Why people are the strongest link in security


It is an often quoted truism in IT: “People are the weakest link in security.” It’s believed to be so by many IT security professionals because even though you can build a seemingly watertight security system using the best technology money can buy, clever social engineering, a disgruntled employee, or someone simply having a bad day can cause it all to fall apart. And thus it goes: Security technologies and professionals are tending towards eliminating the human factor as much as possible in the constant battle against the ‘enemy’.

And yet, I get the distinct impression that the computer world has become less safe instead of more safe over the last 10 years. Despite advances in encryption, two-factor authentication mechanisms, and biometric passwords, our digital life has become fundamentally less secure instead of more. And it has nothing to do with technology. As we spread our personal information wide and far across the Internet, stored on servers hosted on different continents and by people we don’t know, the human touch we’re used to in our personal lives is absent. And it is in this environment where real human interaction is absent and substituted by a digital medium such as a website, e-mail, or instant messaging, that we have become less secure.

Security starts with intention. The first and most important step in any security system or process is not simply to understand what you are protecting and why, but to feel a personal commitment to securing that thing (or person for that matter). If you don’t care about what you are supposed to protect, you will subconsciously (or consciously) make mistakes in protecting that thing. It’s very simple: If something isn’t that important to you, you don’t give it much attention. And thus we arrive at the crux of the crisis in modern IT security: intention.

Many organizations treat their employees as ‘resources’. In such organizations people exist to serve the company. Their own will and purpose in life are made subservient to the greater corporate good. This subtle and constant messaging informs employees of their worth and their function, and it is also the way in which computer (and corporate) security is undermined. Be it an IT help desk worker, a security guard, or the corporate accountant, anyone who is robbed of their personal value will not see or feel value in the part of the business that they are responsible for protecting. And this results in corrupting the most important factor in security: intention.

Intention is important when performing the many activities in the digital world that affect our security. Software programmers for instance are usually rushed to finish software as fast as possible to meet commercial deadlines, to ‘open new markets’, to beat the competition, or to make a quick buck. In this rush the intention that is quietly communicated to the programmer is: what this software is going to do for the company is the most important factor, all other factors (such as security) come in second place or lower. That intention is then passed on to the software in the form of security flaws and designs that do not respect the security and privacy of the user of that software.

Another example is the protection of personal information. In recent years there have been unprecedented thefts of personal information from major banks and retailers in the United States. Millions of people have been affected by having their personal details stolen and sold on to criminals whose intent, I’m certain, can be classified as ‘not friendly’. While I’m not familiar with the exact details of how this data was secured or stolen, I don’t believe the root of the problem was technology. Even if the data had been completely encrypted, firewalled, and buried beneath layers of IT security, I believe the root cause of these thefts is corporate intentions.

The theft of data from JP Morgan Chase resulted in that company doubling its IT security budget. In other words: “Up until now we didn’t spend the amount of money that was needed to properly secure our customers’ data; we instead spent a fixed percentage of our IT budget on security because it gave us a good balance between making profit and not being caught with our pants down.” The basic intention in this case was that customer security was not the most important goal, corporate profit was. This intention was then passed down to the IT employees and contractors that designed, built, and maintained the infrastructure and systems on which this customer data was stored and processed, and voilà: you get a security breach. No surprise.

And so this brings me back to the title of this article: People are the strongest link in security. It begins with your intention, and it starts at the top of the corporate decision-making chain – from shareholders to directors and down to employees. People are the body of any security system from the moment it is conceived to the day it is implemented, and intention is the lifeblood that maintains that system. If your intention is to treat your customers’ information or digital assets as if they gave you their most valuable possessions, a piece of themselves, it will inform and activate your awareness and that of everyone in your organization. The result? Every action you and everyone takes will strengthen and fortify the security of not only the digital assets in your care, but that of your most priceless asset: the relationships you have with your customers, your colleagues, and the rest of the world.
