According to the Guardian's Kate Connolly, "German politicians have been accused of robbing youngsters of one of the small joys of childhood after announcing plans to ban the Kinder Surprise chocolate eggs, on the grounds that they are a safety hazard." What do Kinder Surprises have to do with IT security? Well, not very much really. I simply wanted a chance to be able to share Charlie Brooker's extremely amusing assessment of the situation.
Actually, maybe there is a moral to this story that can be related to IT.
Should Germany decide to press ahead and impose a ban, it would undoubtedly be a somewhat silly decision - and possibly an ill-conceived knee-jerk reaction to some isolated event. Sure, maybe the toys do represent a choking hazard, but then so do numerous other small items that can be found in the majority of homes. Should it not be left to parents to decide whether Kinder Surprises pose an unacceptable risk to their children's health and safety? Would it not be sufficient to simply place a warning on the wrapper?
Similarly, businesses all too frequently make equally silly, knee-jerk reactions when it comes to security. For example, when the press reports that use of social networking sites during working hours is costing UK industry $13 billion per year, too many businesses simply rush out and buy a web filter to block access to those sites. Now, I'm not for one moment suggesting that businesses shouldn't use web filters; rather, I'm suggesting that they shouldn't rush out and buy one until they have actually assessed the situation.
In his article Computer Security, It’s Not About the Software, Ben Rothke proposes that businesses adopt a 12-month moratorium on the purchase of security products. Ben justifies his position as follows:
"A one-year moratorium on the purchase of security products would stop the vicious cycle of buying products simply because they are seemingly cool. The suspension of purchases would give organizations time to focus on their core security issues and enable them to remove the masks of security that the security products provide. Since organizations could no longer purchase products, they would be forced to confront information security head-on and create the necessary infrastructure changes that would ensure that corporate data assets are appropriately secured."
While I don't necessarily agree with Ben's opinion (if a product can indeed improve your security, then why wait to deploy it?), he nonetheless makes a valid point. Too many businesses spend too much money on security products when that money could be better spent on training staff to use existing tools properly and on raising employee awareness. As Ben points out:
"Even if there were no firewalls, it is not as if there would be no security on the network. Routers and switches, file servers and network appliances have security functionality. If organizations would start to use that base functionality correctly, it could provide far more security to their organizations than a poorly configured firewall could have."
To go back to the social networking example, before rushing out and buying a web filter a business should ask, "Do the benefits of social networking outweigh the risks? Could this be better dealt with through training and policy? What other risks are associated with unrestricted web access?" Armed with the answers to those questions, a business will be able to make an informed decision as to its best course of action.
Ultimately, security is about the people. Spending the budget on training those people (both IT staff and end users) will improve security far more than the latest over-hyped "Gartner Cool Vendor" product.