In certain security circles, it’s said that people are the number one weakness when it comes to strong data encryption. For example, it doesn’t matter how excellent AlertBoot is when it comes to securing laptops’ hard drives, it won’t be of much use if users are able to set their password as “12345.”
Such failures do not pertain only to users. It can extend to administrators as well, as Buzzblog relays to us in what could be an apocryphal story (although the author has gotten assurances that it’s perfectly true).
Online Comic’s Story Goes Viral
According to Paul McNamara at Buzzblog (networkworld.com), a web comic author put up a story based on his experience at a Citibank call center. The artist later pulled the post, but not before nearly one million people saw it (and no doubt, shared it).
Long story short: despite working in a completely locked-down environment — in every sense of the word: physically, communication-wise (no phones or email), etc. — he found that certain websites were still reachable.
See, the employees needed to access the sites of the company they worked for: CitiBank, CitiMortgage, CitiFinancial… But since the company was constantly expanding, their IT department had decided that rather than keep updating the firewall, they would simply allow any site whose name started with the letters CITI, assuming that the company would probably own it.
The above shows more than people being lazy or stupid or any other pejorative you can think of: it shows an approach to risk management that is, to a certain degree, quite logical: chances are that something won’t happen, so we’ll draft security procedures that ignore it.
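To make the firewall decision concrete, here is an added example (not code from the blog post or from any Citi or AlertBoot system) that models the “allow anything starting with CITI” rule beside a rule that only allows domains the organization actually controls. The owned-domain list and the sample URLs are constructed for illustration; the point is how many unrelated hosts the prefix rule lets through and how a label-boundary match on owned domains avoids that.

```python
"""Domain allowlist matching: prefix rule vs. ownership rule.

Added example, not from the original post. The 'owned' domains and the
sample URLs below are constructed placeholders.
"""
from urllib.parse import urlsplit

# Constructed list of domains the organization actually controls.
OWNED_DOMAINS = frozenset({"citibank.com", "citimortgage.com", "citifinancial.com"})


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL, without scheme, port,
    credentials, path, or a trailing dot."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower().rstrip(".")


def allowed_by_prefix(url: str, prefix: str = "citi") -> bool:
    """The rule from the story: allow the site if any DNS label of the host
    starts with the prefix. This is what a 'starts with CITI' filter
    effectively does, and it says nothing about who owns the domain."""
    return any(label.startswith(prefix) for label in hostname_of(url).split("."))


def allowed_by_ownership(url: str, owned=OWNED_DOMAINS) -> bool:
    """Allow only hosts that are an owned domain or a subdomain of one.

    Matching on a label boundary ('.' + domain) means 'notcitibank.com'
    and 'citibank.com.example' do not match 'citibank.com'."""
    host = hostname_of(url)
    return any(host == d or host.endswith("." + d) for d in owned)


def compare(urls):
    """Return {url: (prefix_rule_result, ownership_rule_result)}."""
    return {u: (allowed_by_prefix(u), allowed_by_ownership(u)) for u in urls}


if __name__ == "__main__":
    SAMPLE_URLS = [  # constructed
        "https://www.citibank.com/login",
        "https://online.citimortgage.com/",
        "http://citizen-news.example/",
        "http://cities-of-the-world.example/",
        "http://citibank.com.example/",
    ]
    for url, (by_prefix, by_owner) in compare(SAMPLE_URLS).items():
        print(f"{url:40} prefix={by_prefix!s:5} ownership={by_owner}")
```

Running the block prints one line per sample URL: the prefix rule allows all five, the ownership rule allows only the two hosts under owned domains. The maintenance cost the IT department was avoiding is the `OWNED_DOMAINS` list; that list still has to be updated when a new brand appears, but the allowlist never silently widens to every “citi…” site on the internet.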
Such flawed reasoning extends to laptop and device security as well:
Chances are that we won’t have a break-in and people won’t steal our desktop computers, so laptop encryption yes, desktop encryption no.
Our DLP solution prevents underlings from having sensitive data, so bigwigs’ computers are secured with disk encryption, underlings’ laptops not so much.
Employee laptops use a VPN and virtual environments for accessing company data, so laptop security (be it antivirus or encryption software) is not necessary. (What about screenshots and malware that records the screen?)
You can’t protect yourself against all threats, obviously; you have to draw a line somewhere. However, you have to be prudent about where you draw the line. Assuming that the CITI group will own all domains that start with “citi,” or that employees’ laptops won’t be the source of a data breach because “they’re not supposed to have that data,” are examples of where such lines get drawn. As the “consumerization of IT”* gathers steam, expect such issues to pop up more often.
*Strunk and White must be rolling in their graves.