Sweet-toothed employees willing to exchange passwords for candy

Is your network secure enough to fight off chocolate?
The short answer: probably not. Even with all of the security-related news in recent years, Infosecurity Europe’s now famous experiment (it just completed the sixth one) shows people are still willing to divulge answers to questions about corporate security in exchange for a chocolate bar.

The problem is, of course, that computer users are remarkably ignorant when it comes to security. Curiously, many IT people refer to users as being naïve on the topic, but that’s not correct because naïve is defined as “marked by or showing unaffected simplicity and lack of guile or worldly experience … lacking information or instruction.”

In other words, naïve implies innocence about the workings of the world.

In reality, unless they are troglodytes, users must have heard about identity theft, hackers, security breaches at financial institutions and retailers mislaying consumer data, because these topics are on the radio, in magazines and on television constantly.

Even so, it appears that for the majority of users, this crucial and what should be easily understood information goes in one ear and out the other with apparently no resistance. They are not naïve, they are willfully ignorant.

OK, so here’s the question: Exactly how ignorant are they? The experiment found that out of 576 people questioned this year, 21% were quite happy to reveal their passwords in exchange for candy.

But maybe some of the dire news of late is sinking in, because that number is a heck of a lot lower than when the same experiment was conducted last year. Back then, a whopping 64% of the respondents were willing to give away their passwords. It seems that users have never paid attention to their mother’s advice about strangers and candy.

A curious aspect of the results was that, of those willing to trade away their passwords, women were 4.5 times more likely to spill the beans than men. Even more astounding was that 61% of all people surveyed happily revealed their date of birth!

And when asked for their names and telephone numbers for a draw to go to Paris, 60% of men and 62% of women coughed up. Obviously at this point the researchers could have taken the data they had collected and had endless fun with the respondents’ lives.

Here’s the thing: These stats probably apply equally to your users right now, and not only could this state of affairs place your company at considerable financial risk and jeopardize your career, but they might be doing so even as you read this column!

Here are four things you can do to minimize the security risks from your users: First, educate, educate, educate. There is no substitute for informed workers, and telling them once a year won’t be enough.

Of course if you tell them the same information in the same way every few months you’d be making a mistake: You need to be creative and entertaining if you want the message to sink in. Try giving them candy, it seems to work.

Second, make them sign an agreement that has some teeth. Something along the lines of, “If it is found that I have jeopardized corporate security through my stupidity I understand that I will be thrown out on my ear” (human resources may want to fine tune the wording).

Third, reduce or even remove your reliance on user names and passwords as access controls. Fingerprint readers and swipe cards in addition to or instead of account names and passwords will provide insulation against users revealing their account details to a third party.

Fourth, warn your users about strangers with candy.

Gibbs avoids strangers in Ventura, Calif. Confess your sweet tooth to backspin@gibbs.com.
