Raj Samani is the vice-president of corporate relations at ISSA UK
Every year a new technology is heralded as the saviour for organisations in their eternal struggle to ensure compliance and mitigate all (or most) risk.
This all comes from a friendly graphical user interface, with the only proviso being that the organisation spends a great deal of money on licensing, implementation and, of course, the not-so-free technical support.
However, as the information security mantra goes, security is only as strong as the weakest link, and this is, invariably, the user.
Implementing technical controls in any environment will always have the potential to mitigate a degree of risk. The issue, however, is that overly helpful employees circumvent these controls.
We are constantly reminded of examples where enthusiasm or plain stupidity is the root cause of a major security breach - from a simple gesture such as leaving the door open, to putting off a security patch until after the weekend.
Not-so-secret passwords
This is illustrated clearly in a survey carried out by organisers of the Infosecurity Europe conference. Commuters at London train stations were asked for their passwords and 40% responded immediately with the information.
A further 22% gave out their password under further questioning - although the survey did include the incentive of free chocolate.
The answer could be to implement, at the very least, two-factor authentication, which would mean that without, for example, a physical token, having a password or PIN alone would be of little use in gaining access.
However, even this has the potential to be bypassed: socially engineering an overly helpful helpdesk employee into providing a backdoor is possible, and was actually depicted in Kevin Mitnick's book, The Art of Deception.
Make the message heard
Technical controls certainly have a relevant role in information security, but all forms of controls are liable to fail unless the organisation has a clearly written, regularly voiced policy that is communicated in a language that the employees will understand.
Simply having someone write a booklet or stand up for five minutes during an employee induction is woefully inadequate. Likewise, one e-mail to state that the policy "is on the intranet" is insufficient. Look at the areas where policies should be in place at your organisation and ask yourself these questions:
- Do we have one?
- Were they easy to find?
- Do I understand them and, more importantly, will the receptionist?
- Are the penalties sufficient deterrents?
Getting a yes to these questions is only the first step in implementing the human firewall, but it lays the foundation. The message on security must be communicated in a consistent and measurable way.
Most importantly, though, it must be a message that is regularly communicated to both permanent and contract employees.
Have your say
Do you agree with Raj Samani's views? If you have an opinion about this or any article in Computer Weekly, e-mail computer.weekly@rbi.co.uk