Ultimately, IT is responsible for security breaches even if it's not at fault.
Late last year, Plano, Texas-based Hillary Machinery lost $800,000 to cyber theft when attackers stole the money in a series of transfers from Hillary's PlainsCapital bank account. PlainsCapital was subsequently able to recover about $600,000.
As you might expect, Hillary demanded that PlainsCapital repay the unrecovered funds, saying PlainsCapital didn't provide adequate security measures. Up to this point, there is nothing especially noteworthy about this situation. Sad to say, but cyber theft just isn't all that unusual anymore.
However, what happened next has gotten a lot of attention beyond just west Texas. PlainsCapital is suing Hillary Machinery, the victim!
In what appears to be a pre-emptive move, PlainsCapital is asking the court to certify that the bank's security measures are reasonable. In effect, the bank is saying that it is Hillary Machinery's fault the money was stolen.
PlainsCapital contends that it's not at fault since the transactions were initiated by someone with valid Internet banking credentials belonging to Hillary Machinery. Hillary Machinery argues that there are a number of peculiarities about the transactions that should have caused PlainsCapital to examine them more closely.
This situation typifies the classic security dilemma. Everyone wants three things from their security system:
- Strong security. Everyone wants the highest level of security
- Low cost. It can't cost a lot to build or maintain
- Ease of use. It can't be complicated or people won't use it
Security experts will tell you that you can only get two of these. You get to pick which two you want, but one has to be let go. Reality is never absolute. We end up making compromises trying to get a reasonable balance and sometimes in the end we lose all three.
This conflict was described well in a comment by Yaron Levi to an article about another bank related cybertheft. Levi wrote:
"We have a solution that can totally protect the bank customers. Guess what, I spoke with few banks' and offered them the solution. They all agreed it will solve the problem but claim that unless the law will mandate it they will not spend money on better security.
I asked one of them if the banks' customers will be willing to pay something small (say $5 per month) for better security. The guy laughed at my face and said his customers already complain that using a password and security questions is too complex."
In this example, low cost and ease of use were judged more important than security. Corporate IT faces this dilemma every day. Unfortunately we don't have the option to sue our customers. Even when a non-IT employee clearly is to blame for a security breach, IT is still responsible. It's our job to maintain a secure environment and to keep it low cost and easy to use. A delicate balancing act, indeed.
Our fellow employees are the greatest threat to security, and at the same time they can be its most important element. Technology can improve security, lower the cost and make it easier to use, but it is all for naught if people don't actively participate in maintaining a secure environment. Technology alone will not work.
I believe Dan Morill stated it best: "We need to remind ourselves again and again that information security is not a technology issue – it’s a people issue. We are reliant on people, their awareness, ethics and behaviour, and we must understand what they want to achieve if we are to accomplish the goals of business. This includes the employees that deliver our services and the customers that take advantage of them, as well as the senior executives and board room directors that grant us our budgets."
Although this seems like a no-win situation, there are a number of things we can do.
Raise security awareness - Good security is like the electrical grid, no one thinks much about it until it fails. While you don't want to create hysteria, you might want to make people aware that there are real security threats. Does anyone outside of IT know how many intrusion attempts you've blocked or how many virus threats you've countered? Maybe they should.
Knowing this may make people a little more rigorous in following security provisions, and management may be willing to spend a little more on security if they know what it is doing for them.
Avoid the Chicken Little syndrome - There are new security threats every day. It's our job to assess them and act accordingly. Part of this is knowing when to raise the alarm and when you shouldn't. "The sky is falling" didn't turn out well for Chicken Little, and likewise a constant security crisis attitude eventually will dull people's sensitivity to security.
Match the security to the risk - One way to get people more accepting of stronger but more difficult to use security provisions is to only use them when truly warranted. Save the tight security provisions for the really important stuff. Treating everything the same tends to lower the overall significance. Does access to the stock records in the parts warehouse really need the same tight security as the payroll records?
Alternatively, you might consider a single sign-on system that, when coupled with behind the scenes security profiles, lets management control access with a minimum amount of inconvenience.
In the end you have to get people involved and actively manage security because even though you may not be to blame, you are the one responsible.
"Old Vault Door" photo by Daniel Leininger / CC BY 2.0
This article is also posted on Forbes.com. Feel free to join in the discussion either on this site or at Forbes.com
If this topic was of interest, you might also like these:
- Security In The Cloud
- Security and the Myth of the Superuser
- People and IT Security
- Or the posts in the Security category
Recent Comments