Where have all the data gone?

Where have all the data gone?
Long time passing
Where have all the data gone?
Long time ago
Where have all the data gone?
Compromised and exploited, every one
Oh, when will you ever learn?
Oh, when will you ever learn?

— After Pete Seeger

Joined-up security is not rocket science, but you might think it was, judging by the widespread poor behaviour of companies towards their own customers.

Educating My Bank

For many years I have been frustrated by my bank ringing me out of the blue, wanting to talk about something but “We just need to run through some security questions with you first”.

This is terrible and frankly shocking behaviour. They’ve literally been training their own customers to hand over their secret security information to random people on the phone who claim to be the bank.

And they always sounded so offended when I told them that they had to prove who they were first. They just didn’t “get” the issue at all.

Eventually, I forced them to add a note to my account containing something they had to read out to me if they phoned me. It’s not foolproof, but I do enjoy hearing them read it out because what they have to read to me hammers my point home nicely.

Now, years later, after they’ve actually literally paid the price of customers being socially engineered into revealing security details, they have a campaign running telling customers not to give out their security information like that. When I first saw this I facepalmed so hard I almost broke my nose.

But they got it in the end, right? Decades late, and many (probably millions) of quid short, but eventually.

Déjà vu. Again.

Today I had a call from someone claiming to be from the accountancy firm my company uses. Everything, absolutely everything, about that call set off alarm bells: the noisy background, the difficulty hearing the caller clearly, the rather strange (and definitely unfamiliar) caller ID displayed, the sense of urgency, the slight but noticeable latency.

The rats I could smell were surrounded by, and some carrying, red flags. And it followed the same script – “just need to run through some security, if that’s OK?” Errr… I think not.

DALL-E tries to interpret what I was seeing in my mind’s eye

I told the caller to email me since I did not know who they were, terminated the call, and composed an email to my accountant to warn them of possible social engineering underway against their customers.

Just as I was about to hit send on this, an email arrived, very much to my surprise, saying that they’d tried to call me but that I’d hung up on them.

How is this happening?

No one within these companies is thinking these processes through sufficiently. Maybe the people who might instinctively understand the problem are unaware of the process at all. Maybe there is a poor culture which discourages speaking up. Maybe the staff are demoralised and have no incentive. Personally, I’ll always speak up about poor practices like these, whether people want to hear it or not – but then I live & breathe this stuff.

It’s difficult enough to avoid security incidents and encourage good security practices without actively training your customers to be reckless and undermine all that expensive technology you deploy.

And of course, your customers’ behaviour is the hardest of all to change, because you don’t employ them and have little or no sanction you can apply.

In fact, it’s worse than that: since many companies have effectively trained their customers to behave badly for so long, they’ve almost certainly opened themselves up to legal liability for losses.

Companies: GET A GRIP!!

#joinedUpSecurity #ProcessesMatter #whereHaveAllTheFlowersGone
