The events that transpired this week in the US are sad and depressing to say the least, but criticizing people for forgetting to lock a computer in such a situation isn't a wise move. Life preservation takes precedence over security policies, full stop.
I saw so many people going off the rails on Twitter because some people forgot to lock their computers when they were instructed to evacuate the US Capitol building during the recent unfortunate, disappointing, and totally unsurprising events.
Let me start with what should be (and probably is) the common-sense view among security professionals:
It's okay if you forgot to lock your computer while evacuating during a life-threatening situation. I can think of very few situations* that justify putting yourself in harm's way to comply with a security policy, and the situation this week isn't one of them.
If your organization deals with confidential information and its entire security model hinges on you locking your computer during a serious event where you fear for your life, then your organization has already failed to build proper security architecture and controls.
That being said, being forgiven in a serious situation doesn't give you a blank cheque to ignore this policy in normal times. You should make sure your computer is locked whenever you aren't sitting at it. Facing consequences for not doing that during normal times is absolutely normal and expected, so don't mix the two situations.
If you are a security professional, telling someone who was busy trying to stay safe and alive that they failed because they didn't perform one small action is a really shitty thing to do and reflects badly on your understanding of prioritization, risk management, and threat modelling.
Organizations can do many things to reduce the impact of someone forgetting to lock their computer. Let me list a few of these possible controls:
- Automatic lock after five minutes of inactivity.
- Strict data classification, ensuring sensitive data is never on easily accessible machines.
- Remote lock, so an administrator can lock every machine from a control centre or office away from the incident.
- Hell, even smart-card login that automatically locks the machine the moment the card is removed.
- Cutting the power to all computers when facing a serious threat (which only protects data at rest if the disks are encrypted).
- Even better, proper physical security that stops people from storming your office and reaching these machines in the first place.
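Two of the controls above (the inactivity lock and the lock-on-card-removal) map to concrete Windows settings that can be audited. The script below is an added example for this post, not something from the original or from any vendor; it reads the documented Group Policy registry locations for those settings and reports anything weaker than the post's five-minute figure (the 300-second threshold is my assumption). It only inspects the policy keys, so a machine configured through the per-user Control Panel keys rather than policy will show up as weak, which is the point: a control that isn't enforced centrally isn't a control you can rely on in an evacuation.

```powershell
# Added example: audit the Windows policy settings behind an idle lock and a
# lock-on-smart-card-removal. The registry paths, value names and service name
# are the documented Windows locations; $MaxIdleSeconds is an assumed threshold.

$MaxIdleSeconds = 300

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # absent key or value -> not configured
}

$findings = @()

# Machine-wide limit behind "Interactive logon: Machine inactivity limit" (REG_DWORD, seconds; 0 = disabled).
$inactivity = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
if (-not $inactivity -or [int]$inactivity -gt $MaxIdleSeconds) {
    $findings += "InactivityTimeoutSecs is '$inactivity'; expected 1..$MaxIdleSeconds"
}

# Per-user screen saver policy: must be enabled, password-protected, and within the timeout (values are REG_SZ).
$ssPath    = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ssActive  = Get-RegValue $ssPath 'ScreenSaveActive'
$ssSecure  = Get-RegValue $ssPath 'ScreenSaverIsSecure'
$ssTimeout = Get-RegValue $ssPath 'ScreenSaveTimeOut'
if ($ssActive -ne '1') { $findings += "ScreenSaveActive is '$ssActive'; expected 1" }
if ($ssSecure -ne '1') { $findings += "ScreenSaverIsSecure is '$ssSecure'; expected 1 (password on resume)" }
if (-not $ssTimeout -or [int]$ssTimeout -gt $MaxIdleSeconds) {
    $findings += "ScreenSaveTimeOut is '$ssTimeout'; expected 1..$MaxIdleSeconds"
}

# Smart card removal behaviour: ScRemoveOption 0 = no action, 1 = lock, 2 = force logoff, 3 = disconnect session.
# The Smart Card Removal Policy service (SCPolicySvc) must be running or the setting does nothing.
$scRemove = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'ScRemoveOption'
if ($scRemove -notin @('1', '2')) {
    $findings += "ScRemoveOption is '$scRemove'; expected 1 (lock) or 2 (logoff)"
}
$scSvc = Get-Service -Name SCPolicySvc -ErrorAction SilentlyContinue
if (-not $scSvc -or $scSvc.Status -ne 'Running') {
    $findings += "SCPolicySvc is '$($scSvc.Status)'; card removal will not lock the session"
}

if ($findings.Count -eq 0) {
    'OK: idle lock and card-removal lock are enforced by policy'
} else {
    $findings | ForEach-Object { "WEAK: $_" }
}
```

Run it in the context of the user whose session you care about, since the screen saver values live under HKCU. A clean result still only covers the endpoint; the remote-lock and power-cut options in the list are site-level controls that this check cannot see.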
The events that transpired this week in the US are sad and depressing to say the least, but criticizing people for forgetting to lock a computer in such a situation just adds insult to injury and paints a poor image of security professionals, which makes our already hard jobs even harder.