Security: Never Mind the Products, Educate the Users

If they could change one thing to improve IT security, the assembled experts on a panel at Cebit would better educate their users.

If they could change one thing to improve IT security, the assembled experts on a panel at Cebit would better educate their users.

"Education is important: We're all too naïve," said Eddy Willems, global security officer for G Data Software, speaking in a panel session on security during the Cebit Global Conference, part of the Cebit trade show in Hanover, Germany, on Wednesday.

"People need to take security seriously. We can do a lot at a technological level, but if they choose a weak password, they are at risk," said Joachim Schaper, vice president of research at AGT Germany, which provides physical, as well as IT, security services.

Richard Marko, CEO of ESET, an antivirus software vendor based in Bratislava, Slovakia, would rather users kept their data where his desktop security products can see it: "I wish users would think twice before they decide what it is appropriate to put into the cloud," he said.

However, improved user education can only accomplish so much: IT systems developers also need to make systems simpler to use safely.

"If you want millions of people to use a service, it needs to be easy, without the need for them to install more software," said Georg Rau, senior vice president at Deutsche Post, another panellist.

But the obligation isn't only on customers to learn: it's also on suppliers to inform. Buyers can't make educated decisions about how to set up and run their IT infrastructures unless vendors supply them with the necessary information.

Nowhere is that more the case than in the market for cloud computing services, where vendors vaunt the fact that their customers don't need to know how things work.

"We need transparency from cloud computing providers. We should know how their systems are organized, and we should know about the people they hire," said Natalya Kaspersky, chairperson at Kaspersky Lab.

She wants to see more transparency in such services, and better standards for security practices, so that customers can evaluate service providers.

"If the level of security and transparency is very high, I may be willing to pay more. If I don't care about security, I can pay less. But I should have that choice," she said.

Schaper drew a comparison with the automobile industry, where manufacturers spend millions conducting crash tests to demonstrate the safety of their vehicles. Because the tests are standardized across the industry, the results can be compared: That's important, he said, because safety might be a decision factor when purchasing a car.

While the vendors of IT systems in general, and of security products and services in particular, do conduct tests of their products, these are not always directly comparable, Schaper warned. "If you go to other providers, they might have a different standard," he said. "It still needs a lot of work from vendors to make these tests transparent and standard."

The chairman of the panel session, Martin Gutberlet of analyst firm Gartner, came to the same conclusion.

"There's still a lot of work to do on standards and certification" of security practices, he said.

But, he wondered, "Are we willing to pay for it?"

Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at peter_sayer@idg.com.

Join the discussion
Be the first to comment on this article. Our Commenting Policies