Doveryai, no proveryai. “Trust but verify,” as Ronald Regan said.
And, as much as I admire the Gipper for his role in helping to end the Cold War, “trust but verify” doesn’t really make any sense.
In fact, in most business situations, trusting is a big mistake: there is almost always a need to “make certain”. And if you are going to do that then you are not really trusting.
Trust can be the bane of the security professional’s life. People tend to trust other people all too easily. And of course, not everyone should be trusted.
That’s not to say all trust is bad. But some trust definitely is. And if we are going to manage the problem of trust we need to think first about the different sorts of trust that people show.
Different types of trust
Trust comes in many different forms. Understanding its nature can help us manage it.
Sometimes it’s right to trust someone. Perhaps you have experience of how they have behaved before. Perhaps they can demonstrate evidence that they deserve your trust – such as a reference from another person, someone that you have reason to trust.
Trust in the right place is a good thing. It is a short cut, an efficient way of working. Being too distrusting means that you will be asking for proof when you don’t have to and that will simply put barriers in the way of getting the job done. Trust people if they are trustworthy.
Sometimes we trust because we have been instructed to do so. “The telecom engineers are coming in today: give them access to the server room”. So we trust them.
In this case someone else is making the trust decision for us. Of course that doesn’t mean we shouldn’t raise a concern if something looks wrong but depending on the culture within our organisation we may be inhibited from doing so. After all, raising a concern would be implicitly criticising a colleague.
It’s part of the human condition to trust people, even when you have little or no reason to do so. Our caveman ancestors might have argued: if that human over there isn’t actively threatening me then he is probably on my side against the sabre-toothed tigers.
Perhaps it’s because the modern world is a little more complicated. But trusting people, unless they are obviously a danger, is naïve. Most of us know from experience that there are all too many people who will take advantage of our good nature. But they smile at us and we go on trusting just the same.
Also of interest: How to spot phishing attacks
Sometimes we trust because everyone else is doing it, and so it seems the right thing to do. Everybody tells us that “The customer is always right”, that we should accept what they say. So we trust them because we feel that it is expected of us. We see other people trusting strangers and we go along with the social flow because we don’t want to look different.
Sheep are quite trusting too; and so are lemmings.
Everyone wants to be helpful. Especially when someone is in trouble. The trouble is that our empathy for other humans can blunt our critical faculties. It can make us less likely to pick up clues about untrustworthy behaviour, less likely to act on those clues if we do pick them up.
A pregnant woman with a heavy load? Of course, we’ll help her through that security door, even if she doesn’t have a visitor’s badge. Same with the guy in the wheelchair.
And as for that anxious job seeker who has lost the map of where he is going for an interview, of course we’ll print out a new map from that USB stick he has. If you are clever enough you can even use a recording of a crying baby to victimize someone.
Most of the time I just want to keep my head below the parapet. You may well be the same: standing out from the crowd can be unpleasant. So when you see someone who is where they shouldn’t be, it’s a lot easier to ignore it. Challenging them would be aggressive, and you don’t want to be aggressive.
Or worse, you might challenge them, and find out that they have a perfect right to be there. And then you will look really stupid. Best thing is to keep your head down.
It’s not my job. Why should I bother? If someone’s let them through, then that’s nothing to do with me.
Pretty depressing if people in your organisation think that way. But the chances are that someone does.
This isn’t really trust at all. It’s trust used as an excuse to get something for nothing. It’s the trust you have in the hucksters in Oxford Street who are selling perfume at amazingly cheap prices. It’s the trust that people have placed in con artists for centuries.
Greed can mean we trust because we want to, even when we know we shouldn’t. That sort of trust almost always ends in tears.
Trust is a problem for cyber security professionals. And it comes in lots of different forms. Until we understand those forms, until we understand the emotional drivers of trust, it’s very hard to manage it.
Understand what makes your colleagues trust other people, and you will be half way to solving many of the human cyber security weaknesses that most organisations suffer from.
So what can we do? There are a number of ways of reducing the risks that trust can bring and which method you use will depend on the risk you want to manage.
Educate staff. Education is a critical defence. Explain to your colleagues how hackers and physical intruders work. Demonstrate how vulnerable they are likely to be when people play on their sympathy giving real life examples wherever possible. Set up some role playing so that people can “experience” what it might be like to be fooled by a social engineer. Explain the reasons for processes such as wearing visitor’s badges or having locked doors. Tell people how trust can be abused and people will be able to defend themselves against the abusers.
Use technical defences. Make it hard for your employees to let an intruder do damage by making it hard for them give the intruder access. Lock doors of server rooms. Restrict online access to confidential documents.
Motivate people to trust appropriately. Discourage people from working round the rules. For instance, you can let people know they are being monitored near security doors. This can and should be done in a socially acceptable way. Notices that say “Smile – you are on camera” or public screens showing some security video streams can get the message across in an unthreatening way.
Give people permission to be “unhelpful”. If you give people public and visible permission to act in ways that they feel might be socially difficult you will make it a lot easier for them to be untrusting. You may have seen notices in your GP surgery advising you that, if you ask your doctor for certain medicine such as antibiotics for a cold, you are likely to be refused. This helps the doctor to refuse you. Help your colleagues to blame “the system” when they need to, so that a possible intruder can't try to blame them. (“Computer says no” isn't always a bad response!)
Turn unhelpful into helpful. For example, don’t tell your staff to “challenge” a stranger without a visitor’s badge. Tell them to “offer help”, by getting them a visitor’s badge so that “people won’t keep on coming up and disturbing you”.
Develop a culture of “appropriate trust”. The culture of an organisation will be part of what influences whether people display inappropriate trust. If there is an aggressive management culture people are likely to avoid doing things that may anger managers. They may, for example, give information to a stranger over the telephone if the stranger threatens to “tell the boss” if they don’t. Make it easy for people to make the right decisions about who to trust without feeling they will suffer for it.
Trust is always going to be a problem for security professionals. There probably isn’t much you can do to manage “greedy” trust or even “careless” trust. But there is a great deal you can do to enable your colleagues to confine their trust to situations where it is safe to trust or people who are safe to trust.
Of course there are many other techniques that criminals can use to steal confidential information. But manage trust and you will have closed off one of the biggest doorways into your organisation that hackers use.
How do you manage trust in your organisation? Let us know so that we can share your tips with other TEISS readers.
Image under licence from iStockPhoto.co.uk, credit peopleimages