It’s not funny when security becomes a joke

If you point out that security has become a punch line, maybe your users will realize that what they do matters

How much has computer security changed since the last time you looked? It’s now a half-hour TV comedy called Breaking In. Will it be funny? Will it be realistic? You’re missing the point: Security is now so mainstream that it’s getting the Two and a Half Men treatment — and that’s bad news for your IT shop.

The problem isn’t that a sitcom based on penetration testing will teach bad guys how to break into your systems. They already know more than they’re likely to learn from a bunch of TV-show gags on Wednesday nights. No, the problem is that, more and more, the general public thinks of security itself as a joke.

Consider Anonymous, the group that attacked Visa and MasterCard after the credit card companies stopped processing payments made in support of WikiLeaks. After security firm HBGary Federal said it knew who the leaders of Anonymous were, five of the group’s members hacked their way into HBGary’s servers and published 50,000 embarrassing company emails — and then explained how they took advantage of HBGary’s lax security to break in.

That was February. In March came the punch line: The Anonymouser who had pretended to be HBGary’s CEO and needed only a 15-minute email exchange to convince the company’s systems administrator to drop security is actually a 15-year-old girl. Or at least that’s what “Kayla” claimed in an interview with Forbes. Oh, those wacky kids!

The day after that revelation, RSA Security announced that someone had broken into its systems, rooted around and walked away with secret details of RSA’s SecurID authentication technology — and those details might, the company warned, make the pricey SecurID less secure for, um, ID’ing users.

And that was just a few weeks after a man from Belarus pleaded guilty in New York to running an identity theft ring that compiled detailed dossiers on each victim in order to make sure the thieves would have an answer for every conceivable challenge question when they called to transfer money or make other fraudulent transactions.

Those dossiers included everything from Social Security numbers to — actual example — a victim’s oldest sibling’s nickname. With ammunition like that, challenge-based security really is a joke.

Yes, it’s that bad. And the usual ways you might try to up the security ante — pile on the encryption and biometric authentication and lots of other cutting-edge security technology — won’t fly. They’re too expensive, and besides, the weak links are almost always people, not technologies.

But instead, what if you go straight to users and point out the joke that security has become? That there really are bad guys out there, and security problems are so widespread that they’re not just all over the news, they’re even the subject of TV comedy.

And that makes it more important than ever to remember the basics: Don’t share your passwords or leave them out in plain sight.

Don’t let strangers through security doors. Don’t assume that anyone who calls you is from IT. And don’t send any company information to anyone unless you’re sure they’re supposed to have it.

Who knows? If you point out that security has become a punch line, maybe your users will realize that what they do matters. And if that gets them to take security a little more seriously — well, that’s something worth smiling about.

Frank Hayes has been covering the intersection of business and IT for three decades. Contact him at cw@frankhayes.com.