How the selection of the tool to be used in a specific problem can lead to glorious success or catastrophic failure
October 8, 2020
Not the password we want, but the password we need
November 5, 2020
Computer technology is the, unfathomably evolving, assisting prosthesis to societies, economies, and individuals, attempting to persevere in a world stricken by the pandemic.
And yet sometimes…it – the prosthesis – does not fit all that well. Sometimes the grafts get rejected… Or the amputee rehabilitation fails – since he/she/they never lost the limb – they must learn to use. Or even – and here is where all immersion in medical similes fails spectacularly – someone gets control of that extra *insert appendage of choice* and gives you a thorough thrashing with it.
Avoiding said thrashing is the job of data security. But how do we go about implementing it? More is more right? Is the weak point the manufactured one, the interface, or the user-patient?
In the yesteryears, everyday tools got away with laconic big WARNING signs. Using a bandsaw for example, one did not have to be a master-luthier to associate mistakes with delimbing one’s self. That is not the case today though, when the tool evolves constantly, along with its associated risks, but the user and his ability to understand it remains the same. We keep stacking new technologies and implementations one upon the other, but leave the user to his own devices? The “binomial” will keep getting more and more precariously balanced.
So, what does the IT-doctor prescribe?
Complete automation?
I mean yes…we could fully restrict and monitor each and every user’s activity to the point where they work on a fully sterilized environment. Will this promote productivity though? And more importantly are we certain we can maintain such condition permanently? Finally, can we persuade our clients that they need to keep paying for such an implementation?
Well, we always come back to the adage (sic) “Τhe user needs the expert and vice versa”.
The users need to be educated and appreciative of the dangers lurking in their work environment. A pop-up warning is not something to be ignored or even scared of.
Simplified and concise knowledge of what the various paraphernalia, installed by the IT department, do is key. Such training will allow the user to better understand and notice irregularities, to trust and inform the IT Department timely and point them in the right direction. Mind you “this icon should be green” should not be considered simplified but rather dumbed down.
“This is my AntiVirus | Firewall | VPN client | OS Updates | […], it does […]” should be something taught and familiar for all users requiring a workstation to function. Such education becoming the norm, will fortify against social engineered attacks/phishing attempts as well.
Starting from the fundamentals makes more “convoluted” necessities & requirements easier to understand and not “just something the IT claims we must do”. Security should never interrelate with inconvenience in the users’ minds.
Clients’ Management & HR understanding and approving the above, will certainly be more amenable to go further down the rabbit hole with triple A controls, backups & recovery, encryption, masking, erasure police etc.
See you all safe and sound in the next installment!
Various tidbits and rumblings by Apostolis Drakakis
Any meme resemblance to actual persons and work conditions is purely coincidental.
