Ira Winkler: Stupid users, or stupid infosec?
When security professionals see stupidity all around them, shouldn't they ask themselves whether it's their own precautions that are lacking?
Computerworld - I regard Thornton May as a thought leader in the field of information technology, but his Nov. 19 column, "Can Infosec Cure Stupid?", had me scratching my head.
Unusually for him, May's underlying assumptions are flawed. He argues that end users are generally stupid, his evidence being that they don't understand how the devices they use work and that they do stupid things with those technologies that render them vulnerable. His solution: All users should have a brain trust of security-savvy people they can turn to with their questions. I know many of the smart people that May says make up his personal brain trust, and I certainly hope none of them told him that this column was a good idea.
Let's look at the "people are stupid" assumption. It's true, May contends, because you would have to be stupid to leave your laptop or cellphone at an airport checkpoint or in a taxi. But hundreds of thousands of people have done this. In a group of that size, there are going to be people who avoid all guidance and do things purposefully or ignorantly wrong, and can be considered "stupid." But how many are we talking about, really? Those hundreds of thousands of people include people from all walks of life, including high-ranking executives, which is why their carelessness matters so much. Is it really helpful to chalk up that carelessness to stupidity?
I have to think that this situation -- hundreds of thousands of reasonably bright people just walking away from valuable assets like laptops and smartphones -- demonstrates not their stupidity but a flaw in the measures taken by security professionals. Think about it: If something happens so often, and clearly is not done intentionally, then a good security professional should realize that the problem is not the people but the process. So who's looking stupid now?
A good security professional should realize that airport checkpoints are mentally overwhelming for even "smart" people. People are rushed. They are forcibly separated from their laptops and other devices, among many other personal belongings. There is a lot for people to account for under stressful conditions. I even know many smart security professionals who have left devices behind.
What is smart is for security professionals to acknowledge that while they cannot prevent laptops from being left behind, they can ensure that the laptops are physically marked so that the TSA can restore them to their proper owners. They can install laptop-retrieval and whole-disk encryption software on the laptops. They can make sure that any data on a missing laptop can be remotely wiped.
More by Ira Winkler
- Ira Winkler: My run-in with the Syrian Electronic Army
- A simple cure for the cybersecurity skills shortage
- Ira Winkler: 6 failures that led to Target hack
- Ira Winkler: The RSA Conference boycott is nonsense
- Electronic privacy? There's no such thing
- Guys, stop creeping out women at tech events
- Ira Winkler: Stupid users, or stupid infosec?
- We're missing out on the value of security awareness
- Are your security professionals qualified?
- Ira Winkler: Press falls short in reporting on chip hack
- Securing Mobile App Data - Comparing Containers and App Wrappers Analysts agree that Mobile Device Management (MDM) is not enough when it comes to securing app data. Although it remains a critical component...
- PCI 3.0 Compliance In this white paper, learn how PCI-DSS 3.0 effects how you deploy and maintain PCI compliant networks using CradlePoint devices.
- Mitigating Security Risks at the Networks Edge This white paper provides strategies and best practices for distributed enterprises to protect their networks against vulnerabilities, threats, and malicious attacks.
- 5 Strategies for Modern Data Protection Read the five strategies for modern data protection that will not only help solve your current data management challenges but also ensure that...
- Business-driven data protection Setting up data protection infrastructures with your organizations' core mission or business in mind is key. In this webinar, the ARCserve team will...
- On-Demand Webinar: Mind the Gap! Watch the webinar featuring Bob Janssen, CTO and Co-Founder of RES Software, to start building a solid foundation for business and IT to... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!