Keil Hubert: We need people to buy into tighter security rules

Apple rolled out its newest iPhone last month to great fanfare. For me, the most intriguing part of Apple’s announcement was the rollout of its new electronics payment solution, dubbed Apple Pay.

Yes, Apple’s new watch is shiny and intriguing, and it was nice to get the rock band U2’s new album for free, but I felt that those segments of the programme were mildly aggravating distractions; I wanted to hear a lot more about the security controls for the contactless point-of-sale transactions system.

The first thing that appealed to me about the Apple Pay solution was the way I could apply it inside an enterprise to solve a vexing access control problem. Several years ago, I needed to find a way to keep people out of my data centres. We’d had incidents involving tool and parts theft, unauthorised server modifications and so on, so we needed to restrict access to sensitive areas to the bare minimum of trusted employees – and we needed a log of who went in and out, and when, so that we could correlate incidents to suspects. Recalling physical keys didn’t do enough to solve our problem, so (being the IT department) we tried leveraging technology.

We investigated installing computerised door locks that authenticated employees with their smart ID card. The combination of an RFID chip and stored PKI certificate should have significantly deterred misconduct, since each attempt to unlock the data centre doors would result in an incontrovertible log entry. Our experiments worked… somewhat.

We discovered that users were dutiful about swiping their way in to the data centre, but they wouldn’t bother swiping out when they were done. It was faster and easier for them to tap the emergency egress bar and saunter out. So, we might have a record showing that 12 different techs entered the complex on a day when something suspicious occurred… but the logging system showed that none of them ever left.

This is where I think the Apple Pay technology might come to our rescue, assuming we can apply the science of behavioural economics to slowly change employee behaviour. It shouldn’t be difficult to build a smart lock assembly that incorporates an NFC sensor from a point-of-sale terminal. When an authorised user approaches a restricted-access door, he or she authenticates their entry with a £1 transaction (like putting a coin into a pay toilet stall, but authenticated with user biometrics as well as petty cash); when the user leaves the restricted area, they authenticate the lock again from the other side, and the door lock assembly returns their deposit so that they’re not actually out of any money. If they hit the panic bar to leave, they’re out by a quid.

It’s a very small amount of economic pressure, but that pressure builds up over time. Every person has a different pain threshold: the point where a drain of cash from their pay packet transitions from immaterial to annoying. The act of holding back deposits slowly conditions users to authenticate the restricted-access door again on their way out because they want their money back. By conditioning users to interact with every door both ways, every time, we can gradually (but significantly!) increase the accuracy of entry and egress logging.

I realise that using paid access to a workspace might be considered crass, but the key to the initiative is to compel employees to change their behaviour in order to consistently comply with important security protocols. Voluntary compliance actually costs the employee nothing. You could even incentivise compliance with double refunds every 100th consecutive validated exit.
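To make the deposit-and-refund lock concrete, here is an added simulation of the ledger and audit log such a door would keep. It is illustrative code written for this column, not anything Apple or the author has built; the £1 deposit is modelled in pence, the double refund on every 100th consecutive validated exit is taken from the text, and the hypothetical `DepositLock` class and its method names are my own assumptions.

```python
from dataclasses import dataclass

DEPOSIT_PENCE = 100   # the £1 deposit taken on every authenticated entry
BONUS_EVERY = 100     # every 100th consecutive validated exit refunds double


@dataclass
class Badge:
    user: str
    held_pence: int = 0   # money the lock is currently holding back from this user
    streak: int = 0       # consecutive validated (NFC) exits


class DepositLock:
    """Hypothetical smart lock: NFC entry takes a deposit, NFC exit refunds it.
    A panic-bar exit is unauthenticated, so the deposit is kept, the streak
    resets, and (crucially) no exit event reaches the audit log."""

    def __init__(self):
        self.badges = {}
        self.log = []   # (user, event) tuples: the entry/egress audit trail

    def _badge(self, user):
        return self.badges.setdefault(user, Badge(user))

    def enter(self, user):
        b = self._badge(user)
        b.held_pence += DEPOSIT_PENCE          # deposit charged on the way in
        self.log.append((user, "enter"))

    def exit_nfc(self, user):
        b = self._badge(user)
        b.streak += 1
        multiplier = 2 if b.streak % BONUS_EVERY == 0 else 1
        b.held_pence -= DEPOSIT_PENCE * multiplier   # refund (doubled on the 100th)
        self.log.append((user, "exit"))

    def exit_panic_bar(self, user):
        b = self._badge(user)
        b.streak = 0                            # unauthenticated exit: deposit forfeited
        # No log entry: this is exactly the gap the column describes.

    def inside_per_log(self):
        """Users whose last logged event is an entry: the lock believes they are still in."""
        last = {}
        for user, event in self.log:
            last[user] = event
        return sorted(u for u, e in last.items() if e == "enter")
```

Running one day's traffic through it shows why the panic bar costs the user a quid and leaves a phantom occupant in the log.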


POC is Keil Hubert, keil.hubert@gmail.com Follow him on Twitter at @keilhubert. You can buy his books on IT leadership, IT interviewing, horrible bosses and understanding workplace culture at the Amazon Kindle Store. Keil Hubert is the head of Security Training and Awareness for OCC, the world’s largest equity derivatives clearing organization, headquartered in Chicago, Illinois. Prior to joining OCC, Keil has been a U.S. Army medical IT officer, a U.S.A.F. Cyberspace Operations officer, a small businessman, an author, and several different variations of commercial sector IT consultant. Keil deconstructed a cybersecurity breach in his presentation at TEISS 2014, and has served as Business Reporter’s resident U.S. ‘blogger since 2012. His books on applied leadership, business culture, and talent management are available on Amazon.com. Keil is based out of Dallas, Texas.

© Business Reporter 2021
