I usually work from home, but with my mother-in-law visiting us for 3 weeks I decided I would go to our office in Montreal during that time. Not that I don't like my mother-in-law (Josy, if you read this ...), but working from home requires a somewhat quiet environment (at least for me), and I couldn't picture myself telling my wife and her mother to keep quiet for 3 weeks.
I arrived pretty early this morning (7:20, I like to work in the morning), but realized that I had forgotten my access card at home. I went to the security desk and asked the guard if he could come with me and open the door to the office. This was not the first time I had forgotten my card, and I had done this little maneuver a couple of times in the past without trouble.
I had never met this guard before, and it was obvious he was from one of those third-party security companies hired by buildings to keep watch on the premises at night (not that there's anything wrong with that). Of course, being new and not having seen me around before, he was, understandably, a little suspicious.
I told him who I was and that he should have my name on file, but he decided not to take any chances and called his boss. After a short exchange in Russian with his superior, he turned back to me and told me he couldn't let me go up there because they didn't have an authorization from our office manager (not that he had checked anything, by the way).
I then asked him if he wanted me to call our company's office manager to reassure him that it was OK to let me enter, to which he agreed. I called the person I knew to be listed as the office manager (in the meantime he was battling with the computer to find the same information) and let him talk to the guard. The guard asked him for his name and wrote it down on a piece of paper.
After the conversation was over, he escorted me up and opened the door of the office, where I'm now sipping my coffee as I write this.
This incident was interesting because it contained a number of basic security lessons:
- Someone who's tired shouldn't be trusted with security duties. The same goes for someone who can't stand a bit of pressure.
- Never assume anyone's identity; at least do some due diligence and ask for ID (I had to insist for him to write down my driver's license number and check my name against an official ID).
- If there is a security procedure to be done (like calling the office manager to check my access), don't let the person you're trying to authenticate do it for you. Multi-factor authentication only works when each authentication step is performed independently and does not assume anything about the previous one.
- Don't just parrot your security mantras ("we're not authorized to let you go up because we have no approval from your office manager") unless you're ready to meet some resistance and argue. Not everyone is going to take "no" for an answer. Be prepared and have the right arguments (such as: we need written approval from your manager).
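To make the third lesson concrete, here is a small model of the two verification flows, an example I added and not something from the original post. The tenant directory, phone numbers and names are all constructed for illustration; the point is that in the sound flow the guard obtains the approver's contact from his own directory and checks ID himself, so nothing the visitor supplies can short-circuit a step.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed tenant directory the guard controls (hypothetical values).
TRUSTED_DIRECTORY = {"Acme Corp": {"manager": "Dana", "phone": "+1-514-555-0100"}}

# Constructed phone "network": number -> (who answers, set of names they vouch for).
PHONE_NETWORK = {
    "+1-514-555-0100": ("Dana", {"Bob"}),     # the real office manager
    "+1-514-555-0199": ("Accomplice", {"Bob"}),  # a friend who vouches for the impostor
}

@dataclass
class Visitor:
    claimed_name: str
    company: str
    callback_number: str                  # number the visitor offers to connect the guard to
    id_document_name: Optional[str] = None  # name on the ID actually shown, if any

@dataclass
class Decision:
    admitted: bool
    audit: list = field(default_factory=list)

def flawed_check(v: Visitor) -> Decision:
    """The visitor places the call, so the 'approval' comes from whoever the visitor chose."""
    d = Decision(False)
    answerer, vouches = PHONE_NETWORK[v.callback_number]
    if v.claimed_name in vouches:
        d.admitted = True
        d.audit.append(f"approval from {answerer} via visitor-supplied number")
    return d

def independent_check(v: Visitor) -> Decision:
    """Each step uses only what the guard controls: the ID in hand and his own directory."""
    d = Decision(False)
    if v.id_document_name != v.claimed_name:          # step 1: name must match a real ID
        d.audit.append("ID check failed or no ID presented")
        return d
    d.audit.append(f"ID verified: {v.id_document_name}")
    entry = TRUSTED_DIRECTORY.get(v.company)           # step 2: approver from the directory
    if entry is None:
        d.audit.append(f"unknown tenant {v.company}")
        return d
    answerer, vouches = PHONE_NETWORK[entry["phone"]]  # visitor's callback number is ignored
    if v.claimed_name in vouches:
        d.admitted = True
        d.audit.append(f"approval from {answerer} via directory number {entry['phone']}")
    else:
        d.audit.append(f"{answerer} did not vouch for {v.claimed_name}")
    return d
```

The audit list is what the guard's piece of paper should have contained: which ID was seen and which directory number was called, not just a name the visitor handed over.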
As we rode up in the elevator, I told him: "You realize that I could have fooled you easily. On one hand you want to show you have a hard stance on security by not opening the office to people, which I think is a good thing, but on the other hand a little bit of pressure and seemingly truthful information and you and I are now riding this elevator. I could have lied to you about everything and connected you to a friend of mine on the phone. If I had not insisted that you look at my ID and write down the number, you wouldn't have any trace of me."
And his answer was: "Yes, I realize that, but you know, I have to show my management that I did something to check, even if it's useless. That way I won't be blamed if something happens."
Checkmate.