When too much security means less security

In December, my local BBC News station showed an interview with a head teacher, who’d had to crawl across a sloping playground, covered in black ice, to send out a text to let parents know the school was closed. Which surprised me because he was using one of the systems that allows you to send out the message from a website. And it made me realise that the school had a security problem. Why? I’ll explain later…

There’s no doubt that information security – whether that’s us as individuals keeping an eye on our own personal information, or the huge amounts of other people’s personal information that seems to flood our systems/inboxes – is a hot issue at the moment. According to the Information Commissioner’s Office:

  • There are new stricter penalties faced by organisations for losing/disclosing personal data - fines up to £500,000
  • In the last two years, 800 data security breaches were reported to the ICO
  • One quarter of data security breaches were the result of mistakes
  • One third were the result of theft, often of an unencrypted portable device

And since January, the ICO has reported on loss/disclosure of sensitive personal data by a wide range of public sector organisations, including Highland, Warwickshire, St Albans City and Lancashire Councils, the Southampton University Hospitals NHS Trust, and even the Association of Teachers and Lecturers.

The Becta Data Handling Security Guidance continues to be updated on actions for schools to comply with the Data Protection Act – including more clarity on what constitutes ‘sensitive personal data’, which now includes individuals’ ethnic origin, as well as a range of SEN information. (The jist of the advice is that it would be unwise for ‘sensitive personal data’ to leave the school - eg on a SMT laptop/USB stick/printed report - except in the most exceptionally secure circumstances).

Lock everything down?

So there’s no doubt that improved security systems (eg encrypting every staff laptop with Windows BitLocker) makes things more security, and gives you less to worry about. But there is definitely a point where more security measures, and especially the imposition of these onto staff who don’t buy in, can actually lead to lower security.

I read an excellent article “Please do not change your password” on the Boston Globe which carefully works through the argument. You should read it yourself in full (unlike most ‘IT security’ articles, it’s an easy read) but here’s some of the things I took out of it:

  • Asking users to regularly change online passwords may not make any difference to security
  • Users still write passwords down and stick them on or in their desks
  • All too often, users are being asked to take too many security steps, where they don’t see the value
  • Noncompliance with security systems may be a problem caused by the experts, not the users, because security professionals aren’t always justifying their recommendations with a sound case to users or others
  • ‘Bullet-proof’ passwords should be the first line defence, and ‘one-time’ measures the next step – like anti-virus and anti-spyware protection (with automatic updates)

And it left me wondering “Which is more secure – a different password on every website/system, or a small password series which I can remember, with unique ones on the really important websites, like my bank?”. At least I don’t need to write down the second option!

If you want to know how your users think, then the comments on the article provide a great starting point to understand the range of views. I sympathised with ‘aldopignotti’, who wrote “We have to change our passwords every three months, which isn't a big deal EXCEPT we have three separate systems with three different set of rules. Also, there are six other systems that don't use network passwords so if I want to have one corporate password, I have to change it in nine different places.”

So next time you’re thinking about enhancing your network security, maybe making security easier for your users would be the biggest improvement to your system security.

Back to the head teacher at the beginning of this story. How did I know the school had a security problem? The reason was that the head had to leave the comfort of his home, and his broadband connection, to travel to school through snow that closed all the schools in his county, and then crawl on his hands and knees across a treacherous playground. So that he could log on to a website. Why? Simple – the password was written on a piece of paper pinned on the notice board in the school office. (And what’s the betting that some of their other system passwords were stored in the same way?)

Comments (0)

Skip to main content