Since the advent of the interactive terminal and the beginning of computer security problems, new technologies have brought a continuing stream of new problems. We must welcome the technology advances but we can’t ignore the few downsides.
I think the first conflict between technology and security was the programmable function key. Some users entered their password under a function key so that hackers would press function keys on vacant terminals and one of them was bound to reveal a password (notes stuck on screens don’t class as technology!).
The next problem was the floppy disc, even more so when the smaller format appeared. A lot of data can be stored on a floppy and easily taken away undetected in a pocket. The equivalent amount of printed paper was far more difficult to smuggle! There is of course the joke of the man who sole wheel barrows…..
PCs were the next problem area. Before high sped local area networks became the norm, it was necessary to store working data on the local hard disc. This concept became so established that it still happens today, despite the networked servers. This made it easier to copy data to a floppy, but it also created a related problem of quality of data. It is frightening to think of all the business data that is in unknown locations, inadequately protected. Once bad habits become established, often by necessity in the beginning, they are very difficult to reform. This is going to be a major problem area with enforcing the use of the new security conscious systems.
Remote connectivity was the nest problem. People working from home needed access to central facilities, both data and applications. The password protection systems in common use internally could easily be extended to the remote log-in, but the management of such services is an extra chore and a remote connection, particularly dial-in, is potentially more vulnerable to hacking than a local one. In fact this is not true in terms of the magnitude of theft, since until recently 75% of theft by value has been perpetrated internally. But then comes the Internet and while the problems of security are similar to those created and solved by remote workers, the scale is much wider. Furthermore company employees are hardly likely to make malicious attacks, but the Internet has unfortunately generated a small set of twisted minded people who take great pleasure in destroying things. The uncontrolled expansion of PC networks in all organisations, with a dominance of software with an unenviable reputation for security flaws, coupled with the commercial need to connect and be connected to the Internet has created a perfect environment for these hackers.
However one of the most vulnerable areas is the lap-top PC. I am still convinced that only a small percentage of these machines could be business justified; many are status symbols and, frankly, executive toys. Even so they all load them up with applications and data, most of which is of little value. Some data is created within the lap-top, but some is down-loaded. I wonder just how much of this data is of business value and is it controlled? Stealing lap-tops is a common practice, since they are small, of high unit value and in demand. If a stolen lap-top can be sold for a few hundred Euros, I wonder how much the data would be worth in the hands of the right (or wrong) person? Fortunately most thefts are opportunistic, but the carelessness that accompanies most lap-tops is worrying.
All business lap-tops should be protected. A password should be essential to activate the operating system. This can be entered via a keyboard but there must be an increasing need for more sophisticated techniques such as biometrics (e.g. thumb prints) or smart cards. Simple password protection is probably not enough, since if someone can get in then they can access the data,. A more comprehensive approach is to encrypt the data itself. Software products such as SafeBoot work at the driver level and encrypt the raw data on the local hard disc. These products are supported by a central management server to regularly update and to handle lost keys. They cost about _ 100-200 for each lap-top, and yet it is only a small percentage of machines that are protected. It seems a false economy not to invest in security, if these lap-tops are of any business value that is.
Martin Healey, pioneer development Intel-based computers en c/s-architecture. Director of a number of IT specialist companies and an Emeritus Professor of the University of Wales.