Polite, helpful? Stop it at once in the name of security

In this article I'm going to talk about the second most important aspect of being an IT manager or engineer. “The second?” I hear you cry. Yes, the second, because the most important aspect is terribly dull and doesn't take 800 words to describe: safety. (And if you think I'm mad, ask yourself whether you'd break down the door of your secure data store to rescue the guy inside in the event of a fire).

The second most important aspect, then, is security. And that statement will annoy the hell out of business people (IT systems' purpose is to help them make money), system engineers (their purpose is to keep systems running and reliable), users (they need to be able to do their jobs efficiently and accurately and expect the systems to help them do that), customers (they want the online store to be snappy and deliver their order the same day where possible), … well, pretty much anyone.

As we all know, IT is one of those areas that only really gets noticed for its negative aspects. The beancounters see it as a cost centre and want to know why we can't get another year's use from the printers (hey, if they've coped for seven years surely another one won't make a difference).

The users only call IT when they can't get in, even if it's their own dumb fault for forgetting their mother's birthday and locking themselves out after three incorrect password attempts (then, given the chance, blaming IT when their mother didn't get a card).

The thing is, though, the same applies to security. And I'm not just talking about IT security – I mean security and corporate governance in general. And as with IT, the tangible benefit of security is generally pretty negligible … so let's look at some examples of how the downsides of security can completely nobble the best efforts of even the most efficient, effective parts of your company and your systems.

• Politeness is your enemy. There's only one sin greater than swiping yourself into the building with your electronic pass and then holding the door open for a colleague, and that's doing the same but holding the door open for a stranger. I saw someone do that when I worked in the defence industry and the stranger was a security auditor, and it wasn't pretty. Even if you've known your colleague for years, how do you know he or she wasn't fired an hour ago?
• Helpfulness is also your enemy. How many times has your Service Desk reset someone's password when the latter has phoned in to say they're locked out? And how many times have the Service Desk guys thought to themselves: “I wonder if that really was John Smith”?
• The good guys suffer for the bad guys. If you have a staffer under investigation for misusing IT equipment and they end up using someone else's login to carry out their sins (and the audit trail is full of the innocent party's login ID), you can't discipline the bad guy without also disciplining the “innocent” party for disclosing their credentials.
• Sales people are cowboys. Okay, that's probably an unfair generalisation … most sales people are cowboys. It doesn't matter if you bend the rules a little bit when (say) you borrow a colleague's password when you can't get in on the remote access service to download and print the contract you're trying to get signed. That's fine on the surface as it gets the job done, but these days it's highly likely that the customer who's watching you do it is thinking: “Hey, when they filled in that due diligence questionnaire, they said they didn't cut corners like this ...”
• Does it affect users? Yes, if you fire them for gross misconduct if they illicitly send confidential information to a third party. But it certainly affects them if there's a big breach of security on the website, the press finds out, the share price hits the floor and an asset-stripper picks up the remains in a fire-sale and points 90 per cent of the staff to the dole queue.
• And customers? Well, ask companies like TalkTalk what happens to the customer base and the bottom line when you have a nice, juicy security breach or two (and if you're not able to ask them, check out The Reg's story about it).

Security, then, has to be an absolutely core consideration for your organisation. After all, it's even worse than IT. At least with IT you get the occasional nice comment from a user when you give them a cool new laptop or you announce that the standard corporate mobile device for next year is the next-edition iPhone. The same can't be said of security: I can't recall any of my users ever saying: “Yay, what a neat RSA token!” or “Hey, I just thought of a fab password with at least one upper case character and some funky punctuation!”

But security/governance is as bad as IT in general when things go wrong: to paraphrase Henry Wadsworth Longfellow: when they are bad, they are horrid. ®