Andy Smith, a Chartered Fellow of BCS – The Chartered Institute of IT, explains how we could be over-complicating the issue of cyber security…
‘To prevent viruses and malicious code, Government IT suppliers often block encrypted emails, so people send sensitive information in unencrypted emails. What the suppliers are doing for security reasons is effectively making things less secure.’
Andy Smith is a Chartered Fellow of BCS – The Chartered Institute of IT. He is a Chartered Security Professional dealing with government information assurance.
‘Blocking encrypted emails is often seen as required to stop malicious code, as virus scanners cannot check encrypted content, but what those recommending this don’t understand is that security should be risk management for the business. From their “technical security” point of view, they put blanket bans on things. Staff then resent security as it’s seen to be stopping them doing their job.
‘Another example is unnecessary complexity. Users should not have to remember multiple complex passwords as they are forced to write them down, reducing security and increasing helpdesk calls. Ten years ago you needed one set of credentials to start your computer, another to log on to the operating system, and then another to log on to the network.
‘Now, you can have one set of credentials with a token and 2-factor authentication, like most banks use. The computer can have keys securely stored which can authenticate the computer to the network. This improves user productivity and stops people writing their passwords on bits of paper and leaving them with the machine. If inexperienced people make the security hard, it gives people like me a bad reputation and reduces productivity. People blame security for things that either have nothing to do with security or people doing security badly.
‘The Government is changing its policy and the suppliers need to keep up. My concern is you’ll have these problems all over again for another reason in two years’ time.’
Edited by Professor Andy Friedman, CEO of PARN
First appeared in Newsweek, edn. 15 May 2015