Security and Convenience Don’t Mix
David Storch is a Product Manager and Principal Consultant at Atos and a featured guest blogger
In a press conference in March 2015 Hillary Clinton said ‘When I got to work as secretary of state, I opted for convenience to use my personal email account… because I thought it would be easier to carry just one device for my work.’ This statement is interesting for many reasons, one of which is not how exceptional it is, but how unexceptional, and how well it summarizes the prevailing sentiment about personal devices and convenience. Any number of people in business or government could have made a similar statement–it represents the thinking of government, business and individuals all across the world. Note that what is being referred to as convenient isn’t using a personal device or personal email, but having to ‘carry just one.’
‘Convenience’ has always been one of the driving forces behind consumer success. The world may or may not beat a path to your door if you build a better mousetrap, but it definitely will if you build a more convenient one—especially one with WIFI that alerts you to a ‘trapped’ mouse with a real-time text, ‘Got one!’
But let’s consider the security and business ramifications of this attitude towards convenience by considering some hypothetical examples:
Homeowner: I didn’t lock the front door as it wasn’t very convenient.
Athlete: I skipped training as it wasn’t very convenient.
Surgeon: I didn’t wash my hands, it really wasn’t convenient.
Yet the sentiment expressed about ‘using one device for convenience’ is so common that I can practically see people nodding their heads as the statement is made. ‘Sure,’ people must have said, ‘that is more convenient. Who wants to carry two devices? Not me.’
And this, in a nutshell, is the problem. Security and convenience don’t mix.
Here’s a deceptively simple statement from someone who I think understands the problem.
“There is hardly any meaningful distinction to be made now between events in cyberspace and events in the physical world.” This is from Navy Adm. Michael S. Rogers’ testimony on March 4 before the House Armed Services Committee on cyber operations. There aren’t that many statements that are so concise yet so completely describe a Big Problem.
To make this clear consider this bit of information: ‘The invasion will happen on December 7’. It makes no difference to its importance if this information were written on paper or received on a ‘virtual’ email. What matters is the information itself—written down on paper, or seen on an iPad. When people talk about an ‘information economy’ this is exactly what they mean—that value exists in words and ideas, and less so in turbines.
In fact, putting it on paper is far more secure (usually). Because I know where paper is, and I can lock it away, and I can burn it if I have to. But when information is virtual—where is it? How do I manage it? Can I ‘burn’ it?
Once upon a time important information was kept in filing cabinets, with locks on them, behind doors, behind walls, in guarded buildings, behind barriers that only let through one car at a time, with cameras trained on them. But today, just how well is the same very valuable information protected?
I’m not providing an answer but posing the question.