STORAGE VIEWPOINT - Throw away the key to all those secrets
I've just moved house. It's a nice place - a flat in west London.
But it's a stressful time and things slip your mind. Last week, I managed to leave my keys in the kitchen while popping out for a takeaway.
In a rush of panic that only comes from the realisation of the prospect of a night under the stars, I ran the mile or so to the estate agents, stumbled in through the door and demanded a spare set of keys. The guy I knew wasn't there, but a young assistant was only more than happy to help. Without asking for a name, let alone any proof of identity, he tossed me the full set of keys and told me to 'bring them back when I'd finished'.
However helpful the young man was, it highlights a generally poor attitude that people have towards security. My landlord had gone to the trouble of putting a lock on the front door to the block of flats and then fitting a mortice lock, a Yale and even those funny star-shaped keys at the top and bottom of my front door. No one could get through all that. Unless, of course, some damn fool gave the keys out to any Tom, Dick or Harry who happened to ask for them.
In IT, nothing much is different. At the top end of the scale, security is of paramount importance. Most organisations are beginning to realise their data is their most valuable asset. People are realising that data doesn't have to be top secret before it's worth protecting, but that tinkering with even the most mundane of files can lead to headaches and horror stories.
And malicious intent is only a small part of the problem - incompetence is the biggest danger to corporate data.
Keeping data safe is of utmost importance and a complete strategy must take everything into account. Encryption, passwords, antivirus programs and firewalls are all essential parts of an effective strategy and there are many products available. But a security strategy can only be effective if the measures work to provide a complete solution.
And the strategy has got to be more fundamental. Security isn't just an issue for the boardroom and the IT department. It must be company-wide policy. More than that, it has to be a policy that every employee is familiar with. But further down the organisation, security measures are seen simply as something that the IS department implement to annoy the workforce.
I remember reading a horror story a couple of years back about a market research company that phoned unsuspecting workers, introduced itself as the IS department, then asked them for their password. An alarming number confided in complete strangers.
In most offices, passwords are known to at least one other person. And you can have a good stab at guessing everyone else's if you know the name of their spouse or pet. To most, convenience is more important that security.
Passwords just make life difficult.
So, as well as installing the latest state-of-the-art security software, it's vital that staff understand why the software is there. It must become a sackable offence to turn it off or bypass procedures. It sounds very big brotherish, but this kind of insistence is the only way to ensure a security policy can work in the way that it's designed to.
It doesn't matter how many locks you've got, or how strong they are, if you can't trust the people who look after the keys.
Richard Williams is the editor of the IT Network.