
ISO 27001 Controls: Lock Your Computer

The importance of locking your laptop - and not having to do the dishes


One important practice of operational security is to ensure that your computer is secure before you leave it unattended. In other words, lock your laptop. This is covered by ISO 27001 control A.11.2.8, Unattended user equipment (in the Annex A numbering of the 2013 edition).


If a malicious actor gets their hands on your unlocked computer, you don’t want them to be able to read or steal your data, or impersonate you through the accounts you are still signed in to.
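The post leaves the locking to the user. As an added example (this is not code from the Inverifi post), the following POSIX shell script checks whether a Mac will also lock itself when left unattended, so that the control does not rest on habit alone. The policy thresholds and the com.apple.screensaver defaults keys it reads are assumptions to verify against your own macOS version; on any other system it only evaluates constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the Inverifi post: audit whether a Mac will lock
# itself when left unattended, so control A.11.2.8 does not rest on habit alone.
#
# Assumptions (not stated on the page): the policy thresholds below, and the
# user-level com.apple.screensaver defaults keys askForPassword,
# askForPasswordDelay (seconds) and idleTime (seconds). Verify the keys against
# your own macOS version; on other systems the script only runs the sample check.

MAX_DELAY=5     # password required at most 5 s after the screen saver starts
MAX_IDLE=300    # screen saver (and so the lock) within 5 minutes of idle time

# lock_policy_ok ASK DELAY IDLE
#   ASK   1 if a password is required to leave the screen saver, else 0
#   DELAY seconds of grace before the password is required
#   IDLE  seconds of inactivity before the screen saver starts (0 = never)
# Returns 0 when the settings meet the policy, 1 otherwise (non-numeric values fail).
lock_policy_ok() {
  ask="$1"; delay="$2"; idle="$3"
  [ "$ask" = "1" ] || return 1
  [ "$delay" -ge 0 ] 2>/dev/null && [ "$delay" -le "$MAX_DELAY" ] || return 1
  [ "$idle" -gt 0 ] 2>/dev/null && [ "$idle" -le "$MAX_IDLE" ] || return 1
  return 0
}

# read_lock_settings prints "ASK DELAY IDLE" for the current macOS user,
# substituting the insecure value 0 for any key that is not set.
read_lock_settings() {
  ask=$(defaults read com.apple.screensaver askForPassword 2>/dev/null || echo 0)
  delay=$(defaults read com.apple.screensaver askForPasswordDelay 2>/dev/null || echo 0)
  idle=$(defaults -currentHost read com.apple.screensaver idleTime 2>/dev/null || echo 0)
  echo "$ask $delay $idle"
}

# audit_settings "ASK DELAY IDLE" prints a verdict and returns the policy result.
audit_settings() {
  set -- $1
  if lock_policy_ok "$1" "$2" "$3"; then
    echo "PASS: askForPassword=$1 delay=$2s idle=$3s"
    return 0
  fi
  echo "FAIL: askForPassword=$1 delay=$2s idle=$3s (want 1, <=${MAX_DELAY}s, 1..${MAX_IDLE}s)"
  return 1
}

if [ "$(uname)" = "Darwin" ]; then
  audit_settings "$(read_lock_settings)"
else
  # Constructed sample values, used where 'defaults' is unavailable: a compliant
  # machine, then one whose screen saver starts after 20 minutes and never asks
  # for a password. '|| true' keeps going so both verdicts are shown.
  for sample in "1 0 300" "0 0 1200"; do
    audit_settings "$sample" || true
  done
fi
```

Run it as the logged-in user, since these settings are stored per user; a FAIL on a machine that has been handed to someone is exactly the gap that the practice described below relies on catching by hand.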

Malicious Actors

Here’s something that may surprise you about Inverifi and its sister companies: Malicious actors roam our offices every day.


I myself have acted maliciously. I’ve roamed our offices, hunting down weaknesses in our security, and jumped at the opportunity to exploit any weaknesses I have found.


I’ve done it all: I’ve impersonated a board member on our internal intranet; I’ve plugged a malicious USB device into a company computer; I’ve even stolen customer devices, with highly sensitive data on them.


Each subsidiary of Inv Group is trusted by its customers to handle their sensitive data. With that in mind, why would the group want to keep malicious actors like me around? Why do I still have a job?

Dishing

All the malicious actions that I, and many other employees, have carried out are known within the group as dishing, after the traditional punishment given to the victims of this practice: washing the dishes.


These days, our offices have dishwashers, so the traditional punishment has mostly died out. Still, the name has stuck. There is also a sense of humiliation that comes with it; nobody wants to get dished.


Dishing, in its original form, entails reaching the victim’s unlocked computer and posting the word ‘dishes’ to one of our communication channels, typically either our internal intranet or the company-wide group chat.

The screenshot above shows one of my favorite hits. Our CTO closed his MacBook, left it on a table, and walked off to attend a meeting. The Apple logo was still glowing.


As you can see, shortly after impersonating one of our board members on our internal intranet, I decided to taunt another board member in the comments.


These days, dishing extends to pretty much any instance of negligence that can be exploited by a malicious actor. Common examples include leaving office keys and customer devices unattended, where they can be stolen.


Each dish is logged in a record, including the victim, the perpetrator, and the nature of the security breach. Typically, at the end of the year, the one who’s been dished the most is given a penalty for our annual Christmas party.

Conclusion

On my way to our office, I walk past many other offices, where I see unlocked and unattended computers. Perhaps they don’t have policies that require them to lock their computers; perhaps they just ignore those policies.


When I get to our office, most of the time, all unattended computers are locked.


Dishing forces us to actually comply with our operational security policies. It closes off many potential security breaches before they can happen. Dishing works.
