In case you didn’t know, we’re just through the annual agony that is the Infosec show. It’s great being a journalist; you fetch up at a trade show, they look pleased to see you then realise you’re writing about stuff rather than spending money and their eyes sort of glaze over.
No matter – liking journalists isn’t a prerequisite for doing business. Something that definitely is necessary, though, is some basic discipline – and it’s here, not in the technological security arena, that I believe most ‘security’ efforts fall over.
Consider this. Someone gets annoyed by Windows installing things in the background. They just want to use it and forget it – so they turn the autoupdate function off. Within months, maybe weeks, they’re going to have a less secure version of Windows running, not because the product isn’t world class but because they’ve switched an element of its protection off. Autoupdate will insulate you from known security issues with the system; that’s why it’s there. Is getting staff to keep that switched on technical or managerial? My vote would go for ‘managerial’, very easily.
You can actually get right away from computers to find some more security howlers. No, I mean literally walk away from the computer to a printer, get your printout of a secure document – and leave it on a train. Or hold it, as happened recently to the police, so that it’s readable in a photograph. Or leave it in a hotel lobby while you nip to the loo. People have done all of these things in documented, accurate cases.
You’ll note that in these instances you can’t really blame the technology. It’s simple human error. As was the occasion on which I was freelancing at someone’s desk in a publishing company and needed to find something out from their database, so for the password I tried p-a-s-s-w-o-r-d for a laugh – and it worked. As it is every time someone forgets to switch their screen off when they move away from their desk and the information gets swiped.
It would of course be difficult, devoting a trade show to improving people’s practices and their awareness of the sort of victories they’re handing data thieves on a plate. But I’m increasingly convinced that this, together with some training in just why software behaves in certain ways by default, is what’s needed.
This is a guest post from Guy Clapperton, a freelance journalist who has specialised in the small business arena for over a decade.