The generous locksmith

"Once upon a time there was a generous locksmith. He prided himself on providing the most secure, best tooled locks that money could buy. He also took great delight in proving the quality of his wares by promising his customers to take full responsibility for their security.

"The customers loved the locksmith. Every time they had something stolen, he would offer them a new lock. A cleverer lock. An unbreakable lock. Usually, it has to be said, a more expensive lock - but what price for security, eh? Especially when the locksmith was picking up the tab.

"In fact, over time, the locks had become so extravagantly complicated that the locksmith's customers gave up using their houses and their shops and just left everything lying about on the streets. It was easier that way, and the locksmith didn't seem to mind as he was working on a lock to secure all the streets too."

Forgive me the childish tale - I spend a lot of time with my two toddlers, and it seems to be rubbing off. The locksmith, though, illustrates the challenges facing the world of IT security. Individuals have been left in a world of glorious irresponsibility and unaccountability because time and time again technologists provide yet more solutions to what is, at root, a people issue.

With the power, connectivity and global reach of the tiny slabs of technology we carry about in our pockets these days, a sane approach to information security is to start with the individual. What are each of our responsibilities, why is it important, and what should we be doing to protect ourselves, others, and the organisations in which we work?

The waves of consumer, cloud-based social networking and file sharing services provide more options than ever for people to bypass the "proper" channels. IT folk can sometimes think this is due to stupidity, or maliciousness - but generally my hunch would be that expedience or lack of understanding are the real causes. If you make information security so onerous that it gets in the way of getting the job done, people will find ways to work around; information is like water.

Want evidence of quite how impactful putting even basic security measures can be on ease of use? Look at how two-factor authentication has been implemented by the big social networks.

While two-factor authentication as implemented by the likes of Facebook is hardly NSA-proof, it's the sort of measure that will stop the sorts of attacks that result from the harvesting of passwords en masse. Do the major consumer services enable it by default on accounts? Of course not - that would reduce sign up and usage, and anything that does that must be removed to provide a "friction-free" experience.

But if you actually try to enable two-factor across these services, it's usually a labyrinthine path that you will need to traverse to find, configure and turn on such relatively simple measures. In most cases the user experience is such that I can only conclude the companies involved have assumed that only power geeks will want to play.

Don't misunderstand me. I'm not saying that the layers of security that are required to protect valuable assets at the back end aren't important, or that we should drop all defences and turn technology into a free-for-all.

However, making the user experience of basic security measures palatable to the majority would be a great first start in improving our lot, and that user experience expands well beyond merely the technology.

The security industry, though, is great at selling new locks to our generous locksmiths.

Copyright © 2014 IDG Communications, Inc.

7 secrets of successful remote IT teams