Productive working environments and their security implications
In September 2018 we headed up to Facebook, Rathbone Place, to discuss the potential for consulting, advising or providing security solutions. Here's a brief rundown of how it works:
The truth is, we talked more about HR than we did our likelihood of advising security requirements! But as they say, every day is an opportunity for learning.
We are greeted at the entrance by a very efficient (if not all that welcoming) security officer who uses his designated script, 'Are you here for a meeting or just passing by?', a less-than-subtle hint that viewings at Facebook are strictly by appointment only. I'm struck by the lack of 'Facebook' around. No great big signs letting us know we are in the right place. No vast oil painting of Mark Zuckerberg. Not even a great big thumbs-up, a simple gesture now synonymous with Facebook and its 'Like' function. The only thing which confirms to us that we're in the home of social is the blue uniform of the man checking that we're supposed to be there.
Luckily for us, we're meeting a contact in facilities management. Signing in using one of the many iPads in reception (see cover photo), we say who we are and who we're there to see, sign the luggage disclaimer for our bags and have our visitor passes printed by the lady at reception, who checks our driving licences to make sure we haven't driven here illegally. Either that or she wants to make sure we are who we say we are, who knows? Passes printed, we take a perch on the world's biggest and most comfortable sofa, before being offered drinks by one of many building concierge staff.
And we're in. Our guy picks us up and we are allowed through the glass access gates, into the home of social. Everyone is dressed very casually; we're the only people with jackets. Personally I've never felt out of place for being overdressed before, but I think I can handle it. The other thing that strikes me immediately is the average age of people in the building. I guess it makes sense, social media is predominantly a world made for and by young people. Millennials, even. So we're now not only overdressed but incredibly old, being in our early thirties. We get a quick tour of the building, with its open-plan offices, desks with attached treadmills and solo Skype pods for people to chat internationally with San Francisco, Berlin, wherever they want. The whole environment is laissez-faire, not dissimilar to the layout in the Owen Wilson and Vince Vaughn film, 'The Internship', a brilliantly funny advertising campaign (sorry - film) about life at Google.
It's lunch time - I can't deny the meeting has been timed deliberately. For those who've heard the rumours, yes all the food is free. Vast IKEA-style multi-offering restaurants on every floor. Sweets being dispensed pick-and-mix style, doughnut bars, ice cream bars...pastries too. We grab some Brazilian prawn curry and get chatting security. One thing I notice is that, despite the relaxed and open culture here, there are at least eight security cameras in this one restaurant alone. There have been none visible elsewhere in the building, and these are very overt. I'm told these are predominantly for when events and seminars are held in these locations, but the sceptic in me reckons it's making sure I don't overload on doughnuts. I manage anyway.
Security talks prove disappointing. Facebook has never outsourced any security provision, and is therefore unlikely ever to do so, choosing instead to run security in-house, centrally controlled from the States. More on that later.
Meeting over, we pose for a photo with a 6'5" Michelangelo Ninja Turtle (life's too short to be serious, correct?) and arrange to meet up again in a month or so to explore introductions to some international property managers based in London ('Never leave empty-handed'). We wander back out to reception, hand our passes back to the desk staff and head off for a debrief.
So what did we learn? I alluded to it being more about HR, and technically it is, but how does the HR element at Facebook link with our security knowledge? Well, for a start, security doesn't begin by looking outwards. 'Theft by an employee' is a phrase all too well known to any street cop. Shoplifters are the least of a shop's problems if staff in the organisation lack the culture to not bite the hand that feeds them. From what we could see, access to the building could be gained by anyone such as ourselves with even a casual link with a Facebook employee. A disgruntled employee, annoyed at criticism from management, brings in someone with malicious intent: a Trojan horse in 21st-century terms. Perhaps Tom from MySpace is making a comeback? Who knows, and maybe Facebook is safe from corruption because it's so nice to its employees, but from the perspective of an organisation built on assessing risk, Facebook would do well to consider not only its physical security at entry but also movements within the building. Our intentions were genuine, but had they not been, I'm certain we could have caused issues, if only minor and temporary.
I don't think we could ever class our visit as a genuine penetration test - our actions and intentions were genuine, therefore our body language aided our entry to the building, and we had genuine cause to be there to meet a genuine contact - but the vetting was basic. Two nondescript guys walked in to meet one of many members of staff, provided basic and easily forgeable ID and subsequently had almost free run of the building, including access to a roof garden (great views, by the way), bags over shoulders the whole time, phones out and able to record whatever we wanted.
Facebook had a break-in in early 2017 where two YouTubers gained access relatively easily and were able to roam the corridors with ease. So while the relaxed attitude to work is, by all accounts, nothing short of miraculous, it leaves enormous vulnerability inasmuch as nobody from the outside ever stands out (except if they wear suits and/or are likely to be of child-bearing age, as discussed above). International security staff are on the lookout for lookalikes of film bad guys, shifty body language and bags with 'swag' on the side. Nobody suspects the 23-year-old guy dressed in jeans and a t-shirt with a thumbs-up on it.
So what's more important, being so nice to the staff that they work like nobody could ever anticipate, or losing some of that in favour of tighter security? As a man hooked on risk management I'd be inclined to lean towards the latter; however, there may be a middle ground where not just Facebook but any company could do with having an objective eye cast over their setup. In my experience, large security companies focus on the likes of corporate espionage, Chinese and Russian hackers, international election fixing and the like, and therefore tend to overlook the gaping physical security failings which lead to the YouTuber-style break-ins. Crime and its methods vary from country to country, city to city, postcode to postcode, and there's nothing like local knowledge to keep local bad guys at bay.
Luke Brice - Director Blue Line Security Services Ltd