IT Security: Planning for the lack of commonsense

Last week I captured through my mobile phone camera the user account, password and URL of a confidential human rights monitoring and advocacy database. The users had plastered these details on a public notice board for easy reference, in a manner that could be viewed by anyone who came into the office.

It hadn’t occurred to them that this wasn’t entirely the best thing to do. These are computer literate, committed and experienced human rights activists, who have no interest whatsoever in jeopardizing the information in the database and are acutely aware of the consequences of information in the database falling into the wrong hands. Yet, this sort of practice is common – in another Sri Lankan human rights advocacy organisation, users had actually posted up access details on Post-It notes that were stuck to the monitor!

InfoShare’s significant experience in the design and deployment of highly secure ICT solutions for peacebuilding / human rights protection suggests that network intrusions and data leaks are often the result of the monumental carelessness and oversight of end users rather than any sophisticated remote hacking by a third party. Sustained user education on security is vital, as is the design of information systems with multiple safeguards against this sort of bad practice.

As I told the colleague responsible for this particular oversight, good IT security hopes for commonsense but plans for the risk of disappointment.

3 Comments on “IT Security: Planning for the lack of commonsense”

  1. cerno
    June 1, 2008 at 1:59 pm

    I’ve found that Sri Lankan IT systems are easy to social engineer your way through ;) The fewer details I give on that, the better. Though you have to be a local to bust in. Seems infoshare.lk is not too different.

    Experience has taught me that “common sense” is rarely common.

    As for the slippery intersection of usability and security, a comment I saw long ago on slashdot.org comes to mind: “Secure, cheap and easy to use – pick any two” – source unknown

  2. Sanjana Hattotuwa
    June 1, 2008 at 5:03 pm

    Hi Cerno,

    To clarify, InfoShare / InfoShare.lk has nothing to do with the specific database – we developed it and it’s hosted on our secure servers, but that’s about it.

    We specifically asked users to not write their accounts / passwords down in public places, which sounds ridiculous until you realise that these are people who have no clue about information security in virtual domains.

    SH

Trackbacks/Pingbacks

  1. Information (in)security at the United Nations, New York « ICT for Peacebuilding (ICT4Peace) - November 8, 2008

    [...] November 8, 2008 In June this year, I was appalled to realise that colleagues in Sri Lanka mindlessly wrote sensitive information on public information boards.  [...]
