Security: The Problem Is that People Are Human

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

This PC Advisor story -- which focuses on the carelessness of UK Facebook members -- will depress security personnel. Facebook, of course, is worlds away from corporate applications. But not all Facebook users are teenagers and some of the behaviors described in this story no doubt are carried into the workplace.


That's a scary thought. Without getting too deeply into the minutiae of how Facebook works, the story describes how easily folks allowed access to vital information, including in some cases their mother's maiden name. The bulk of the story is based on Facebook members' reaction to a fake profile set up by security firm Sophos. Twenty percent of those who received random requests allowed access to their full profiles. The story says that 72 percent of those who allowed access also gave out their e-mail addresses, 84 percent revealed their dates of birth and 23 percent provided their phone numbers.


The key point isn't that Facebook users are careless. It's that people in general are careless. Perhaps such behavior so boogles the collective mind of the IT department that they have trouble dealing with it. Unfortunately, there are a legions of folks out there who just don't get it. Some of these use corporate computer networks. Worse yet, some of these folks actually run the companies.


There are a number of ways that user sloppiness can hurt the organization. Phishing, of course, is one. The danger of criminals' clever rouses designed to separate people from their identifying data is evident by research done by Markus Jakobsson at Indiana University. Jakobsson -- whose work was outlined in ComputerWorld's coverage of the Usenix Security Symposium in Boston -- ran experiments that showed people are willing to trust half-signed digital certificates. While subjects did a good job of not clicking on links in e-mails, some did copy URLs and paste them into their browser, which also is potentially dangerous. Finally, Jakobsson found potential problems with credit card procedures and the willingness of professors to use university passwords to gain access to sites that didn't look like they were hosted by the school. DogReader does a good job of describing the next phase of phishing, which is spear phishing. This is the practice of using specific information to send a request for information that appears more realistic. The example used in the posting is an e-mail that appears to come from the IT department asking for an employee's security code. If done well, it is difficult to distinguish between these forays and legitimate e-mail.


Phishing is one way in which user ignorance or laziness can cause losses. Another is physical. TechNews offers several tactics to ensure the safety of laptops: Treat the device as cash; keep it locked; store passwords elsewhere; don't ever leave it alone, and be especially vigilant in hotels, airports and, presumably, similar venues such as public hot spots.


The unfortunate reality is that there are many ways in which employee ignorance, laziness, or even, in some cases a desire to do a good job can cost a company. Perhaps the most frightening single issue, however, is that the awareness of the dangers seems to be strikingly low. Combining this with the cleverness and brazenness of cyber criminals creates great danger for organizations. This drives home the need for proactive corporate policies backed by strong technology.