4

My bosses have tasked me with coming up with a kind of "friendly reminder" card that we can leave on the desks of folks where we see they've walked away without locking their workstation and we have to lock it.

Has anyone else ever had to do something like this or do you have like a template email you have to send to people? The idea is to educate without coming off as overtly punitive.

Thanks in advance!

yoozer8
  • 810
  • 2
  • 7
  • 17
BarelyCertified
  • 41
  • 2
  • 2
    A bit less mature would be to send a company-wide e-mail from the account of the offender. The idea is that the shame would aid them in remembering to secure their equipment properly. –  Mar 20 '20 at 19:18
  • 1
    Where I work, we send emails to the entire department saying "I will be bringing donuts tomorrow, what would everyone like" from the user's computer. – john doe Mar 20 '20 at 20:30
  • 2
    On my company, people that leave the computer unlocked are eligible to get back and have a card saying "Your employment has been terminated." on their desks. – ThoriumBR Mar 20 '20 at 20:59
  • 2
    In addition to this exercise, have you done anything to set up the computers so that they lock automatically after a period of inactivity ? – Kate Mar 20 '20 at 21:44
  • 1
    Where I used to work, security would come round and remove access cards from unattended machines [which automatically locked them] and if they weren't tied to the desk the whole machine was removed. Miscreants had to go cap-in-hand to ask for the confiscated item to be returned. – Andrew Leach Mar 20 '20 at 22:51
  • @Anonymous Right, security-in-depth. If an administrative policy is the only security control to keep the computer from being left unlocked... Why is it? Add another layer of security controls (ie, automatic locking) to limit the damage if the user fails. – Fire Quacker Mar 21 '20 at 16:37

3 Answers3

7

Those cards will be seen as punitive no matter how well you phrase them.

There's another way: cards for those who locked their machines!

Punishing behavior you don't want won't always mean that you will get what you do want. You might just get less of that undesired behavior (e.g. people hiding their unlocked machines or other such nonsense).

But if you reward the behavior you want then you will see more of that behavior.

Just a simple card will do, and I'd toss in a small candy or some other small reward.

Say "Thank you!", not "Ya done screwed up!"

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • 1
    A dog trainer's advice! :) +1 – Esa Jokinen Mar 22 '20 at 11:20
  • 1
    @EsaJokinen basic behavioral science. Everyone wants to know the things that are expected to do and be rewarded every once in a while for it to make sure they are still on the right track. – schroeder Mar 22 '20 at 11:51
  • I like the suggestion, but it might be hard to implement... if you have on average 5 people on your floor of 100 people who forget to lock their laptops it might be a bit much to hand out 95 thank you notes, or chocolate bars, or whatever - and repeatedly, too, as without recurring rewards the behaviour will likely not change in the long run. – fgysin Mar 23 '20 at 10:29
  • @fgysinreinstateMonica it's not true that you need to do it regularly. The surprise reward is very self-reinforcing. And I'm also not seeing the difficulty in acquiring 100 business-card sized notes and small candies .... – schroeder Mar 23 '20 at 10:33
1

One company I worked for ordered custom-made Post-it notes. Each note carried a number of security tips about locking the screen, using strong passwords, and the like. If a member of Security found an unlocked system, they'd stick a Post-it to the keyboard for the owner to find.

gowenfawr
  • 71,975
  • 17
  • 161
  • 198
-1

Some ideas:

  • On the unlocked PC write a message in your company Slack/Teams/... asking how to lock a PC?
  • https://geekprank.com/
HorstKevin
  • 1,328
  • 2
  • 14
  • 27
  • 3
    Using someone else's machine to perform actions opens you up for liability issues and security problems (attribution of actions now comes into question). Pranks like this are a bad idea. – schroeder Mar 20 '20 at 21:59