Monday, February 11, 2013

Convenient security

I recently saw a documentary about security. Specifically about the new e-printers, universally accessible NAS drives and security cameras. According to the documentary some 7.000 e-printers, 14.000 NAS drives and thousands of security cameras are publicly accessible without a password over the Internet. And they only investigated one vendor of each product! They copied forgotten passports from scanners, accessed passwords for a secure network at Europol (stored on a NAS) and turned off the security cameras in a shop. They estimated that about 80% of all security breaches are caused by users, not attackers!



Who is to blame?
The documentary aimed at placing the blame with the producers of the devices. I don't agree with that. If you (the user) don't bother to figure out how to lock your car and leave it open, you don't blame the producer. If a network engineer makes a backup of network configurations on his personal NAS and doesn't secure it, so that Europol's passwords are freely accessible on the Internet, you can't blame the NAS producer. At the very least, a network engineer should know better.

Why don't users secure their devices?
Unless they work in security, users will generally choose convenience over security. Contrary to what some employers think, most employees actually want to do their job. When faced with security barriers at work, both technical measures and regulations, most employees will work around them if those barriers seriously prevent them from getting their work done.

This isn't just true for users in big enterprises, it is also true for SOHO users, who might not have an IT department. They purchase IT equipment that will make their work easier, not increase security. You can think of this in another way. When was the last time you checked the security features of a car you purchased? I'm not talking about the airbags. Did you ever check the quality of the locks or the car alarm? Do you know how easily people can steal your car? If you're like me, you probably don't know these things. You assume that when you lock your car it's "safe", and you buy insurance. You look at other features like mileage, cruise control, bluetooth adapters and so on. Why should this be different when people purchase IT equipment? They look at storage capacity, wireless connectivity, Internet accessibility and so on.

Even IT professionals will choose convenience over security. I can give you some real life examples.
Many years ago, I was a volunteer in an organization, and among other things we needed to publish a booklet. The organization had computers available for the volunteers, and these were locked down vigorously by a security obsessed IT administrator (he later started a security company). You couldn't even install a new font on these machines. It was impossible to work on them. So I disconnected a PC and plugged my own laptop in (not many people had laptops back then). I now had access to the entire network, printers and everything. Now we could create and publish our booklet. Another, more recent, example was when I worked at a company that, like many, had a 20MB e-mail attachment limit. I needed a vendor to send me materials above 20MB. How to do that? I called the IT dept. and it turned out the company had a large file exchange portal. I needed to create the vendor as a user on the portal. Send him a link where he could log in. He could upload the file. I could then go to an internal page and download it... or I could just ask him to send it to my private mail account. You guess which option I chose.

So how come companies spend a lot of money on security and we still have these problems?
It's the way companies view security. It's a paradigm of "washing hands". The CTO asks the IT department "are we secure"? The IT dept. says "yes, we have implemented the best firewalls and the strictest security policies for the users". If there is a security breach, the IT dept. can say, someone broke the policies. The CTO can say we have done everything within our available resources (i.e. we need more money) and so on. Now everybody has washed their hands.

The users pose the biggest security threat to themselves and the network. We need a strategy to deal with that. Unfortunately, current strategies reflect the existing paradigm of "washing hands".

In general two strategies have been used to increase security. One has been to increase security measures and the other has been to educate users. I believe neither can achieve the goal.

"The more you tighten your grip, the more star systems will slip through your fingers."
- Princess Leia

This is exactly what happens when you tighten security. At some point employees will feel, that security is something they need to overcome in order to do their work and it is virtually impossible to protect against widespread security breaches inside the network. If the only tool you have, is tighter security, you increase the problem, every time you try to fix it.

Other people advocate that we should educate the users, so that they understand the security risks and know which precautions they must take. While it is always good to explain to the users, why certain security measures are in place, I don't believe that we can educate our way out of the problem. Education requires one main ingredient: The desire to learn. If the users don't have any interest in learning about security, the education will be a waste of time.

So what can we do?
In an age of BYOD, I believe that we should give the users what they want - convenience! If we want to secure users and our networks, we need to make the users work for us, by working for the users. Let me give you an example.
If we have a big company with a large IT department, we could supply the employees with all their IT needs. If an employee would like a NAS, he could buy it from the IT department, who would then set it up and support it. If the price is the same as in the shops, he's getting an additional service (support) for free, and the benefit for the company is that we can secure the device and know that any data stored on it is safe.
This is just an example, but if we start thinking in this way - we can find solutions, that work in our particular situations. We need to think of the users as part of the solution, not part of the problem.
