
Thursday, April 30, 2009

Security vs everyone

Security and ease-of-use tend to be mutually exclusive, it's said. Security is stuck in a two-front war: not only are there Bad Guys to keep out, but the authorized users will usually do almost everything possible to defeat the security measures that are intended to keep the Bad Guys out. In a sense, IT security is generally fighting bigger battles with its own customers than it is with the bad guys.

Corporate users write their login credentials down, use easy-to-guess passwords or passwords that can be cracked in fractions of a second, use the same password for everything, want unrestricted access from anywhere without any of that complicated password nonsense, install software that compromises their systems, write down login names and passwords and stick them to their laptops, leave those laptops unattended, plug in wireless access points or random modems on the network, or even just give away their passwords in the street for the asking. Seriously.

Most corporate computer users treat the IT or IT-security team as "the enemy". That's actually the word most commonly used when referring to them. The IT people are in a bit of a deadly bind here. The rest of the company is generally working so hard to compromise the security of the network and their desktop systems that it can be an almost impossible chore to actually keep the bad guys out of the network. Then data gets stolen, or systems get compromised anyway.

At one corporation I worked for, a company executive brought in a piece of software that wasn't licensed, and installed it on a desktop system in the warehouse. The software was made by a competitor across the street. Over the next few months, the unlicensed software (which was used for booking, labeling and invoicing deliveries and pickups of shipments) sent all of the information it handled across the street to servers at the rival company in periodic batches.

Armed with information about customers, shipments, rates and so on, the rival could offer sweeter deals and steal business away. And they did.

Business plummeted. Hundreds of thousands of dollars in regular business was lost. Of course the rogue software got removed, once it was discovered, right?

No.

The executive refused to uninstall or replace the software, because it would cost around $3,000 to replace. He also refused to allow the firewall to be configured to block the data transmissions, because that would interfere with certain conveniences demanded by the sales staff.

A solution was eventually found, but only at the cost of nearly all of the company's warehousing business. Why didn't the CTO or the IT department override him, being that it was a technology/security matter? Because he was the director in charge of them. Besides, they had their hands full, because a branch manager in another state had given another competitor dialup access to the local network and share-drives, because he "couldn't be bothered with all those email attachments."

Oh, there was far, far worse.

The thing is that when it comes to computers people want instant, they want convenient, and they want locks without keys (and ideally doors without locks - and perhaps without doors). Computers allow us to get so much done, so much faster that we want everything to be fast. Every moment typing or remembering a passphrase is an impediment - a barrier to getting the job done, or to getting out of the office at 5.

That sort of poor computer hygiene doesn't just live in the office. As for people's home computers, well, they manage their own security there. It's hard to find a home computer that isn't infected with something, and frequently with many somethings.

Nobody cares until they lose all their data, or their World of Warcraft gold and equipment, or their Second Life account -- and then they want to blame someone else for it. You didn't do enough to protect them.

The bad guys win more often than they lose - because we, as users, make it easy for them to win. We insist that others do all the work for us, and then we don't let them do their jobs. You don't have to become an expert in either computers or security, but if you learn just a little about how to take care of yourself, your computer and your passwords, your whole IT department can relax a little and actually allow some of the things that they're presently forced to block or prevent.

You can make things easier for you. For everyone.
