At Anchor Security Team we provide free security audits for our clients' benefit. One clear benefit that our clients have received as a result of our security audits is that we have spotted one glaringly obvious security risk that is actually very easy to fix. We find that a fairly standard habit of most people is to walk away from their device without locking it or powering it down. As cyber security professionals, we see this more often than we should, and during the rare occurrence that it happens at Anchor Security Team, we are quick to correct it.
You may be thinking, "This doesn't seem like a big deal, why should I fix it?" During our free security audits, the people we talk to say the same thing. Most often the excuse is that they were only stepping away for a minute or two at most. In their own words, to grab a cup of coffee, answer a phone call, or make a copy. So if the employee's device is only open for at most two minutes, why is it a security risk?
Two minutes may not seem like a lot, but to any person who would like to steal sensitive information, it is more than enough time to get what they want. Most companies have a clear separation between where employees work and the areas clients can physically access, but modern businesses tend to blur this line. For example, most modern real estate offices operate with this line blurred, and maybe your business does too. Take a minute and think about whether you have ever seen a client, a vendor, or anyone who wasn't an employee in your workspace. Did this person seem out of place, or would you even question why that person was near the desks of your coworkers? All it takes is one non-employee seeing one piece of sensitive information for your company to be at risk.
Worse still, if your computer is left unattended and unlocked, it is completely vulnerable. If someone spotted this, they could use it as an opportunity to install whatever malicious software they wanted on your computer. Then your computer is compromised, and depending on the software installed on your device, all of your coworkers' devices could be compromised as well.
There are many ways to train yourself and your coworkers to lock your computer when you leave. You can even use a keyboard shortcut to make it easier (Windows button + L if you use a Windows computer). At Anchor Security Team, we take a slightly different approach. Not only do we want our employees to keep their own devices secure, but we also want them to be able to communicate the importance of locking devices before they are left unattended. If they understand how important this seemingly small security risk is, then they will be able to communicate that clearly to all of our clients.
When we notice that someone has left their device unlocked, I jump right into action:
Everyone laughs when they notice what’s about to happen. They see someone walk away on a phone call, with their laptop open to whatever they were doing seconds before. They see me reach into my laptop case and pull out a small USB drive. A few seconds later, their computer is quite different from how it was left. Using a USB drive with software I created on it, I launch pranks on them. I plug the USB drive into their computer, which has no physical protections now because it is unlocked, and within five seconds unplug it and go back to work. Now, these pranks don't do anything malicious, but the prank is not the point I am trying to make. The point is that anyone with a malicious USB drive could do the same thing to your computer, but this time it would be malicious software, and your entire network would be compromised.
The pranks usually start with something simple, like whenever they minimize a window their laptop makes a screaming sound. It is easy to get rid of, and it's easy for them to just mute their computer until I help them fix it.
If I get the opportunity to get them a second time, I add a few “features.” Maybe I change their desktop background to a picture of me in the Captain Morgan stance, or make maximize, minimize, low battery, and many more actions cause their device to scream.
This may all seem like fun and games, but it's at this point that I sit down with them, show them how to reverse the software, and try to understand why they keep leaving their device unattended and unlocked. I use it as an opportunity to teach them about the software I created, the importance of locking your computer, and also the importance of having a little fun with your colleagues.
Physical access to devices is one of the easiest methods of hacking and obtaining access to a network. Imagine what could be accessed, or what damage could be caused, if an attacker had physical access to a company laptop or desktop.
When you see an unlocked computer at your work, make sure to use it as a learning opportunity about the dangers of unsecured devices. Your coworkers, employers, and clients will thank you for being more secure. So remember, lock your computer; I won't yell if you leave it unlocked, but your computer might yell for me.