Schneier: 'Blame firms not staff for security breaches'

Security guru Bruce Schneier has hit out at the trend of blaming staff for security breaches, suggesting it's companies which must always face the strongest criticism.

Schneier was responding specifically to an exclusive story on ZDNet Australia sister site silicon.com last week, which reported a social experiment in the City of London in which free CDs were handed out to commuters to see whether they would blindly access them on their work machines, despite knowing nothing of the source or the contents of the CDs.

Although many fell for the sting, Schneier said the blame does not lie with the staff, and he hit out at suggestions that such behaviour from employees shows disregard for security. "Employees care about security; they just don't understand it," he wrote on his blog, in response to the story.

He added: "Computer and network security is complicated and confusing, and unless you're technologically inclined, you're just not going to have an intuitive feel for what's appropriate and what's a security risk.

"Technology changes quickly, and any security intuition an employee has is likely to be out of date within a short time."

However, Rob Chapman, founder of The Training Camp which ran the experiment, said Schneier's response is "muddled" and unrealistic. Chapman said he believes there are few excuses now for staff not showing common sense towards basic security threats.

Chapman said: "[Schneier] talks about how complicated security is and how it is constantly changing but I'm really not sure how complicated or how new a CD is as a means of installing software."

Chapman added that the CDs used in the experiment contained a clear warning about accessing them on a work computer which was obviously ignored.

However Schneier, CTO of Counterpane, said companies need to work harder to ensure they mitigate human error -- even taking it out of the equation as much as possible.

Schneier wrote: "Rather than blaming this kind of behaviour on the users, we would be better served by focusing on the technology.

"Why does the average computer user at a bank need the ability to install software from a CD-ROM? Why doesn't the computer block that action, or at least inform the IT department? Computers need to be secure regardless of who's sitting in front of them, irrespective of what they do."
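The two controls Schneier asks for in the paragraph above, blocking the action and informing the IT department, map directly onto standard Windows workstation policy. The script below is an added example written for this page; it is not code from the article, from Schneier or from The Training Camp. It assumes a Windows machine where the script is run as Administrator, that the registry paths used mirror the corresponding Group Policy settings (in a domain the same settings would be pushed by GPO instead), and that the device class GUID shown is the one the "Removable Storage Access" policies use for CD and DVD drives.

```powershell
# Added example (not from the article): defender-side hardening for a Windows
# workstation that implements the two controls Schneier describes:
#   1. Block the action: disable AutoRun and deny execute access on CD/DVD media.
#   2. Inform IT: audit removable-storage access so every attempt lands in the
#      Security event log, where central log collection can route it to IT.
# Assumptions: run as Administrator; registry paths mirror the matching Group
# Policy settings; in a domain you would set the same policies via GPO.

#Requires -RunAsAdministrator

# Device setup class GUID for CD/DVD drives, as used by the Group Policy
# setting "Removable Storage Access > CD and DVD: Deny execute access".
$CdDvdClass = '{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'
$RemovableStoragePolicy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\$CdDvdClass"
$ExplorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the policy key if it does not exist yet, then write the DWORD.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# 1a. Disable AutoRun for every drive type (bitmask 0xFF), so inserting a disc
#     never launches anything on its own.
Set-PolicyValue -Path $ExplorerPolicy -Name 'NoDriveTypeAutoRun' -Value 0xFF

# 1b. Deny execute access on CD/DVD media: files can still be read, but
#     installers and binaries on the disc will not run. Set Deny_Read to 1 as
#     well if users have no business reading optical media at all.
Set-PolicyValue -Path $RemovableStoragePolicy -Name 'Deny_Execute' -Value 1

# 2.  Inform IT: audit removable-storage access (success and failure). Each
#     attempt is recorded as Security event 4663, which a SIEM or log
#     forwarder can turn into a ticket for the IT department.
auditpol.exe /set /subcategory:"Removable Storage" /success:enable /failure:enable | Out-Null

# Report what is now in effect, so the change can be verified or audited.
function Get-RemovableMediaPolicyState {
    [pscustomobject]@{
        NoDriveTypeAutoRun = (Get-ItemProperty $ExplorerPolicy).NoDriveTypeAutoRun
        CdDvdDenyExecute   = (Get-ItemProperty $RemovableStoragePolicy).Deny_Execute
        RemovableAudit     = (auditpol.exe /get /subcategory:"Removable Storage") -join ' '
    }
}

Get-RemovableMediaPolicyState
```

The point of the script is the one Schneier makes: the user's decision to insert the disc no longer matters, because execution from optical media is refused by policy and the attempt is logged for IT regardless of who is sitting at the machine. The same pattern (deny execute, audit access) applies to USB storage by using the removable-disk class GUID in place of the CD/DVD one.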

Schneier claimed education, touted by the likes of Chapman, is not the way forward as most employees will have undergone in-house training and attended security briefings where the information clearly "didn't stick".

However, Chapman disagreed, arguing such a suggestion is at odds with anything he's ever heard about in-house IT training, which often amounts to making a new hire sign a piece of paper which is then filed and forgotten.


Talkback 5 comments

  1. Blame firms not staff for security breaches Alec Dunn -- 22/02/06

    I agree with Schneier, educating users isn't going to work.

    To an average user it doesn't make sense that the firm provides a PC with a CD drive then tells them not to put CDs into it.

    1. Kiwi Anonymous -- 29/01/08

      hey are you from NZ Mr Dunn?

  2. Don't Blame, but Educate, Educate, Educate! Jan Philipp -- 28/02/06

    Although I agree with Schneier that "Computer and network security is complicated and confusing...", he completely missed the issue at hand.

    Most attacks originate on the inside of a company. Most security breaches come from social engineering, which hasn't changed since the dark ages. The point isn't the complexity, but rather the simplicity of these types of attacks. It is easy!

    - As easy as piggy-backing through a 'secured' door on a rainy day while fumbling for keys or a keycard, where a friendly (non)co-worker will hold the door for you.
    - As easy as dating an employee to gain access to information or company property.
    - As easy as chatting someone up about password policies and procedures in their company, after travelling together on the same bus to 'work' for about a month.
    - As easy as impersonating someone important on the phone during a minor crisis, like an office move, or new IT deployment, to gather information.
    - Or as easy as handing out a CD that someone 'curious' will stick into a networked computer's CD drive!

    There is no fancy cracking, SQL-injection, Firewalking, privilege escalation, etc... involved here.

    There is nothing here that requires complex technology solutions.
    An IDS (Intrusion Detection System) or Firewall wouldn't have stopped this. No IPSec secure data channels were breached.

    It is the same misunderstanding many of our customers struggle with: They know they need security and look for a fancy high-tech solution, but that is not the answer.

    The only answer is continuing education to facilitate an ongoing corporate culture of security awareness!

    In the Roman Legion, a Decurion who was found gambling when he was supposed to be on guard duty was beaten to death by his peers.
    In a modern army, we had a less drastic KISS (Keep It Simple S....) approach to security, with ongoing education and awareness training about watching what you say to whom.

    So educate, educate, and educate again, because there should be no excuses about having basic 'common sense' security awareness, no matter how technologically complex the environment gets.

    -- Jan Philipp, MCSE:Security, C|EH

    1. hey dude.... Jimbo -- 07/03/06

      ........ what's with the MCSE ? ....

      Like, why not say something that hasn't been said a gazillion times before? A simple rehash just won't cut it.

      In other news, water is wet, fire is hot!

      Well, can't expect tooo much from a MCSE "security" cert I suppose.

  3. Business Copout.... Jeff Davis -- 24/01/08

    Schneier is totally correct. If users do not understand the importance of the security it has to be the employer or business which takes responsibility for the lack of insight.

    It is not the security and complexities which defy the policies set to protect the business but the lack of awareness of the critical nature of commercial impacts that security policy failures to educate.

    The corporate approach to security has for more than a decade failed to provide realistic or sensible measures while relying on technical guidelines and bulky instruction documents and placing the responsibility on the staff to meet the expectations of the business. It is always going to be difficult for staff to accept the importance of something in which an employer is unwilling to invest appropriately.

    Within Australia, the courts have already set all the required precedents to establish that liability and responsibility rest completely with the organisation and not the staff unless the policies developed are fully enforced and required restrictions of use are actually in place.

    The answer is, as Jan Philipp has clearly articulated, educate and engage with employees to make them stakeholders in the integrity of the organisation.
