
We are the other people
You’re the other people too
“Mother People” – Frank Zappa
So just who is it that messes up great security plans and policies? You know, those folks whose boneheaded stunts compromise even the best security efforts? The people who use webmail accounts for company business. The people who write their login credentials on little yellow stickies taped to their displays. After extensive research I have found incontrovertible evidence that it’s the other people.
That’s right. The other people. But here’s the bad news, pilgrim. Frank Zappa had it exactly right – we are the other people and you’re the other people too.
Sometimes the other people are those pesky end users, such as the guy described in this article from Nicholson Security who logs on to his company’s VPN remotely from Starbucks and then proceeds to the rest room for 15 minutes, leaving his laptop unattended and unsecured. Sure, it’s easy to conclude that the guy in question is an idiot who should be spanked. But consider this: he’s just a guy (in this case a realtor) trying to get his job done. Like all other people. Like you. Like me.
My goodness, we’re being mighty understanding here. Does this herald a kinder, gentler Security for all? You wish! Seriously, why would you expect a realtor to understand why it’s important not to leave the company LAN wide open to anyone, including roving security pros? Okay, so this is a particularly bad example, since the guy left his laptop completely unattended in a Starbucks, so in all likelihood he is an idiot. But forgetting that for a second, did he ever get the standard education about his company’s security policy? I’m guessing that what he got was a quick “this is how you access Outlook from the new Citrix system,” either from the office admin or from the IT guy who installed the new Citrix system. And armed with that information, he set out to sell some houses.
Sure, it’s easy to find numerous examples of ignorant end users who bypass security policy just so they can get their jobs done as efficiently as possible. But what about the guys who create and enforce those policies? Sorry to say, they are other people too. Other people tend to take too much for granted with respect to the skill level and “tech savviness” of their constituent users. For the next example, I submit my own experience. In fact, the very experience that prompted me to write this.
My brother is developmentally delayed. That’s the currently PC version of mentally handicapped. For his birthday this year I got him an iMac. I set it up, got him on the internet, signed him up for a webmail account and showed him how to get started. Since all he wanted to do was take pictures with his digital camera, load them into iPhoto, send them to our Mom and surf the web, it wasn’t a very difficult training session. After about a week, he discovered that his email wasn’t working. Turns out I hadn’t set up his outgoing SMTP server correctly, and consequently no one was responding to his emails since he wasn’t able to send them. So I went over to fix it and discovered a number of unsent messages responding to phishing sites that were attempting to steal his information. Yikes! But all he knew was that these sites had some cute picture or swell program that he wanted, and he had to join so he could get it. My epiphany happened at this point. It had not even occurred to me to warn him about these kinds of sites, since I just automatically assumed that everybody knew about that. Bad assumption. We are the other people.
So let’s kick it up to a different level. What about the software project manager who cuts the QA time in order to get the product out the door in the (unrealistic) timeframe imposed by senior management in response to marketing intel about market windows? It’s easy to say that the project manager is wrong, because scrimping on QA will certainly lead to a lower-quality product, which translates into more bugs and vulnerabilities in the product. But the schedule was imposed by senior management, so it’s their fault. But senior management has reason to believe that if this schedule isn’t met, the product’s revenue will be substantially hurt because the market window will be missed. And then the shareholders will not be happy (read: heads will roll). Yep, other people just trying to do their jobs.
So the premise in the Nicholson Security article is borne out: people will always be the weakest link in security. I suspect that this sad fact comes from everyone trying to do too much with too little time and too few resources to do it correctly. Because that’s what it takes to compete in a global economy. We are the other people. You’re the other people too.

I just can’t help myself
Information security for everyone is a big deal with me. I even have a weblog devoted to that very ideal. So
The coveted Security for All “Energizer Bunny” award goes to Microsoft 

Todd at the Napera blog has two great articles 