I belong to a gym, one of those upscale suburban type gyms that always has fresh lemon-cranberry infused water and a healthy serving of bionically endowed 40-somethings traipsing about in designer gym wear. Many local athletes and celebrities frequent the place, and by sheer coincidence the Warriors cheerleading squad holds practice and try-outs on the exact same dates and times I usually work out. Recently there has been a series of locker break-ins, petty stuff – a couple hundred here, some smelly socks there, nothing major – but what has surprised me is that they haven’t publicized it to their clients. I happened to find out by overhearing a conversation between one of the staff and a client who was asking why the doors were missing on several lockers. It has happened a couple of times since then and the Gym has still not said anything publicly.
So what does any of this have to do with Security?
Well, I have been fairly vocal about the ineffectiveness of most security awareness training efforts. Although it is important to make people aware of threats and risk, it usually does little good since people are people and people do stupid things – how many times have you heard “I knew as soon as I clicked on it I probably shouldn’t have”? Even when folks do perform awareness training, stupid things still happen (here). But an organization does have a responsibility to inform its customers (whether they be internal customers consuming IT services or, in the case of the Gym, folks using the facilities) of potential threats or a change in the threats, so they can weigh the risk associated with certain actions. In the case of the Gym thefts the threat is some jackass deciding they are going to break into lockers, which could result in the loss of personal items; folks can then weigh the risk of losing their items against the convenience of carrying them into the Gym.
I talked to the manager about this and was assured that they were absolutely planning on either personally calling every member or distributing fliers, but to date, and it has been about a week, they have done nothing. I will probably go make a scene. I can imagine that they are cautious about talking about the thefts as it makes them look bad, and although I think they have “we are not liable for loss, theft, or damage” disclaimers, there may be other legal ramifications they are worried about. Either way it is reprehensible that they would knowingly withhold this information, since it robs people of the ability to think about the risk of loss and make a different decision. I stopped bringing my wallet into the Gym, and I keep my car keys in my pocket in case my locker is broken into and the thief figures out which car is mine, but others may not think to do this. In this case security awareness is the appropriate response and should have been done quickly.