Delegates at the City IT and IT Security Forum on the Aurora cruise ship last week discussed, among other things, whether too much security can be onerous for their companies.
One delegate spoke of the impact on his business of extensive encryption demands by Visa and MasterCard. "We now have an industry of encryption key management. We have three million transactions a day to encrypt. I have had to create a whole department responsible for encryption key management."
[But some delegates said that chip and pin technology is still inherently insecure. One retailer is seeking from suppliers a "Geiger counter" which detects Bluetooth or other radiation from chip-and-pin machines.]
A delegate who works for a High Street bank said that compromises in security are sometimes necessary. He said that banning the use of USB memory sticks in desktops and laptops, for example, can be counter-productive:
"If you completely lock these things down, and you are doing business on the road, and you cannot access the USB, it means you cannot back up information or share it. That's a problem."
He added:
"You can get obsessive with risk and encryption." He said that the bank's policies discouraged the mention of account numbers in unencrypted emails, but he asked whether they were any safer in the post, which was in any case more costly. "We cannot possibly encrypt all of our data on all of our clients."
Even when minimum standards of security are required for regulatory reasons, there may be scope for compromise, said the bank representative.
"In my experience, compliance people will always take the most negative view but I argue with them. I say: 'That's your interpretation, but we could interpret it in a different way.' Most of these regulations are not tested in law. Are we wrong to take a lesser approach?"
Several delegates said that an alternative to onerous security restrictions was instilling in staff and executives an understanding of company policy. If they then flouted company policy, they knew the risks they were taking.
Richard Hackworth, former Chief Information Security Officer at HSBC, said that if company employees are notified when their questionable activities have been detected, they will "know that somebody is looking" and so will be more careful.
Hackworth said that difficulties for IT security professionals are increasing. In recent years there has been little progress on solutions, but technical problems are increasing while there are "increasing external expectations on what we are able to do".
Links:
Too much security can be overbearing - Microsoft
Ross Anderson paper on chip and pin security - University of Cambridge, Feb 2008