Punishment as a last resort
12:00 Wednesday, 16 September 2020
UK Cyber Security Council
Companies with effective security regimes tend to be those with robust cyber risk management: comprehensive risk assessments, well-composed controls and thorough monitoring and review.
Those controls include policies that describe the acceptable ways to use the organisation’s technology, and they will usually include details of one or more types of activity that are specifically prohibited: the latter might include using a colleague’s login details, or the disclosure of your own login details to someone else. Training will also probably be given, both in mainstream security and in associated subjects such as data protection or handling payment card information.
People are fallible, though. Controls and training will never solve the problem of people behaving wrongly; they will merely reduce the likelihood.
Sometimes, the controls are faulty. I have experienced several cases in which the “security checks” done by call centres have been poorly designed – generally by using data such as dates of birth and mothers’ maiden names, which are relatively easy for a scammer to discover and then use to impersonate customers.
Sometimes, an attack exploits aspects of human nature that weren’t foreseen. Some years ago, a company I was working with had an office in the USA, which was moving to new premises; I had to call the telco to arrange the various phone services to be relocated. The telco required a password in order to make changes, which none of us knew since the person who set it had left years before. I called the telco a few times and was met each time with the brick wall that was the lack of the password. Then on the sixth or seventh attempt the operator declared my (not terribly posh) English accent “cool”, registered the office move on the system, and reset the password for me.
And sometimes a scammer is highly skilled and uses experience and guile to social-engineer people who are in fact pretty well trained. In the most recent example of a scam call recording I listened to, the caller took the operator in tiny steps, closer and closer to giving away data, so there was no discernible point at which it was clear to the operator that it was time to stop and ask the security questions.
Now, the policies cited earlier inevitably contain text including words such as “disciplinary action” and “gross misconduct” as the potential consequences of failing to conform. But should any of our three scenarios result in discipline?
In the first example, if a call centre operator follows the procedures to the letter but the design of the checks themselves is poor, it seems terribly unfair to punish them if the procedure fails. The third example is similar: the procedure could have been clearer and demanded authentication as the first action on answering the call.
The example of the USA telco operator is less clear-cut, however: the procedure was unambiguous, and the operator clearly failed to follow it. In many companies the immediate result would have been a blunt conversation with HR followed by a tearful and permanent trip out of the front door. And this approach would be diametrically wrong.
Consider first the impact of the failure. There was neither loss nor cost to the company, and the result was a satisfied customer who had previously been dissatisfied thanks to the telco refusing to assist without a password but providing no suggestion of alternative means of authorisation. The consequences could have been negative, of course, but they weren’t.
And look once more at the systems the operator was working with. The operator asked for the password and compared it to the one held on the system. If the password was mandatory, why not configure the CRM system such that the operator was unable to see the password, and make it demand entry of the password provided by the customer before showing the account detail screen? Although the operator acted wrongly, it could be argued that the system could easily have prevented them from doing so.
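The two CRM designs described above, side by side, as an added illustration that is not part of the original post: the weak design hands the operator the stored password, while the gated design stores only a salted hash, verifies whatever the caller supplies, and locks the account after repeated failures so a reset has to go through a separate process. The class names, account layout and the three-attempt limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 3  # assumed lockout threshold for the example


def hash_password(password: str, salt: bytes) -> bytes:
    # Store only a salted PBKDF2 hash; the CRM never holds the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class WeakCrm:
    """The telco's design as described: the operator sees the stored password."""

    def __init__(self):
        self.accounts = {}

    def add(self, account_id, details, password):
        self.accounts[account_id] = {"details": details, "password": password}

    def open_account(self, account_id):
        # Nothing stops the operator from reading the password and "resetting" it.
        return self.accounts[account_id]


class GatedCrm:
    """Hardened design: the caller's password must verify before detail is shown."""

    def __init__(self):
        self.accounts = {}

    def add(self, account_id, details, password):
        salt = secrets.token_bytes(16)
        self.accounts[account_id] = {
            "details": details, "salt": salt,
            "hash": hash_password(password, salt), "failures": 0,
        }

    def open_account(self, account_id, password_from_caller):
        rec = self.accounts[account_id]
        if rec["failures"] >= MAX_ATTEMPTS:
            return None  # locked: escalate to an out-of-band reset process
        candidate = hash_password(password_from_caller, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return rec["details"]
        rec["failures"] += 1
        return None
```

With the gated design the operator has no screen on which the password appears, so being charmed into helping cannot turn into disclosing or overriding it.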
Of course, none of the above means that negligent or deliberate action resulting in a cyber incident should not be dealt with appropriately, and this may include dismissal and even prosecution. But punishment should be the result of a calm, measured assessment where all options are considered – never the default position.