On 2/17/2015 8:42 AM, Edward Ned Harvey (blu) wrote:
> I see a lot of people and businesses out there, that just don't care about 
> their own privacy.  They email passwords to each other, W2's with salary and 
> social security information, photocopies of drivers' licenses and passports to 
> be used by HR to complete I-9 forms...
> 
> As an IT person advising a business to be more responsible, what areas do you 
> advocate securing most urgently?  IT admin credentials?  HR records?  Financial 
> records?  Other stuff?  Simply everything, bar none?
> 
> Email is obviously a huge area of insecure information sharing.  Do you also 
> see a lot of people storing information that should be secured in other 
> non-private services like Dropbox, Google Drive, Box, etc?

People care a lot about their own privacy. The problem is that, by and large, it's /only/ their own privacy that they care about.

Those on this list who have done penetration testing will back me up on this: you can touch any corporate asset on an employee's desk, but if you touch a purse or a cellphone, they get very interested, very quickly. Purses and cellphones contain information that they feel /is/ private, and therefore they take care to protect it.

I'll leave aside the fact that most of what's in a purse or cellphone is already available in databases at the various big-data vendors. What counts is that employees /think/ it's private, and so they act diligently to protect and conceal it.

Their employer's privacy is another matter. We could debate passwords vs. tokens vs. biometrics vs. secret handshakes, and never come close to "solving" the security issue, which is, bluntly put, that most workers don't feel any connection to the corporate goal of 'security'. Very few desk jockeys have any skin in the security game, and even those who could lose their pension if a major breach occurred have a hard time connecting that "Maybe, possibly, the odds are ... " kind of abstract risk with their day-to-day responsibilities.

Low-level employees, even though they are the ones with the most access to the most sensitive personally-associated information, such as SSN's or bank account numbers (remember the "void" check you sent in to start direct deposit?), are not concerned with abstract corporate goals. They know they'll never sit in the corner office, and they know that they'll never drive the Porsche that the executive owns, and they know that they would have to have been a lot more daring and a lot more aggressive and a whole lot more disciplined, for years, if they had ever wanted to be higher up in the corporation. They do what they have to, not what's "right" in the eyes of us technical weenies who mouth buzzwords and speak in gibberish while shaming them about "security".

Shakespeare put it best - "The fault, dear Brutus, is not in our stars, but in ourselves, that we are underlings."

There are, of course, exceptions: those on this list have, I'd bet, mostly come to terms with our station in life as modern-day horse-whisperers who tend to complicated and failure-prone machines and/or software instead of to leading people. In any case, the odds are that we're all well above average in IQ, in income, and in the ever-so-elusive perception of ourselves and our place in the world.

The essence of the problem isn't technical; it's human. In military settings, soldiers who don't change their password on time (or whose passwords fail a complexity test) are assigned to low-status jobs, to remind them of their training. In corporate settings, it's impractical to demand that someone who has a password written on the bottom of a keyboard take a day to clean the bathroom or wash the windows, so there's no obvious way to coerce "secure" behavior, short of willingness to fire those employees who violate password or other security measures.

So long as "security" must be implemented with the cooperation of men and women who resent their station in life and their poor prospects for the future, it will be a serious problem. As Bruce Schneier so aptly pointed out (when critiquing the TSA's policy of confiscating bottles of liquid) - "There's no penalty for failure". In other words, so long as the consequences of lackadaisical behavior are borne by anonymous stockholders instead of the perpetrators, we lose.

Bill "Mister Subtlety" Horne
William Warren Consulting
Copyright (C) 2015, E.W. Horne. All Rights Reserved.

--
E. William Horne
339-364-8487

_______________________________________________
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
