Thursday, 29 April 2010

Security is not a dirty word.........

One of the great things about today's connected world is that it is so much easier to transfer information from one person to another. Some would say too easy: in our 'just in time' world we no longer store information or research it, but rather graze for it on an ongoing basis. I am just as bad. Instant gratification through the web means that anyone can be an expert on any subject while having in fact spent no time in the learning process that develops the rigour to test a theory or question what you have heard. I am often tempted to put a non-truth up and see how long it is before it comes back to me as fact.


I have just spent two weeks in the very north of Scotland at a place called Loch Ewe, very picturesque and a fascinating place (look it up on Wikipedia) with a key role in the Second World War. My stay was in support of a NATO exercise that is held in the Minch area twice a year, and involved me working from a shore headquarters high on the hill overlooking the loch. In that headquarters there are a number of computer systems, none of which talk to each other. All but one are isolated from the outside world, and that one is only approved for creating data of a very low classification; but there is always a requirement to share data between them in order to achieve the desired aim.


Often we would hear the cry "it is always the IT that messes you up", and in truth we could all say that about our systems at work. The point is that it is important for organisations to safeguard the data they hold at the right category. In Loch Ewe we did it by having distinct systems for Secret, Confidential and Unclassified. It was a constant pain to have to swap between them, and to realise that the document you were writing had suddenly changed classification because of its content, so that you had to change the content or rewrite it on the alternative system; but it made sure that national secrets were not out there for all to see.


Why should that matter to your company or the organisations that you work with? The fastest growing crime is identity theft, and we still do not spend enough time or energy safeguarding the key information that will unlock that door for the criminal. More and more small organisations are required by legislation to keep data on us. If you have moved house or transferred money, your passport and bank statements will have been copied and held as proof of ID, and usually this will have been done by a small organisation, a local solicitor or accountant for example, who has ADSL access to the Internet from any machine; and that means access from the Internet to the data they store. The chances are there is a low-end firewall protecting all that information that is never checked for intrusion, and the result is free access to your identity.


This is just the start though. The value of the intellectual property held on your company systems is staggering, and it becomes more valuable as we rely more heavily on the Internet for knowledge rather than learning the subjects through study. If I wanted to configure a Cisco router, rather than learning how to do it, why not rip off a script from someone else and use that? It's true that this would not work in a very complicated routing environment, but it would in a basic setup.


I know, why not do it for a firewall, because that would work!! Or better still, why don't I write a script and put it out there for everyone to use on their firewalls? Obviously I would then hide back-door access in it and track who had downloaded it, because that would give me full access to their data and they would be none the wiser (especially if they had used a third party to do the install work and the third party had not told them what they were doing!!)


The truth is that we have become too reliant on instant information. Up in Loch Ewe I could not just go onto the Internet to answer a question, or quickly search back through the data store I had left in the office in Bristol for an answer; I had to learn the information and know the answer. That's not to say that network-centric operations are not important and that industry should not use them; they absolutely should, as lean manning and faster response requirements can only be supported by digital technology. What it does not mean is that we can ignore the speed at which information can get into the wrong hands: witness our prime minister and a digital recording from a radio mic left transmitting from a secure car as it drove away yesterday!!


We have to strike a balance between our 'just in time' requirements and the security of an individual's information. It is no longer good enough for organisations to be able to review customers' personal data on the same computer that can be used to access someone's personal Yahoo web mail. Sooner or later someone is going to find a way to that information, or, more likely, someone in the organisation is going to accidentally send something they should not.


It is true: I have come to the sad but inevitable conclusion that distinct systems are the only way forward, and that organisations need to think about firewalling not only between the outside world and their system but also between systems and data stores within the operation, as the only way to stop accidental or deliberate data loss. This is especially important for organisations holding digital information about individuals and companies. Security is not a dirty word, but sometimes it is lost in our expedient world of data grazing.
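The separation the post describes, distinct systems for Secret, Confidential and Unclassified, a document taking the classification of its most sensitive content, and content having to be rewritten before it can move to a lower system, can be modelled as a small label check. The following is an added example, not code from the original post or from any of the systems at Loch Ewe; the three levels and their ordering are taken from the text, while the system names and the sample paragraphs are constructed for illustration. The rule it enforces (data may only be placed on a system accredited for at least the data's classification) is the standard "no write down" rule, and the generalisation to any number of ordered levels is mine.

```python
"""Label-separated storage check (added example, not the post's own code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Tuple

# Ordered classification levels, lowest first; the three names come from the post.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


def _rank(label: str) -> int:
    """Map a label to its rank, rejecting anything outside the known lattice."""
    if label not in LEVELS:
        raise ValueError(f"unknown classification label: {label!r}")
    return LEVELS[label]


@dataclass
class Paragraph:
    text: str
    label: str  # classification of this piece of content


@dataclass
class Document:
    title: str
    parts: List[Paragraph] = field(default_factory=list)

    def classification(self) -> str:
        """A document is classified at the level of its most sensitive part."""
        if not self.parts:
            return "UNCLASSIFIED"
        return max((p.label for p in self.parts), key=_rank)


@dataclass
class System:
    name: str
    max_level: str  # highest classification the system is accredited to hold


def can_store(doc: Document, system: System) -> bool:
    """No write down: the system must be accredited for at least the document's level."""
    return _rank(doc.classification()) <= _rank(system.max_level)


def transfer(doc: Document, dst: System) -> Tuple[bool, str]:
    """Decide whether a document may be moved onto dst, with a human-readable reason."""
    if can_store(doc, dst):
        return True, f"{doc.title} ({doc.classification()}) may be stored on {dst.name}"
    return False, (f"{doc.title} is {doc.classification()} but {dst.name} is only "
                   f"accredited for {dst.max_level}; remove the higher-classified content first")


def redact_to(doc: Document, level: str) -> Document:
    """The 'rewrite it on the alternative system' step: keep only parts at or below level."""
    keep = [p for p in doc.parts if _rank(p.label) <= _rank(level)]
    return Document(title=f"{doc.title} (redacted to {level})", parts=keep)


def demo() -> Tuple[str, bool, bool, str]:
    """Constructed sample: a plan mixing unclassified and confidential content."""
    plan = Document("exercise plan", [
        Paragraph("Forecast: westerly gale, sea state 5", "UNCLASSIFIED"),   # constructed
        Paragraph("Unit positions for the 0600 serial", "CONFIDENTIAL"),    # constructed
    ])
    lan_c = System("LAN-C", "CONFIDENTIAL")      # hypothetical system names
    lan_u = System("LAN-U", "UNCLASSIFIED")
    ok_c, _ = transfer(plan, lan_c)
    ok_u, _ = transfer(plan, lan_u)
    released = redact_to(plan, "UNCLASSIFIED")
    return plan.classification(), ok_c, ok_u, released.classification()


if __name__ == "__main__":
    print(demo())
```

The interesting behaviour is in `transfer`: the mixed document is refused by the Unclassified system even though most of it is harmless, because one paragraph raises the whole document's label. Only after `redact_to` strips that paragraph does the remainder qualify, which is exactly the rewrite-on-the-other-system chore the post complains about, and exactly why it works.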
