Wednesday, October 22, 2008

People will always be the weakest link in security.

Yesterday morning I stopped in the local Starbucks to get some coffee. When I arrived I noticed a customer who was unpacking a laptop bag and getting situated. While I was waiting in line after ordering my drink, the same customer passed me heading into the restroom. After I got my coffee I started to head out the door. I noticed that the customer had booted their laptop and had a Citrix session running with Outlook open. I looked around and realized that the customer was still in the restroom. I decided to take a few minutes and sit down across the room and observe. I noticed that the laptop had a 3G data card plugged in, so I am guessing that was the data connection the customer was using, not the WiFi hotspot.

Let's evaluate the situation. We have a company whose IT people need to provide remote access to its users. They want to keep full control of their data, so they go the thin-client route and use Citrix. I am guessing they also provide the 3G card. But after all that, a user boots the laptop, VPNs into the company (I'm guessing), authenticates through the thin client, launches Outlook and then takes a health break without locking the system.

I won't even go into the part about the laptop just sitting untethered on the table. That is a whole other issue. I am really hoping that all the sensitive and private data is on the thin-client side and not on the local laptop. Sometimes I get tunnel vision on teaching best practices and awareness about security. All the different technology we can use and policies we create to reduce risk, and then you throw a user into the mix and it's all for naught.

I know that many of you will see the same thing sometime today, but what is the fix? The customer I observed, when they did come back 15 minutes later, had a Realtor lapel pin. I don't think keeping that user nailed down to a workstation in a secure building is an option. I would like to hear your stories, in the comments, on how best efforts were made in the name of security and a user killed it all without any thought. I would also like to hear solutions to fix problems like this. I think setting the screen saver to turn on after 60 seconds with authentication enabled would be a good start, but I'm not sure how the user would feel about that. :P
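As an added example (not from the original post), here is one way to enforce the fix suggested above on a Windows client: a PowerShell snippet that writes and then verifies the per-user policy values Group Policy uses for a 60-second, password-protected screen saver. The registry path, value names and `scrnsave.scr` are Windows' own; the 60-second figure comes from the post.

```powershell
# Added example: enforce and verify the 60-second, password-protected screen
# saver the post suggests, using the per-user policy keys that Group Policy
# writes on Windows. Assumes a Windows client and the built-in blank screen saver.
$PolicyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

# Desired state: screen saver on, 60 s idle timeout, password required on resume.
$Desired = @{
    ScreenSaveActive    = '1'
    ScreenSaveTimeOut   = '60'
    ScreenSaverIsSecure = '1'
    'SCRNSAVE.EXE'      = 'scrnsave.scr'   # blank screen saver shipped with Windows
}

function Set-LockPolicy {
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    foreach ($name in $Desired.Keys) {
        # Policy values are REG_SZ strings, matching what Group Policy writes.
        New-ItemProperty -Path $PolicyPath -Name $name -Value $Desired[$name] `
            -PropertyType String -Force | Out-Null
    }
}

function Test-LockPolicy {
    # Returns $true only when every desired value is present and correct,
    # so it doubles as a stand-alone compliance check for drift.
    if (-not (Test-Path $PolicyPath)) { return $false }
    $current = Get-ItemProperty -Path $PolicyPath
    foreach ($name in $Desired.Keys) {
        $value = $current.PSObject.Properties[$name].Value
        if ($value -ne $Desired[$name]) {
            Write-Warning "$name is '$value', expected '$($Desired[$name])'"
            return $false
        }
    }
    return $true
}

Set-LockPolicy
if (Test-LockPolicy) { 'Screen lock policy enforced' } else { 'Policy drift detected' }
```

Values under `Software\Policies` are applied at logon, so check the result after signing out and back in; on a domain the same settings belong in Group Policy so the user cannot simply turn them off.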

P.S. This isn't just a user issue. I have seen an Administrator spend 30 minutes climbing through security and authentication, only to walk out of sight of their laptop to get a soda refill, without locking it. This is truly a people problem, not a non-technical-user problem.