April 8, 2019

What the breach at Trump’s Mar-a-Lago resort tells us about the need for a culture of security awareness


Odd and awkward incidents seem to follow the current US President, but the recent hack attempt at Trump’s Mar-a-Lago resort in Florida is instructive for what it tells us about the organisational impact of indifference and inconsistent policies on cyber security.

While the President was on the golf course, an unauthorised Chinese national apparently blagged her way through security checkpoints and gained access to the Mar-a-Lago estate – the ‘Winter White House’ – which is frequently used for official government business. She was eventually questioned by the US Secret Service, who found in her possession a memory stick holding malware, a laptop, a device that looked like an external hard drive, and four mobile phones.

Had more time passed, the uninvited guest might have been able to watch the President meeting with resort residents and government officials – maybe even getting close enough to take a selfie.

What loss or damage could have been inflicted is open to speculation. The fact that she could talk her way so far inside the resort’s security perimeter points to larger failings, with perhaps the biggest being an apparent indifference to cyber security concerns at the top of the White House hierarchy.

Part of a pattern

This isn’t the first time Mar-a-Lago and Trump have been in the security spotlight. While the US Secret Service locks down the property when the President is in residence, Mar-a-Lago remains a private club with broad access given to members, guests and other individuals attending events – allowing them to wander freely even when the US Commander in Chief is about. The President’s private quarters are inaccessible to guests – but apparently sit just a few feet away from the resort’s public areas.

Charged with keeping the President and key US government assets safe from harm, the Secret Service regularly expresses concern about security arrangements at the semi-public facility. Mar-a-Lago staff have some security responsibility and control over access to the club by private groups hosting events. The Secret Service is mainly responsible for screening guests for weapons or other banned items, rather than the comprehensive profiling and surveillance it undertakes at other venues.

As for Trump himself, the President shows little concern for privacy or security when visiting officials stay at the resort.

In early 2017 when North Korea conducted a missile test, club members and their guests were able to observe as Trump and the Japanese Prime Minister discussed with aides how they should respond to the event – while dining together on the club’s outdoor patio. As widely reported at the time, advisors turned on their mobile phone torches to light documents on the table between the two leaders, raising obvious security concerns.

All of this strongly suggests that a culture of security disdain reigns in the current White House. Whether they intend it or not, the top man or woman sets the tone for the rest of the organisation. On paper, security policies and procedures may be well defined and stringent, but if senior leadership is allowed to bend the rules, it sends a signal to others that impunity trumps (sorry) shared responsibility.

Where security policies only apply selectively, or aren’t considered important by the people in charge of setting or approving them, a behavioural pattern is set that other people further down the company hierarchy might well emulate.

How to connect the cyber security dots

Many organisations have more than one physical facility where employees conduct business. There can be disconnects in terms of systems, procedures, or levels of security awareness from one building or department to another. Organisations of all sizes have to deal with the insider threat – the inadvertent or careless behaviour by an individual that opens the door to a security breach.

One of the key ways to overcome these issues and ensure a joined-up security regimen across the organisation is to create a shared culture of security awareness.

With cyberattacks on the rise around the world, promoting a culture of cyber-security awareness is more important than ever. Attacks are increasing in scale and complexity. Cyber-crime is expected to cost the world about $6 trillion by 2021, exponentially greater than the damage caused by natural disasters.

People—not just tools—are essential to your company’s cyber health, and helping employees raise their own level of security awareness is an excellent way to start strengthening your defences. By conducting regular security training, you can encourage your people to change their behaviour and commit to it. 

Let’s talk

Want to learn more about empowering your employees’ security defences? Why not sign up for a free demo and find out how we’re already helping organisations just like yours?
