You're only human


EDITORIAL

“Technology is part of the problem, not part of the solution. The only thing systems have in common is that they all fail”. These were the words of Ian Angell (dubbed ‘Angell of doom’ by UK press), professor of information systems at the London School of Economics.

Angell was perhaps a strange choice for keynote speaker at the Black Hat Las Vegas conference. Yes, he’s insightful and knowledgeable, and yes, he kept those who’d been playing roulette until the early hours not only awake, but laughing throughout, but to tell an audience of thousands of IT security professionals that technology, on which their livelihoods depend, is “a road to ruin”? Brave.

Of course, in a sense, he’s right. All technology does have the potential to fail at any time. However, on the current security landscape, I think there’s a bigger issue at stake - people.

An insider threat can be somebody abusing their position of trust for malicious gain. More commonly however, the insider threat is someone who causes damage to their organisation unintentionally, either through ignorance or lack of education. And then who’s to blame? The organisation who failed to train their employee in information security, or the employee who should have used their common sense?

But as obvious as it is to all of us that HMRC confidential data should not be put onto a disc and into the post, and as ridiculous as it seems that a civil servant would leave top secret documents on a commuter train, hindsight makes it all the more apparent.

Human error is as certain as technology failure. People make mistakes. It’s impossible to eliminate this risk. People are unpredictable, and even when educated and information security savvy, there’s still the potential for oversight. While education can go a long way towards reducing the risk of the accidental insider threat, it does not help to protect against the malicious insider threat.

The insider threat is particularly deadly because it has the ability to bypass the physical and logical controls you’ve put in place to protect the perimeter of your network. In addition, the insider threat has already obtained credentials to access a significant portion of your infrastructure.

The Verizon 2008 Data Breach Investigations Report, which looked at over 500 serious security breaches over the past four years, says external security breaches generally compromise a median of 30 000 records, while an insider security breach results in data loss affecting a median of 375 000 records.

Attacks from insiders are more damaging, and not only statistically. Seeing your organisation hit by somebody you instilled trust in, is not only a blow to confidence, but also to morale, causing psychological damage as well as monetary.

As we continue to witness our government, and other public and private organisations displaying their inability to secure our data, and we watch vendors scrambling to advertise their technology as ‘the solution’, most people are neglecting to recognise the most obvious and most essential protection of all – education. In this issue’s cover story (p.14), Cath Everett gets to grips with why two thirds of the worst security breaches over the past year have had an internal cause, and offers advice on good security practice.

Of course, I’m not advocating that technology is redundant, it’s certainly not. What I am suggesting is that while ‘belt and braces’ is an old-fashioned phrase and concept, its relevance could never be greater. Secure your organisation with the necessary technology, and then educate your people. Be aware that 100% security isn’t possible, understand that both people and technology can and will fail, and make sure that when they do, you’re ready to pick up the pieces.

Take care,

Eleanor Dallaway


SEPTEMBER 2008
