traveling with coworkers and, using the information I gathered during their check-in, I have been able to commit one type of identity theft and impersonate that person to gain access to their room. Were I a real criminal, I could have stolen their laptop and any other valuables they may have left in their rooms. Being me, I simply steal all their toilet paper and pillows, which, depending on the situation, could end up being even worse, I suppose.

The point is that when people think of identity theft, they generally think of the technical attacks via computers and credit cards. However, flaws in physical security can be just as devastating.

I was once hired to test the security of a health-care facility. While management had assigned me to attempt to gain access to the clients’ confidential records, they had assumed that my focus would be on hacking into its network via the Internet. Instead, I scheduled an appointment to be seen by a physician.

When I was escorted back to the exam room, I passed several other exam rooms, most of which had the doors closed, with folders tucked into plastic trays hanging on the outside of each room. The nurse escorting me to my room placed a similar folder in the tray on the door to the room I was in, and then she left. The folder contained my medical records, which the office kept on file. After the doctor eventually examined me, he left me to gather my things and exit to the front desk unescorted.

When I exited the room, I noticed that no one was paying attention to me. So instead of heading toward the door, I went the opposite direction. As I passed by the additional exam rooms, I took each folder on the door and placed it into the briefcase that I had carried in with me. I then turned around and headed back toward the exit, taking any additional folders on the doors that I had not yet passed. Just before I got to the exit, I noticed a room with the door open just to the right of the exit. I walked inside what appeared to be a records room and found a wall rack that contained hundreds more folders. I grabbed a handful and stuck them in my case.

I exited the records room, and as I came out, I almost walked directly into the woman who had originally escorted me back to the exam room. She looked stunned to see me coming out of the records room. I smiled and asked where the exit was, and she kindly pointed me in the right direction. As I walked out the door of the facility, I called my primary contact for that company from my cell phone and had him immediately come take the confidential folders back into the facility. I ended up with 27 folders, each containing the confidential information of a patient. While 27 might not seem like a big deal, I could have been in business for quite some time if I were a real identity thief.

One reason that I have found physical security often fails is that the organization grows too quickly. Many times, the original plan of the facility was designed with security in mind. Customers have access to the public areas, while employees are situated in private areas where they can keep potentially confidential information safe. Then the company outgrows its space, 20 new employees are hired, and suddenly cubes are going up where a reception area used to be. Now the restrooms used by the public are located right next to these cubes, and the separation of public and private areas falls apart.

Another security mistake is the placement of printers in a facility. I have lost count of the number of times I have been at a location under the guise of being a customer, and as I walked down a hall, I passed by a printer with documents still sitting on it. In other cases, there have been small boxes next to the printer where people have placed orphaned items that no one has claimed. The crazy thing is that often these documents contain confidential customer information. I simply grab everything I can, throw it into my case, and continue walking. With this type of theft, no one is any wiser, because when the employees go to the printer and the page is not there, they simply assume it failed to print and print it again.

While the challenge of physical security never ends, here are a few simple tips to help improve the security at your office.

• Do not place a fax machine or printer in an area where the general public can have easy access. If the public walks the same halls as the employees, place the printer in a closed room or in a cubicle off the main walking areas. If I can’t see it while I am walking down a hallway, I won’t be visiting it.

• If cubicles must be placed near heavy foot-traffic areas, choose the employees who occupy these cubes wisely. Make sure that people occupying those cubes either don’t have access to confidential company materials or don’t leave sensitive materials lying out in the open where passersby can see them.

• In some offices, customers may be required to wait in a common area. Be certain that while they are in this area, they are not able to view any employee’s computer monitor. From time to time, I visit a site that has the customer service desks out with the public. While I am waiting for the next available person, I can watch employees’ monitors as they type in confidential information.

• Don’t allow hitchhikers. While most secured facilities already have “hitchhiker” rules, it is rare that they are actually followed. A hitchhiker is a person who walks through a secured door on the heels of another person, letting the person with the proper credentials unknowingly give him access. While difficult to enforce, the no-hitchhiker rule is essential to the physical security of a facility.

• Log off computers when you are away from your desk. The idea that you will only be gone for a minute is a major mistake. If I can gain physical access to a logged-in computer for even 30 seconds, I can load malicious software that allows remote access at a later time. Auto-locking screen savers that engage after 2 minutes of nonuse are a good way to lock down employee computers.

• Don’t leave confidential information where anyone can access it. Walk through your facility pretending to be a thief. Anything that you can steal is easy pickings for an accomplished thief.
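The auto-lock tip is the one item above that can be checked and enforced from a script. The following PowerShell is an added example, not from the book: it audits a Windows workstation against the 2-minute idle lock the author recommends, using the documented screen-saver registry values and the machine-wide inactivity limit, and applies the per-user values if the machine is out of compliance. The 120-second threshold is the book's figure; the function names are my own.

```powershell
# Added example: audit and enforce a 2-minute password-protected idle lock.
$MaxIdleSeconds = 120

function Get-AutoLockStatus {
    $desktop = 'HKCU:\Control Panel\Desktop'
    $policy  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    # Per-user screen-saver settings are stored as strings, so cast them.
    $ss      = Get-ItemProperty -Path $desktop -ErrorAction SilentlyContinue
    $active  = [int]$ss.ScreenSaveActive      # 1 = screen saver enabled
    $secure  = [int]$ss.ScreenSaverIsSecure   # 1 = password required on resume
    $timeout = [int]$ss.ScreenSaveTimeOut     # idle seconds before it engages

    # "Interactive logon: Machine inactivity limit" (DWORD, seconds).
    # When set, it locks the session regardless of the user's screen saver.
    $machine = (Get-ItemProperty -Path $policy -Name InactivityTimeoutSecs `
                -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    $machineOk = ($machine -gt 0) -and ($machine -le $MaxIdleSeconds)
    $userOk    = ($active -eq 1) -and ($secure -eq 1) -and
                 ($timeout -gt 0) -and ($timeout -le $MaxIdleSeconds)

    [pscustomobject]@{
        ScreenSaverActive     = ($active -eq 1)
        RequiresPassword      = ($secure -eq 1)
        ScreenSaverTimeoutSec = $timeout
        MachineInactivitySec  = $machine
        Compliant             = ($machineOk -or $userOk)
    }
}

function Set-AutoLock {
    # Per-user enforcement; the values take effect at the next logon.
    # Fleet-wide, the machine inactivity limit is set through Group Policy.
    $desktop = 'HKCU:\Control Panel\Desktop'
    Set-ItemProperty -Path $desktop -Name ScreenSaveActive    -Value '1'
    Set-ItemProperty -Path $desktop -Name ScreenSaverIsSecure -Value '1'
    Set-ItemProperty -Path $desktop -Name ScreenSaveTimeOut   -Value "$MaxIdleSeconds"
}

$status = Get-AutoLockStatus
$status | Format-List
if (-not $status.Compliant) { Set-AutoLock }
```

Run it from the user's own session, since the screen-saver values live under HKCU; reading the machine policy key needs no elevation.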
