IT strategy – The naked truth

Mrs Berry started getting worried when pictures of ladies in various states of undress appeared on our home PC. A hunt is on for the pornographer in chief. But the offending material is not the product of my late night surfing – honest, guv. It’s all to do with IT security (or my four-year-old has been clicking on dubious pop-up adverts).

Not only did our home PC security software expire some time ago, we also recently installed a wireless network but, like a third of all wireless networks in the City of London, left it unsecured. For all we know neighbours and passers-by could be using our broadband connection and PC to trawl the dark corners of the internet. Our PC became infested with spyware, malware and other nasties, and it has taken a few hours of disinfecting and encrypting to get it running properly again.

For the personal computer user, IT security breaches are mostly minor irritations. The consequences of IT security issues in business, however, are rather more serious than the occasional full frontal.

Hackers and viral threats are well known. Distributed denial of service attacks, where systems are bombarded with multiple messages (a bit like asking your computer to calculate the value of pi to infinity and seeing how long it takes to blow up) are on the rise. But, in general, most IT departments are pretty clued up about protecting against these direct assaults on systems.

But there are other ways for criminals to get hold of sensitive company information, without them having to hack into company systems – like buying it on eBay. In the past few weeks, company documents, passwords and customer credit card details have all been found on hard drives bought in online auctions.

In some cases, the previous owners – many of which were large multinationals – had made little or no effort to erase the data from machines before disposing of them. In a few cases companies had employed third parties to cleanse the disks for them, but still information was retrievable. “This is not embarrassing for us; it’s absolutely horrifying,” said one company.

The real weak link in IT security, however, is from within an organisation. Employees have a habit of making life easier for the cyber criminal. People are forgetful, so they tend to use passwords that are easily identifiable. The word ‘password’ is a popular and ill-advised choice, as are children’s names and birthdays.

Employees are also excellent at leaving sensitive documents and equipment lying around. Research among 900 black cab drivers in London suggests that more than 74,000 laptops, mobile phones and PDAs were left in the back of taxis in the past six months alone.

People also like to talk and so can be persuaded quite easily to give up all sorts of sensitive information. It is far easier for a hacker to call a junior employee of a large company, pretend to be head office and ask the employee for their logon details than it is for the hacker to try to directly break into a system.

Human beings are just too trusting. It seems they can even be tricked into divulging their most precious secrets to complete strangers on the street. Research carried out for trade show Infosecurity found that nine out of 10 people questioned were willing to part with personal information that could be used for identity theft.

Offering theatre tickets as a reward, researchers asked 200 pedestrians about their theatre-going habits. But in between seemingly innocuous questions about attitudes towards the theatre, the researchers managed to obtain information such as dates of birth, mothers’ maiden names, addresses and school histories – enough information to open a bogus bank account in the respondent’s name.

Pushed further, no doubt those same respondents would have happily divulged their company user names, logons and security codes to the smiling survey takers in the hope of getting cut-price tickets to Chitty Chitty Bang Bang.

The capacity for people to fail to engage their brains before they open their mouths is astounding. On the train home recently a colleague on Financial Director heard a commuter talking on his mobile: “My user name is Al, my password is Fish,” he shouted down the phone.

In the face of such gaffes, the best IT security systems are no better than locking your front door only to leave your windows wide open. Perhaps it’s time for businesses to address the way their employees use and abuse technology rather than throwing more kit at the problem.