IT Security: Planning for the lack of commonsense

Last week I captured through my mobile phone camera the user account, password and URL of a confidential human rights monitoring and advocacy database. The users had plastered these details on a public notice board for easy reference, in a manner that could be viewed by anyone who came into the office.

It hadn’t occurred to them that this wasn’t entirely the best thing to do. These are computer literate, committed and experienced human rights activists, who have no interest whatsoever in jeopardizing the information in the database and are acutely aware of the consequences of information in the database falling into the wrong hands. Yet, this sort of practice is common – in another Sri Lankan human rights advocacy organisation, users had actually posted up access details on Post-It notes that were stuck to the monitor!

InfoShare’s significant experience in the design and deployment of highly secure ICT solutions for peacebuilding / human rights protection suggests that network intrusions and data leaks are more often the result of monumental carelessness and oversight by end users than of any sophisticated remote hacking by a third party. Sustained user education on security is vital, and so is the design of information systems with multiple safeguards against this sort of bad practice.

As I told the colleague responsible for this particular oversight, good IT security hopes for commonsense but plans for the risk of disappointment.

3 thoughts on “IT Security: Planning for the lack of commonsense”

  1. I’ve found that Sri Lankan IT systems are easy to social engineer your way through 😉 The less detail I give on that the better. Though you have to be a local to bust in. Seems is not too different.

    Experience has taught me that that “common sense” is rarely common.

    As for the slippery intersection of usability and security, a comment I saw long ago on comes to mind: “Secure, cheap and easy to use – pick any two” – source unknown

  2. Hi Cerno,

    To clarify, InfoShare / has nothing to do with the specific database – we developed it and it’s hosted on our secure servers, but that’s about it.

    We specifically asked users to not write their accounts / passwords down in public places, which sounds ridiculous until you realise that these are people who have no clue about information security in virtual domains.

