e-academy – IT training excellence in Cardiff, Newport, Bristol and South Wales

The two Ps of security

IT has had a tough time in terms of security, with lots of data breaches making the national headlines. But when you look at most cases, it's not technology that's failed.

20 September 2008

It seems that hardly a week goes by without a massive data breach hitting the news. Questions have even been raised in parliament.

But you don’t have to look too far to see that the problem isn’t usually with technology. It rests with ‘the two Ps of security’ – people and processes.

In fact, technology has become considerably more secure over the last few years. Despite Microsoft initially gaining a reputation for being sloppy in the security stakes, the company has bounced back with security at the top of its agenda. Windows Vista is possibly too secure – quite a bit of the negative press about Vista has been that users now have to jump through a few more hoops to use it, a direct result of locking the OS down more securely.

Internet Explorer 7 can hold its head high when it comes to security too – standing up there with the best. Microsoft is typically quick when it comes to posting security updates, and is very open about its security policies.

Yes, we are talking predominantly about Microsoft, but that’s because enterprise computing is predominantly Microsoft, though Linux and Mac OS also have great security features – even if Mac OS was the first to fall at a ‘hack the OS’ competition this year.

There are now some great security technologies – such as BitLocker, built into Windows Vista, or biometrics, which feature on a growing number of products. There may well be better security innovations around the corner, but right now, enterprise and desktop computing can be made pretty darned secure. So what’s the problem?

We are. You. Me. The person sat next to you.

People have an inherently lax attitude towards security and processes that is evident in most of the major security breaches.

We leave our computers on without logging out. We have our operating system set to log in automatically, without a password. We log into secure Web sites and tick the ‘remember me’ option. We choose passwords that we can easily remember – such as our children’s names. We give others our passwords. We think nothing of taking work home on an insecure memory stick, even if it’s against the rules. Why? Because we hate inconvenience. We’re lazy and we can’t be bothered to do something in a way that takes even slightly longer.

Let’s look at a few examples. The personal data related to 25 million people went missing from the UK passport agency. The reason? Junior officials ignoring security procedures. The Department of Work and Pensions loses two discs which are (breathtakingly) unencrypted. The woman who had them just before they went missing had taken them home, but ‘forgotten to take them back’. CDs containing the entire child benefits database went missing in transit – also unencrypted and not using the prescribed, registered transit system. The list goes on – but the pattern is clear. If the CDs had been encrypted, then the risk would be vastly reduced. If processes that were in place had been followed, then the chances of them going missing would be almost none. In a world where identity theft is one of the fastest growing crimes, and the Internet is used to distribute lists of thousands of people’s personal information, no organisation can afford to be this lax.

But we’re not just lazy, we’re sneaky too.

When Internet Evolution ran a poll asking whether anyone had ever logged into someone else’s e-mail or social networking account without his or her knowledge, 42% of people said that they had. And if 42% are willing to admit to having done such a thing, it wouldn’t be a surprise to find that the real number was quite a bit higher.

We may not like to admit it, but if something’s to be done about these kinds of security breaches, we’re going to have to consider the fact that the weak link in the chain is us: when it comes to security, we’re – well, rubbish.

When Apple added its Time Machine backup to Mac OS X, it created the software with one major assumption. People are useless when it comes to remembering to take a backup. The next step was to ask why – the answer was that most backup software is just too complex, and too inconvenient to use. People can’t work out what to back up, and where to back it up to. So, people being people, even if we have backup tools, we don’t use them. The answer was to take the decision making and work out of people’s hands. Time Machine therefore backs up everything, all the time, without the user thinking about it. When you want to get at an old version of something, you don’t have to enter a complex backup programme, you just enter a different view of the Finder, get your file using the interface you already know, and click restore. Job done.

And that’s the kind of approach we need with security. If data needs to be encrypted, then don’t ask a person to do it – because they won’t. Make sure that it is always encrypted. If it needs to be transported somewhere, don’t have any insecure options available – and make the secure option easy to use. And perhaps some more draconian measures are needed, such as laptops with the CD drive and USB storage disabled totally, so you can’t get around the processes in place.

Here, technology can now play a role – by putting in place systems and processes that can’t be circumvented, treating us like the lazy, untrustworthy people we seem to be!
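As an added illustration of the two controls argued for above (block removable media so the process cannot be bypassed, and check that encryption is always on rather than left to the user), here is a PowerShell script for a Windows laptop. It is example code written for this page, not something from e-academy or Microsoft. It assumes the standard ‘All Removable Storage classes: Deny all access’ policy key and the USBSTOR service start value, and it parses the text output of manage-bde, which is what Vista ships with; run it from an elevated prompt. In a domain these settings would normally be pushed by Group Policy rather than set locally.

```powershell
# Added example (not from the original post): audit, and if needed enforce,
# two "can't be circumvented" controls on a Windows laptop.
# Assumed locations (standard, but treat as assumptions for your build):
#   - RemovableStorageDevices\Deny_All = 1  -> policy "Deny all removable storage"
#   - Services\USBSTOR\Start = 4            -> USB mass-storage driver disabled
$RemovableKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
$UsbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-RemovableStorageState {
    # Report whether removable storage is blocked by policy and by driver.
    $denyAll  = (Get-ItemProperty -Path $RemovableKey -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $usbStart = (Get-ItemProperty -Path $UsbStorKey   -Name 'Start'    -ErrorAction SilentlyContinue).Start
    return @{
        PolicyDenyAll   = ($denyAll -eq 1)
        UsbStorDisabled = ($usbStart -eq 4)   # 4 = SERVICE_DISABLED
    }
}

function Set-RemovableStorageBlocked {
    # Deny all removable storage classes and disable the USB mass-storage driver.
    if (-not (Test-Path $RemovableKey)) { New-Item -Path $RemovableKey -Force | Out-Null }
    Set-ItemProperty -Path $RemovableKey -Name 'Deny_All' -Value 1 -Type DWord
    Set-ItemProperty -Path $UsbStorKey   -Name 'Start'    -Value 4 -Type DWord
}

function Get-SystemDriveEncryptionState {
    # manage-bde exists on Vista and later; Get-BitLockerVolume does not.
    $output = & manage-bde -status $env:SystemDrive 2>&1 | Out-String
    if ($output -match 'Protection Status:\s+Protection On') { return 'Protected' }
    if ($output -match 'Percentage Encrypted:\s+([\d.]+)%') { return "Encrypting ($($Matches[1])%)" }
    return 'Unprotected or unknown'
}

# Audit first, then enforce: the person using the laptop never gets a choice.
$state = Get-RemovableStorageState
if ($state.PolicyDenyAll -and $state.UsbStorDisabled) {
    Write-Output 'Removable storage: blocked.'
} else {
    Write-Output 'Removable storage: NOT blocked - applying policy now.'
    Set-RemovableStorageBlocked
}
Write-Output "System drive BitLocker state: $(Get-SystemDriveEncryptionState)"
```

Disabling USBSTOR takes effect for newly attached devices; a reboot makes both settings apply cleanly, and a recovery key for BitLocker should already be escrowed before anyone relies on the ‘Protected’ line.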