Raj Samani is the vice-president of corporate relations at ISSA UK
Every year a new technology is heralded as the saviour for organisations in their eternal struggle for ensuring compliance and mitigating all (or most) risk.
This all comes from a friendly graphical user interface, with the only proviso being that the organisation spends a great deal of money on licensing, implementation and, of course, the not-so-free technical support.
However, as has been the information security mantra, security is only as strong as the weakest link, and this is, invariably, the user.
Implementing technical controls in any environment will always have the potential to mitigate a degree of risk; however, the issue is that overly helpful employees circumvent these controls.
We are constantly reminded of examples where enthusiasm or plain stupidity are the root cause of major security breaches - from a simple gesture such as leaving the door open, to putting off a security patch until after the weekend.
This is illustrated clearly in a survey carried out by organisers of the Infosecurity Europe conference. Commuters at London train stations were asked for their passwords and 40% responded immediately with the information.
A further 22% gave out their password under further questioning - although the survey did include the incentive of free chocolate.
The answer could be to implement, at the very least, two-factor authentication, which would mean that without, for example, a physical token, having a password or PIN alone would be of little use in gaining access.
However, even this has the potential for being bypassed: socially engineering an overly helpful helpdesk employee into providing a backdoor is possible, and was actually depicted in Kevin Mitnick's book, Art Of Deception.
Make the message heard
Technical controls certainly have a relevant role in information security, but all forms of controls are liable to fail unless the organisation has a clearly written, regularly voiced policy that is communicated in a language the employees will understand.
Simply having someone write a booklet or stand up for five minutes during an employee induction is woefully inadequate. Likewise, one e-mail to state that the policy "is on the intranet" is insufficient. Look at the areas where policies should be in place at your organisation and ask yourself these questions:
- Do we have one?
- Were they easy to find?
- Do I understand them and, more importantly, will the receptionist?
- Are the penalties sufficient deterrents?
Getting a yes to these questions is only the first step in implementing the human firewall, but it lays the foundation. The message on security must be communicated in a consistent and measurable way.
Most importantly, though, it must be a message that is regularly communicated to both permanent and contract employees.
Have your say
Do you agree with Raj Samani's views? If you have an opinion about this or any article in Computer Weekly, e-mail firstname.lastname@example.org