… not Microsoft, not social media tools, but: PEOPLE.
A recent blog post by Dave Snowden and some commentary by Luis Suarez have reminded me of something Bruce Schneier said a while back (in 2004, actually):
Since the beginning of time, people have always been the biggest security threat. That hasn’t changed because of computers. People are why firewalls are invariably misconfigured. They’re why social engineering works. They’re why good security products are rarely deployed properly. Securing the computer and network is hard, but it’s much easier than securing the person sitting on the chair in front of the monitor. (emphasis is mine)
In his commentary, Luis makes the interesting point that social networking – not the tools, but the activity – may be partly responsible for these types of security lapses, and he uses it as a teaching point.
And, for once, social networking didn’t have anything to do with it. Oh, did it? Well, perhaps it has got plenty to do with it! After all, don’t social software tools encourage us all to listen to what’s happening out there? Maybe they will also help us understand how we can mitigate those perceived risks by having each and every one of us walking the talk, i.e. behaving responsively with the information and knowledge that we are exposed to, and share across accordingly, day in day out, for that matter… You wouldn’t want a total stranger to know, coming out right out of your mouth!, your full credit card number, your date of birth and any other kind of identification material, right? (emphasis his)
In the military this is called OPSEC, or Operational Security, and it is drilled into soldiers’ heads almost daily. It is, in other words, a way of life.
On the other hand, there is a fine line between appropriate security and being paranoid. With an understanding of what you really need to protect, and what is not so vital, and a bit of thought, you should be able to find that line.
And it is a line that you need to find.