The Problem with Security Workarounds
Nick Ioannou
IS & IT pro, Computing’s Top 100 IT Leaders, author & speaker, helping protect organisations & their data
Never underestimate the ease with which people will find workarounds to circumvent solutions that are put in place for their security. When my son first started to walk, we fitted childproof locks to the kitchen cupboards and drawers. They were effective for about three days, after which he worked out how to open the cupboards, making most of the changes pointless.
The fact is that if you put obstacles in front of people, some of them will find a way around them, not because they are trying to be malicious or obstinate, but because in their eyes you are just slowing them down and they want to be efficient. Whether it is a corporate security control or a parental control feature, these controls are often limited in scope and rely on certain conditions holding. By changing the conditions even slightly, the control can often be bypassed with a simple workaround.
For instance, firewall- and router-based internet controls only work if that is the internet connection being used. For many, it is simply a case of creating a hotspot from a smartphone and connecting their computer to it via WiFi, a simple and effective bypass of all the clever filtering and security features. In a strong mobile signal area it is not uncommon to get a faster internet connection by tethering to a personal mobile than through the shared official connection.
Browser-based security controls delivered via extensions or apps similarly only work if they are installed on every browser and cannot be turned off (even temporarily) by the user. I once saw a store manager use a Windows-based payment terminal to access the internet, despite no web browser being installed. They simply opened the basic built-in web browser that is part of HTML Help. At first glance this browser doesn't appear to work, but a subtle menu option allows you to enter a destination web address. Another workaround is for the user to install a new browser or use a portable-app version of a web browser, though this may not always work.
Email filtering solutions that scan and restrict certain types of attachments often have a file size limit, or cannot scan password-protected compressed files such as zip files; in both cases there is often an option to bypass the scan and just download the file(s). The same applies to web filters, where exceeding the size limit provides an effective bypass option. File transfer services like WeTransfer can also be used to easily bypass email size and filtering restrictions.
Online remote access software like TeamViewer has for nearly two decades allowed users to share their computer with someone else anywhere in the world, or take control of another computer. What set TeamViewer apart was not only that it was free for personal use (which is just a tick box), but more importantly that you could select "run only (one time use)" in the installer, so it ran in memory without needing to be installed. The result is a quick workaround that bypasses firewall rules (no VPN required), with additional features like direct file transfers and unattended access.
Copying work documents to a personal online storage service like Google Drive or OneDrive in order to carry on working on them over the weekend is another common workaround. Once online, collaboration features such as shared editing by multiple people also become available, regardless of whether the people invited to edit belong to the organisation or have the required permissions, allowing a quick second opinion from a trusted friend or family member. Backups to personal online accounts mean that losing a USB memory stick with a key presentation is no longer a major problem. In fact, having a copy of everything you've ever worked on seems like a good idea for so many reasons, and if it looks like it will take too long to upload, a cheap memory stick will have it sorted in a few minutes.
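The article's point about attachment filters is that the control fails open: when the scanner hits a file it cannot inspect (over its size limit, or a password-protected zip), the user is offered a way to skip the scan. The example below, added here and not taken from the article or any product, shows the opposite, fail-closed policy: anything the scanner cannot inspect is quarantined rather than released. The 10 MiB limit, the function and verdict names, and the sample attachments (built in memory, including one zip whose header flags are patched to declare its entries encrypted) are all assumptions constructed for the illustration.

```python
"""Fail-closed attachment pre-check (added illustration, not the article's code)."""
from __future__ import annotations

import io
import zipfile

# Assumed scanner limit for the example (hypothetical, not a figure from the article).
MAX_SCANNABLE_BYTES = 10 * 1024 * 1024

ZIP_MAGIC = b"PK\x03\x04"


def zip_has_encrypted_entries(data: bytes) -> bool:
    """Return True if any member of the archive has the encryption bit set.

    Bit 0 of the general-purpose flag in the central directory marks an
    encrypted entry; a content scanner without the password cannot open it.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        return any(info.flag_bits & 0x1 for info in archive.infolist())


def attachment_decision(filename: str, data: bytes) -> tuple[str, str]:
    """Decide what happens to an attachment before it reaches the scanner.

    Returns ("quarantine", reason) when the scanner could not inspect the
    content, otherwise ("scan", reason). There is deliberately no
    "release unscanned" outcome: the gaps the article describes become
    quarantine cases instead of bypass options.
    """
    if len(data) > MAX_SCANNABLE_BYTES:
        return "quarantine", f"{filename}: {len(data)} bytes exceeds scanner limit"

    if data.startswith(ZIP_MAGIC) or filename.lower().endswith(".zip"):
        try:
            encrypted = zip_has_encrypted_entries(data)
        except zipfile.BadZipFile:
            return "quarantine", f"{filename}: unreadable archive"
        if encrypted:
            return "quarantine", f"{filename}: password-protected archive cannot be scanned"

    return "scan", f"{filename}: passed to content scanner"


# --- Constructed sample attachments (test fixtures built in memory) ---

def build_zip(members: dict[str, bytes], encrypted: bool = False) -> bytes:
    """Build a small zip in memory.

    The standard library cannot write encrypted entries, so for the
    encrypted fixture the general-purpose flag bit 0 is patched in the
    local and central-directory headers after writing. The result only
    *declares* its entries encrypted, which is what the check keys on.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Local file header: flag at offset 6; central directory header: offset 8.
        for signature, offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = raw.find(signature)
            while pos != -1:
                raw[pos + offset] |= 0x01
                pos = raw.find(signature, pos + 4)
    return bytes(raw)


SAMPLE_ATTACHMENTS = {
    "report.zip": build_zip({"report.txt": b"quarterly figures"}),
    "secret.zip": build_zip({"report.txt": b"quarterly figures"}, encrypted=True),
    "big.bin": b"\x00" * (MAX_SCANNABLE_BYTES + 1),
    "notes.txt": b"meeting notes",
    "broken.zip": b"PK\x03\x04not really a zip",
}


def triage(attachments=SAMPLE_ATTACHMENTS) -> dict[str, str]:
    """Run the decision over every attachment; returns {filename: verdict}."""
    verdicts = {}
    for filename, data in attachments.items():
        verdict, reason = attachment_decision(filename, data)
        verdicts[filename] = verdict
        print(reason)
    return verdicts


if __name__ == "__main__":
    triage()
```

Running the block prints one line per attachment; the plain zip and the text file go to the scanner, while the oversize file, the password-protected zip and the malformed archive are quarantined for a human decision rather than handed to the user.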
For end users, all these workarounds seem like a win-win. Unfortunately, the end result of constantly implementing workarounds is that the various safety nets of logs, audits, filters and security controls are not available when things go wrong: when you need to prove that something was sent or received, recover a file from a backup, or roll back to an earlier revision, the data is no longer on systems under your organisation's control. Version control issues can also quickly creep in when colleagues update the official document while additional changes have been made to your own working version stored elsewhere.
Data protection laws could also easily be broken by workarounds, resulting in a reportable data breach to the Information Commissioner's Office (ICO). Even worse, if an unofficial remote access tool is compromised through password reuse and poor cyber hygiene, data can be stolen, manipulated, or encrypted and held to ransom, potentially disrupting the entire organisation. Files containing malware can easily be transferred and executed, email contacts harvested for phishing attacks, and every system the user has access to compromised.
So you can see the importance of end users understanding that there could be serious implications to their workarounds. Security is a balancing act against convenience; sometimes the balance is wrong, but there may be good reasons why certain actions are blocked or hoops need to be jumped through. Ironically, in many cases there are official systems available to achieve the goal the workaround was for, if only people asked the IT department. Always ask, don't assume, and remember that free personal online systems are not the same as the paid-for business equivalents, despite appearances.
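The "run only" mode described earlier is exactly what makes an unofficial remote access tool hard to spot by inventory alone: nothing is installed, so it never appears in the list of programs. The example below, added here and not part of the article, shows the kind of detection logic a defender can run over endpoint telemetry instead: it flags a remote-access binary launched from a user-writable folder (the portable, run-only case), records a normally installed copy at lower priority, and flags any process that opens the remote-access port without being a known remote-access binary. The log format and the log lines are constructed for the illustration; the indicators (the process name, the port 5938 and the approved install folders) are values this example assumes and would be tuned to your own environment.

```python
"""Detection of portable / unofficial remote-access tools over constructed endpoint logs.

Added illustration, not the article's code. Log format and indicator values are assumed.
"""
from __future__ import annotations

import ntpath
import re

# Indicators assumed for this example; extend for the tools used in your environment.
REMOTE_ACCESS_BINARIES = {"teamviewer.exe"}
REMOTE_ACCESS_PORTS = {5938}  # TeamViewer's default port (assumed indicator)
APPROVED_INSTALL_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

# key=value tokens; values containing spaces (paths) are double-quoted in the log.
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample telemetry (not real data; 203.0.113.0/24 is a documentation range).
SAMPLE_LOG = [
    r'ts=2024-05-01T09:12:03Z host=WS-042 user=jsmith event=process_start pid=4120 image="C:\Users\jsmith\Downloads\TeamViewer.exe"',
    r'ts=2024-05-01T09:12:05Z host=WS-042 user=jsmith event=net_connect pid=4120 dst=203.0.113.10 dport=5938 proto=tcp',
    r'ts=2024-05-01T10:01:40Z host=WS-007 user=it-admin event=process_start pid=5000 image="C:\Program Files\TeamViewer\TeamViewer.exe"',
    r'ts=2024-05-01T10:01:41Z host=WS-007 user=it-admin event=net_connect pid=5000 dst=203.0.113.10 dport=5938 proto=tcp',
    r'ts=2024-05-01T11:30:12Z host=WS-019 user=bob event=process_start pid=7000 image="C:\Users\bob\AppData\Local\Temp\updater.exe"',
    r'ts=2024-05-01T11:30:13Z host=WS-019 user=bob event=net_connect pid=7000 dst=203.0.113.22 dport=5938 proto=tcp',
    r'ts=2024-05-01T11:45:00Z host=WS-019 user=bob event=process_start pid=7100 image="C:\Windows\System32\notepad.exe"',
]


def parse_line(line: str) -> dict[str, str]:
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {key: value.strip('"') for key, value in TOKEN.findall(line)}


def is_approved_install(image: str) -> bool:
    """True when the binary lives under a folder an installer would have used."""
    return image.lower().startswith(APPROVED_INSTALL_PREFIXES)


def analyse(lines=SAMPLE_LOG) -> list[dict[str, str]]:
    """Return one finding per suspicious event, in log order.

    Process starts are remembered per (host, pid) so that later network
    events can be attributed to the binary that made them.
    """
    findings: list[dict[str, str]] = []
    image_by_pid: dict[tuple[str, str], str] = {}

    for line in lines:
        ev = parse_line(line)
        key = (ev.get("host", ""), ev.get("pid", ""))

        if ev.get("event") == "process_start":
            image = ev["image"]
            image_by_pid[key] = image
            if ntpath.basename(image).lower() in REMOTE_ACCESS_BINARIES:
                if is_approved_install(image):
                    rule, severity = "remote_access_tool_started", "low"
                else:
                    # Run-only / portable copy: launched from a user-writable path.
                    rule, severity = "portable_remote_access_tool", "high"
                findings.append({"rule": rule, "severity": severity,
                                 "host": ev["host"], "user": ev["user"], "image": image})

        elif ev.get("event") == "net_connect" and int(ev["dport"]) in REMOTE_ACCESS_PORTS:
            image = image_by_pid.get(key, "<unknown>")
            if ntpath.basename(image).lower() not in REMOTE_ACCESS_BINARIES:
                # Something other than the known client is talking on the tool's port.
                findings.append({"rule": "remote_access_port_from_unexpected_binary",
                                 "severity": "high", "host": ev["host"],
                                 "user": ev["user"], "image": image,
                                 "dst": f'{ev["dst"]}:{ev["dport"]}'})
    return findings


if __name__ == "__main__":
    for finding in analyse():
        print(finding)
```

On the constructed log this yields three findings: the Downloads copy of the client (high), the properly installed copy (low, for inventory rather than alarm), and the renamed or unknown binary on the remote-access port (high). The last case is why the port rule is kept alongside the filename rule: a user who renames the portable executable defeats the name match but not the network match.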
For more security resources and advice, see: www.booleanlogical.com