Several years ago I was talking with a good friend of mine about a physical security issue that was directly related to a cybersecurity issue I was working on. It had to do with certain people within an organization who were responsible for critical and sensitive data. It was difficult to get these people at this client company to change and follow correct cybersecurity policies and procedures. They seemed to be complying, but problems kept on happening anyway.
So when I was talking to my friend, who is a police chief, he said very simply, “Put fake cameras on them.” I looked at him bewildered and did not understand what he was talking about. He said, “It works great, we have done it many times.”
I work in the business world, and cameras and surveillance are a touchy subject with most businesses and industries. He then told me that they were having problems on the school buses with the older kids and assault, and the bus drivers did not really have a good handle on it. So they installed cameras on one bus and the kids immediately quieted down.
Then they put cameras that were not working on other buses and had the same result. It was like night and day. The kids knew the camera was a serious threat to their ability to get away with their misbehaving. So they calmed down. I have actually written about this here.
Not Feasible For Business
But I cannot put cameras, fake or real, everywhere; it would be too expensive, let alone the chilling effect it would have on the people working there. So we devised a separate strategy. We decided to start implementing a system of watching the watcher. The idea is essentially to create an environment where people within the company are asked to actively be on the lookout for unusual or unsecure activity. It worked fabulously.
Unsecure activity went down immediately. Efficiency went up and there was no blowback from the employees. The key to the success is to make it non-threatening: it is only your employees looking out for a potential problem, not a way to get people in trouble. There is no retaliatory element to it unless there is someone committing a crime or blatantly violating company policy. But for the most part, it is a way for employees to be your eyes and ears in all of the places your IT people or your cybersecurity staff cannot be. I recommend implementing a watch-the-watcher policy immediately at your companies. It works extremely well if set up correctly.