Security in the headlines

Real safety requires behavior modification, not just technical wizardry

At a conference last year, I made a potentially disastrous mistake. I walked off with someone else’s laptop bag, leaving my own case -- a black, standard-issue, backpack-style bag -- propped against a chair leg. I noticed the substitution about five minutes later, and returned to the scene of the inadvertent crime on a dead run. (My laptop computer may not contain state secrets or customers’ Social Security numbers, but it holds plenty of confidential information, not to mention virtually everything I’m working on at any given time.)

There, looking at least as worried as I, was the owner of the look-alike notebook case. He was frantically rifling though the contents, looking for ID or at least a cell phone number.

I sheepishly apologized for snagging his bag, and we performed a parcel exchange. Security disaster -- or at least major inconvenience -- averted; end of story. I hadn’t thought again about that somewhat embarrassing event until this week, when I read Security's weakest links by InfoWorld security beat reporter Bob Francis.

Taking a “ripped-from-the-headlines” approach when researching the article, Francis concentrated on five security breaches — from lost backup tapes at Bank of America to missing credit card information at Polo Ralph Lauren — that received copious media attention during the past year. “Most IT managers could imagine themselves in this situation,” Francis said, pitching the story. “Others are probably in denial, though this investigation might open some eyes.” Off he went, shaking down security gurus and consultants for advice on how to avoid repeating these kinds of miscues.

Francis’ most consistent finding is that security snafus often represent social or managerial failings, not technological ones. A few examples: Office security can be lax, leaving unchaperoned guests to wander the halls. Employees tend to leave sticky notes, complete with passwords and log-in names, plastered to monitor bezels. (For an elegant solution to the too-many-passwords-to-remember problem, check out Jon Udell’s screencast.) And, as I personally know all too well, people often forget to put their names on their laptops, opening a potential vulnerability.

Bulletproof networks, SSL-protected Web servers, well-designed identity-management systems, and the like are, of course, critical. After all, something as simple as encrypting data on backup tapes before shipping them to a separate facility will go a long way toward keeping your enterprise protected. But according to the experts Francis interviewed, the key is behavioral: “Real security is about getting a process in place, making sure it’s followed, and then constantly refining it.”

Needless to say, my notebook case now has a luggage tag.