Last week I captured through my mobile phone camera the user account, password and URL of a confidential human rights monitoring and advocacy database. The users had plastered these details on a public notice board for easy reference, in a manner that could be viewed by anyone who came into the office.
It hadn’t occurred to them that this wasn’t entirely the best thing to do. These are computer literate, committed and experienced human rights activists, who have no interest whatsoever in jeopardizing the information in the database and are acutely aware of the consequences of information in the database falling into the wrong hands. Yet, this sort of practice is common – in another Sri Lankan human rights advocacy organisation, users had actually posted up access details on Post-It notes that were stuck to the monitor!
InfoShare’s significant experience in the design and deployment of highly secure ICT solutions for peacebuilding / human rights protection suggests that network intrusions and data leaks are often the result of the monumental carelessness and oversight of end users rather than any sophisticated remote hacking by a third party. Sustained user education on security is vital, as is the design of information systems with multiple safeguards against this sort of bad practice.
As I told the colleague responsible for this particular oversight, good IT security hopes for common sense but plans for the risk of disappointment.