Photo Credit: HealthGauge Flickr via Compfight cc
“When I was a child, I spoke like a child and thought and reasoned as a child. But when I grew up I put away childish things…” – 1 Corinthians 13:11.
“Just a spoonful of sugar helps the medicine go down.” – Mary Poppins.
So what have these two quotes got to do with IT security? Well, more than you would think. The spoonful of sugar used in children’s medicine was one of those enduring memories of childhood, making a cough mixture that was actually pleasant to take. But when we become adults, we find that medicine is provided au naturel; we can swallow a “bitter pill”.
Disney, purveyors of fine quality saccharin and candy floss for nearly 80 years, has continued in a practice of sugar-coating traditional tales in order to make them more palatable for children. Let’s take a couple of examples.
- In Rapunzel, Disney’s version sees the suitor releasing trapped Rapunzel from a tower after climbing down her own hair and living happily ever after. The Brothers Grimm had a very different take. Rapunzel’s hair is cut off and stolen by the wicked witch and when the Prince comes to rescue her he is blinded when he falls face first into thorn bushes. He wanders in this condition for years through the forest until he finally comes across Rapunzel and her tears repair his eyes; for the Grimm Brothers, this was a happy ending.
- Hansel and Gretel is even darker. With Disney the plot is sugared so that the children get lost in the forest. With the Grimm brothers they are abandoned by their parents due to a famine. When they finally escape and get home, their mother has died.
What is wrong with this view of life? Well, the original Grimm brother’s were meant to be cautionary tales to encourage children and adults alike to be aware of the dangerous world outside their door and to teach them to be on their guard. Would we need to have to warn our children of “Stranger Danger” if Disney was not selling such sugar-coated propaganda about the real world?
So what has this to do with the world of IT security? There is an ongoing challenge in getting a company and its people to be ready to deal with a whole slew of both technical and people-based attacks. These can range from phishing to Trojans, from DoS attacks to physical building intrusion. The primary outcome can range from a simple data leakage to a company grinding to a halt. The secondary outcomes are more unpredictable and can be far longer lasting; regulatory fines, loss of customer base or removal of licence to operate. Also, let’s not forget that your staff are your life blood. They are capable of reading the writing on the wall, making an educated decision and voting with their feet.
These are the kinds of messages that need to be emblazoned on the wall of reception as you walk through the company front door. You may say this sounds rather draconian. No, I don’t exactly suggest you hang the traitors from the front portcullis, but it might not be a bad idea to name and shame. Don’t sugar the pill, If your member of staff is breaking the rules, don’t let them go quietly with a package to save face for all. Go full guns and do it publicly.
If the message is that the infrastructure is so secure that nothing can get in; that the castle walls are high and impregnable, then the obvious result is complacency. The spoonful of sugar is applied and suddenly a new exploit comes out and it’s the firewall not the medicine that is going down. We have all seen the movies, we all know about castles. There is invariably a tunnel under the moat, “secured” by a rusty lock that allows the bad guys straight into the keep. What good are your walls now?
Let’s also talk stereotypes. The bad guys are not the megalomaniacs of Bond movies allowing our hero to get away and save the day. The bad guys these days are not male, not single and do not die at the end of the movie. They are multinational criminal gangs and even your own employees. They are an amorphous group of people with a mixture of unpredictable rationales for doing despicable things. Hiding this complexity behind a man in a striped tee-shirt carrying a bag labelled “swag” in your corporate training package is borderline moronic.
Your stats of how many of your staff have passed their security awareness training will not save you when 10% of them still click the link on the phishing email test. The offer of a new shiny object is more of a draw than the threat of a smack on the wrist. No, the answer is making sure everyone is continuously being challenged and made aware of breaches and the impact. Tell your employees like it is and avoid the complacency that is engendered when you sugar the pill.