11 December 2014
I returned from a business trip to Berlin late yesterday evening. In the morning I presented the results of the threat analysis of a complex application, which we performed over the past weeks, to the application steward. To be honest, I am not fully satisfied with the outcome, although we agreed on a lot of protection packages to secure the database and the application layer. Some of the weak points, e.g. the access from the users to the application server and the distribution of the software to the user workstations, are still not sufficiently mitigated.
Later in the afternoon I found an email titled ‘The human factor a key challenge to information security, say experts’ in my inbox.
The key message of the study discussed in this report is:
“People will always be the most vulnerable part of any organisation’s information security, because people make mistakes and they are easily manipulated.”
Yes, I fully agree! But software suppliers, who deliver badly configured software, and business leaders, who constantly run IT cost-reduction programs, also contribute substantially to these security problems.
People who use complex software to run complex business processes create more help-desk calls and support effort than people who use office applications only. But cost-cutting programs are not aware of this trivial insight. From a pure economic point of view such applications do not exist, although they may contribute substantially to the success of a company.
IT groups are doing a great job in automating support processes to deliver fast and high-quality support to their users. Unfortunately, security suffers under cost pressure. If the number of complaints about, e.g., low performance of an application is large enough, IT groups are far too ready to define exceptions from security standards. But exactly these self-made vulnerabilities could be used by attackers to get access to the computers in a company…
Sony is everywhere!