Paranoia Rules - who can you trust with your data?

I have just received an e-mail from “The Excellent Network” on “10 Things you didn’t know last week” inviting me to click for actions in the coming week. It arrived just after a reference to another data breach at a US supermarket chain; I decided not to trust it. I also concluded that my wife was not irrational when she declined to trust the security of our local supermarket.

A couple of days ago the Boston Globe carried an article on a US supermarket chain (300 stores) that had discovered “software that intercepted card data from customers as they paid with plastic at store checkout counters, and sent the data overseas.”

The security expert who forwarded the supermarket reference to me said that the attack did not use anything new – the “story” was that the current focus on perimeter security, as opposed to “defence in depth”, means that many internal corporate networks are surprisingly vulnerable.

This morning I also received a request for a quote for the Information Security Awareness campaign that is due next month. Mine was: “Awareness has to include practical understanding on the part of politicians, directors, managers, professionals, teachers and parents as to what they can and should be doing to better protect their voters, shareholders, staff, employees, customers, pupils and children – as well as themselves and their systems. That requires us to work together very much better than in the past.”

UK ICT users are said to be spending well over £3 billion a year on information security.

They are not getting value for money.

Until that changes, whose electronic identity or credentials can you trust?

And why would you wish to – unless someone else is underwriting the risk?

Hence the ruthlessly practical forward focus of the EURIM work programmes on secure data sharing, identity management and e-crime reduction that are currently being agreed.

The lead participants are no longer interested in making or repeating recommendations. There were nearly sixty in the six papers produced during the EURIM Partnership Policing study from 2003 – 2005. There are more in the papers since then on Secure Data Sharing, and we can now see them being repeated by others – albeit often alongside proposals that we dismissed as impractical or irrelevant.

The lead participants are much more interested in identifying those who are willing to come together in partnerships to do what is necessary to protect themselves and their customers – regardless of what others may or may not do.

That raises “interesting” issues of accountability, governance and competition which have to be faced – especially if we are entering a world of privatised policing.

I am not at all sure we should copy the railway age – ISPs having their own police forces akin to those of the Victorian railway companies.

Hence my very strong personal support for the concepts behind both the Metropolitan Police and ACPO plans for a national co-ordinating unit which brings together both public and private sector law enforcement resources and for the UK Internet Governance Forum – to bring together the broader “e-crime reduction” constituency, including groupings like the new Information Security Awareness Forum.

However, I too am accountable, including to the membership of EURIM and look forward to working with those who are serious about taking up arms against a sea of troubles – as opposed to standing on the shore and watching the storm.

But where's the acknowledgement for the fact that we've already been around this track at least once in the last 5 years....? We HAD the NHTCU; it was disbanded. We've HAD information security awareness initiatives and clearly they haven't been listened to in the past. What is so different now? There HAVE been data breaches in the past too - but they haven't been as exposed and obvious until recently. But those of us involved in the aforementioned were more than aware of the level of exposure and provided the appropriate advice and guidance even though it apparently fell on deaf ears. The messages required to assist and resolve the current malaise remain the same. But 16 government reviews in this area (minimum) make the veil of suddenly taking it all so seriously somewhat laughable. It's still just a LOT of hot directionless air.

Well, along the lines of that old joke about the best oral contraceptive being "no", paranoid IT security people "just say no" to anything and everything. I've had to deal with IT department heads who thought that was the safe answer to everything risky.

However, the world doesn't work like that any more, inside or outside the corporation. In contrast to twenty, or even ten, years ago, people are now used to better computing facilities at home than they have at work and they expect the same kinds of data freedoms, even if they don't really understand the risks.

Worse, they want to import the free-wheeling habits and new tech toys they have at home to the workplace, to the alarm of the corporate IT department. The fundamental problem, as always with security, is people. They just don't see why they can't use whatever method they like to "Get The Job Done(tm)". Anything that gets in the way of that or their monthly target or bonus is a matter of complete indifference to them. And, why should it be any other way? Give people conflicting goals and they will choose the one that benefits them most.

People casually hand away large amounts of their personal data because it "gets their life done". Anything that saves a few minutes is highly valued; anything that takes extra time is ignored or worked around. The one thing you can be sure of in today's world is that people are not interested in waiting for anything or anyone for any reason.

That's the usability test security products and policies have to pass.