Tuesday, November 1, 2011

Procedural Problem

A security guard at the entrance to an organization that I know of is expected to check each individual’s bag as that person leaves the premises. The checking is done in order to deter people from stealing things from the premises.

Now, if the firm is engaged in the business of software services, the only “thing” of value that an employee can probably steal on her way out is electronic data, software or source code. So the security guard has been given strict instructions to check for electronic data storage devices that are easily visible – CDs/DVDs, USB data sticks and mass storage devices.

Most organizations in India employ the services of a third-party contractor for security services. This means that the security guard at the entrance is a low-paid, not-so-techno-savvy individual. As taught in the rule book, she routinely and religiously checks for the artefacts that I mentioned above. And since she is a low-paid employee – she dare not question the senior management of the company on their way out.

This, to me, looks like elaborate security theatre. The numerous obvious flaws in the system are laughable. Here is a simple list that I could conjure, but I am sure an evil-minded civilian can probably come up with a lot more:

  • An average smartphone these days has an internal memory of 16 GB. However, phones are still assumed to be used only to make phone calls.
  • Memory cards, data cards, and other esoteric-looking data storage devices do not raise suspicion.
  • The average employee that is checked is always the low-level employee. The worst offense that she can probably commit is to take her own code home. This offense is less damaging to the organization than a senior management employee leaking confidential financial and/or strategy numbers to competitors.
  • Company laptops are not considered mass storage devices. So you can easily carry GBs of data home through them and you will not be questioned. Mind you – all employees are Administrators of their laptops and can easily transfer data out of them.

All said and done, we still go through the same mindless routine every day. And this routine is not just restricted to this organization. An average person with a car, going to a mall or a public place in India, is faced with a similar ordeal. Private security guards at parking lot entrances will make you open your car’s boot to check for explosive devices.

Without questioning their competence at detecting bombs “visually” (I am sure that’s a herculean feat), I still have not figured out what they actually look for. I have had suitcases, boxes and other potentially suspicious articles in my boot, and have been let off without ever being questioned. And the explosives-in-the-boot concept is so strictly followed that you can have anything else looking fairly suspicious anywhere else in your car, and the security guard won’t be alarmed. This fairly useless routine has already been gamed once and we still continue going through it. My car has been through the atrocities so many times that these days my boot’s pneumatic pistons (that hold it open) refuse to operate.

I am no security expert, but I am sure there are better ways to handle such threats. I would love to quote Bruce Schneier here – “And if I were investing in security, I would invest in intelligence and investigation. The best time to combat terrorism is before the terrorist tries to get on an airplane”.
