Social Engineering, Management, and Security

A BYOD dissonance between economic imperative and loss of central control? Discontented staff susceptible to social engineering? David Harley reflects on aspects of Business Reimagined, a new book by Dave Coplin, chief envisioning officer at Microsoft UK, interviewed by Ross McGuinness in Metro.

On my way back from a conference in Europe recently, I picked up a copy of the freebie newspaper Metro, and brought it home to take a closer look at an article by Ross McGuinness, based on an interview with Dave Coplin, who is apparently chief envisioning officer at Microsoft UK, and was evidently discussing his new book, Business Reimagined. I haven’t read the book and probably won’t – being my own boss means that books on business management aren’t at the top of my reading list – but you can read the Metro article here. It seems that Coplin thinks that it’s a problem that we haven’t changed our thinking about the workplace as a central location. And he has a point: the open office in which so many people work still reflects some of the less attractive aspects of the Industrial Revolution, when people moved from agriculture and cottage industries to the factory system.

Not that we still employ (in the UK at any rate, as far as I know) 9-year-olds to operate dangerous machinery 12 hours a day or pay our workers in tokens instead of cash so that they have to buy overpriced goods from our own tommy shops. And IT-centric service industries don’t adapt so easily to the kind of piecework, modularization and Tayloresque task specialization that characterizes an industrial society. An open office is more flexible and allows an arguably more efficient use of space than an aggregation of corridors and smaller offices. But it also fits the needs of managers who feel the need to keep an eye (literally) on what their staff do during working hours. And, no, I’m not saying that it’s never necessary to do so, though as a manager myself I always inclined to the laissez-faire model rather than the authoritarian, at least as long as productivity expectations were maintained. But I might have felt differently working in a more industrial environment, if only because in an engineering works, measuring productivity may be a simpler process.

I’ve been mostly fortunate in the past twenty-odd years, in that most of the people I’ve worked for have been quite happy for me to work flexible hours and from home when necessary – for instance, while I was a single parent – or, more recently, as a matter of choice. The main exception was when the exceptionally hierarchical and bureaucratic public sector agency I was working for decided that senior management working primarily from home couldn’t be trusted not to slope off for a game of golf during working hours if they weren’t under the watchful eye of a manager, and that I would have to move, with or without my family, a few hundred miles to an open office in the North of England if I wanted to. I didn’t. I started working freelance as an author and editor, and have never regretted it. (Though, frankly, I think my work/life balance would be better if my working hours were still restricted to an eight-hour day regulated by clocking in and out on a time recorder, as they were until 1986). But many people don’t have the option of working from home, even where it would suit their work and life-style. (In the real world, people whose work involves a measure of flexibility and even creativity often put in longer hours working flexibly than they would punching a clock: of course, working long hours isn’t necessarily the same as working effectively.)

Let’s look at some of the statistics cited in the article, from a variety of sources (unfortunately, without backlinks, so I can’t refer you to the original sources). Coplin’s dislike of the open office is backed up by a Danish study showing that people in such environments had 62% more sick days than those working in single spaces, while a US study indicated that open-plan results in less motivated and less productive staff. For me, working at my ‘real office’ – workspace in ESET North America’s office in San Diego – is a rare chance to meet colleagues face to face, since I live and work in the UK, so my recent experience of working in a communal office probably isn’t typical of the study population, but I did find what seemed to me a reasonable summary of the advantages and disadvantages of open versus closed office plans here.

Apparently 56% of British workers hate it when colleagues email them even when they’re sitting opposite them. I confess: I never had a problem emailing (or being emailed by) someone in the same room if, for instance, I wanted to be sure there’s a record of the conversation, or if there’s no rush to deal with it, if one of us was busy on the phone, say. And that, I suppose, is one of the problems I have with the article, or Coplin’s views as reflected in the article. The statistics are kind of interesting, but some are too imprecise to be as informative as they seem.

58% of workers think technology has made them more productive, apparently, but what does that mean? I’m not sure I’ve ever had a job that didn’t involve some use of technology, though beer pumps, milk floats (yes, they do still exist) or even electronic tills are a lot different to a word processor or a programming language. I admit that I’ve no wish to go back to generating wordage on a manual typewriter, but many of us are now only able to be ‘productive’ at all through the use of information technology. Instead of material objects, we generate words, or graphics, or statistical data, and the tools we use reflect that.

What does all this have to do with security? More than you might think. I’m not just thinking about the challenges posed by BYOD, though that’s a topic we’ve addressed more than once – consider, for example, Righard Zwienenberg’s Virus Bulletin paper in 2012: BYOD: (B)rought (Y)our (O)wn (D)estruction? As Coplin suggests, there is a degree to which ‘emails and tablets have replaced memos and pads’, and there are many, many workplaces that haven’t altogether resolved the dissonance between the economic imperative (the advantage of having the worker responsible for buying, maintaining, and learning to use his/her own kit) and the near-inevitable loss of central control over the IT environment. (Not that intensive central control of the internal network and devices is always a guarantee of sound security practice, mind you.) But there are other factors. Distrust and lack of appreciation breed discontent, and discontented staff are more susceptible to certain kinds of social engineering. That’s actually a topic I explored in some detail in one of my early papers – Re-Floating the Titanic: Dealing with Social Engineering Attacks. However, in the hope that I’ve learned a thing or two about both security and human nature since 1997, I think I may come back to that topic in the near future.

[No, that isn’t my office in the UK in the picture. Though I was tempted to claim that it is. Photo by permission of Small Blue-Green World.]

David Harley
ESET Senior Research Fellow