The Humane Security Society
Written by matan on February 2, 2010 – 4:22 pm

“In communications, familiarity breeds apathy.”

– William Bernbach

Americans are notorious for living dangerously. From fast, expensive cars to sky-diving, speed boats to hand guns, Harley-Davidsons to BASE jumping, Americans are usually the poster boys (and girls) for risky living.

But what’s even scarier? Seventy-three percent of the population REALLY like living on the edge and use their bank password for everything. There are no public statistics for corporations, so we can only guess as to the situation there.

Indeed, one of the biggest headaches most companies face is trying to keep their systems and information secure. Further complicating the issue is the fact that the longer companies go without an incident, the more likely it is that the next “big one” is right around the corner. After a security breach, everyone gets paranoid about security—for a little while. And then the cycle starts all over again.

Yet if information security were ultimately about locking down everything in sight, it would fail. After all, how useful is information if it can’t be used? Information security is more than just keeping your information safe—it’s about engaging your users so they think securely rather than follow procedures and policies like blind automatons. It’s about moving them toward understanding why we keep information safe and how we keep it safe, rather than pedantically lecturing them over and over and then standing over their shoulders to make sure they follow the rules. As counter-intuitive as it may seem, trusting and enabling your users empowers them to follow the rules rather than work against them.

There’s an old cliché that the road to hell is paved with good intentions, and a few years ago, when I was working closely with a three-letter European software behemoth, I got to see this for myself. Their “Security Kaiser,” who was also a member of the executive board, instituted a new security policy under which all email marked sensitive or confidential would not be accessible on Blackberries. On paper, it sounded like sound, intelligent policy. Comically, the facts that spurred this policy were simply wrong and unfounded — there actually wasn’t any security risk in sending the sensitive emails to the Blackberries, but paranoia prevailed over fact. Making matters worse, since many important emails were marked as sensitive or confidential, the policy resulted in a huge productivity slowdown and a myriad of workarounds concocted by some rather enterprising employees. Many other employees simply resorted to public webmail services, bypassing the company’s mail system (and policies) altogether – even for sensitive corporate correspondence. The end result? Lower security for the company and aggravated employees. Hardly the recipe for a sound security policy, if you ask me.

While we joke about everything being connected by six degrees of separation, there is some truth to that statement. Everything in our cyber world is now connected, and more intelligent and interactive than ever. Our societies are built and broken on our technologies—after all, just look at what happens when we have blackouts, or at the chaos at airports when the FAA networks or radars go down. While these technologies provide amazing, endless opportunities, they are the ultimate two-edged sword: those same technologies can also cripple us if used incorrectly or against us.

In some ways, these technologies provide us with the newest form of the Wild West, but instead of frontier saloons and beady-eyed villains with black hats, we’re confronted with everything from innocuous users who simply don’t know any better and make innocent mistakes, to technologically savvy users, to unscrupulous cyber villains who wield keyboards like six-shooters. And as far as these cyber villains go, they can range from the amateur hacker hanging out in his mom’s basement to the Russian or Chinese mafia engaged in cyber espionage. There is no clear profile or delineation anymore, so everyone needs to be educated and alert in order to protect us all. The price of constant vigilance is constant education.

There are those who try to complicate this even further, and say that to do this correctly will require bringing together the policy makers on one side and the users on the other. I believe that’s simply too drastic. It can—and should—happen gradually, yet deliberately; effectively, yet humanely (hence the title of this post!).

These three things need to happen in this order to get your organization’s security in check:

  1. Always be a step ahead of your worst possible enemy, imaginary or not. It’s utterly impossible to predict where, when, or how a security breach might occur and by whom. Sometimes, it’s just carelessness by your users, but sometimes it’s a targeted, well-planned, distributed attack by an international hacking mafia. Either way, when it happens, you should be well prepared, with procedures already in place—procedures that you’ve drilled already. Just like an emergency drill on an airplane, a submarine, cruise liner or a nuclear reactor, you do not want to run it the first time the actual emergency takes place. Simulate and practice. Ad nauseam.
  2. For the users, by the users, with the users—user buy-in is the magic key. If you don’t tell your users why you’re protecting them, they will protect themselves against you, and hell hath no fury like infuriated users with time on their hands. That’s not good for anyone, except your enemies.
  3. Be ever diligent and watchful. Most security breaches go undetected, particularly the successful ones. Preventing a breach is only half the battle; detecting it and handling it are just as important. Assume a breach will happen and be prepared.

Admittedly, some information security practices aren’t far off from rocket science. But that’s no excuse – most of it really is just assessing what you need and getting your users to work with you, not against you. The greatest network protection in the world won’t protect you if your users—either actively or passively—sabotage you. Proving to them that you need their help and empowering them to help you really will make your job that much easier, and lead to a much more humane security society.

One Response

  1. Couldn’t resist: How apt is this?

    “Apple’s legendary impenetrable security, breached by the power of German beer and one single human mistake.”
