
With Every Business a Target for a Security Attack, Are Organisations Finally Grasping the Security and Data Protection Nettle or Is the Issue Still Being Kicked Into the Long Grass? by Rob Somerville

Picture comes from www.techweekeurope.co.uk

I have just had a very busy week. Security flaws were found in a major IT system prior to launch which was duly taken offline and a more secure temporary solution implemented and rolled out in double quick time. Fortunately there was no business or data protection impact, and we even managed to score a pyrrhic victory by getting the vendor to admit that this issue was indeed an issue, and they have gone away to think about solving it. I suspect though that the offending piece of software will ultimately end up as abandonware as the cost of really fixing it properly will be so prohibitive that the vendor will be forced to pass the costs on to the customer base, making the project financially unsupportable. Sadly, it was only a matter of time. Our IT department had valiantly raised our heads above the parapet on many occasions about issues with this particular vendor, but due to internal politics it was decided to carry on regardless. Finally the penny dropped, and it looks like a more appropriate technical solution may be rolled out sometime in the future. One for instance that will have a decent API, something that the vendor in question refused to provide as it was not in their commercial interests. They would far prefer to supply a proprietary integration solution at a cost of tens if not hundreds of thousands.

While I am happy that this issue is now being addressed, it is by no means a victory. It wasn’t until the weight of evidence was so overwhelming that the decision was taken, and so much pain could have been avoided if the professional opinion of IT had been respected in the first place. The problem comes back to the classic disconnect between IT and management – and the army of departments that want to live in their own little silo with technological autonomy. This is the danger when complex devices and systems are marketed in the same way as black box disposable consumer goods. Nobody wants to think about what goes on under the hood, and those that support and manage these systems are often regarded more as technicians than engineers.

In reality, the word engineer is derived from the Latin ingeniare (“to contrive, devise”) and ingenium (“cleverness”). The word technician is a modern construct. To start with, there is a lot of professional jealousy – often on the part of formally qualified engineers – when IT adopts the word “engineer” rather than “technician”. Woe betide the skilled programmer or developer who has not got a technical qualification to their name adopting the title “Software engineer”. This professional snobbery extends through the management layers, often with the mantra “Paper qualifications good – experience alone bad”. The most acclaimed and innovative piece of engineering in human history – the wheel – was invented at the latest between 6500 and 8500 years ago. There is no record of the inventor’s gender, but I doubt if they had any professional or educational qualifications to their name.

No, the problem lies in the formalised, metricated, quantified, and qualified society we live in. There is no longer any creative space for the innovator, the idealist, the visionary or common sense unless of course they are willing to work within the strict confines of finance, regulation, management, censorship, or control. That is why whistleblowers and creatives are in such short supply. If you have the right position (i.e. one with clout), you can apparently defy the laws of the universe – but only for a short while until you are found out. Then the PR mantra of “Lessons learned” and a “One off incident” are wheeled out, unless of course the regulator or the justice system bites and then you are really in trouble.

The Information Commissioner’s Office (ICO) has fined the charity British Pregnancy Advice Service £200,000 for exposing personal data to a malicious hacker via their outsourced website. While I have a great deal of sympathy for the apparent injustice of a charity being fined for a data protection breach, the disconnect is obvious. The trustees placed their trust in a third party who had no real loyalty to the organisation other than to provide a website, and knowing the extreme financial pressures placed on charities and the public sector, there would have been a very tight budget. So no room for penetration testing, a code audit or probably even a decent specification that took into account the data protection risks in such a politically charged arena. The BPA management team will have a harsh lesson to learn on pushing the envelope.

IT professionals have no such latitude. Systems are ruthless, almost psychotic in their level of unforgiveness. A full stop in the wrong place in a line of code, an unreliable piece of hardware or a badly written specification document can wreak havoc. Never mind deeper logical issues, system complexity, and the hundred and one other pressures that the poor “technician” has to deal with. Good IT people develop a sort of sixth sense over time – call it intuition or whatever – that alerts them to danger. I continually have my leg pulled by colleagues at work because all my servers are backed up daily and every so often I check that the backups are valid. I will not take risks unless I have a plan B and preferably a plan C and D as well.

So I go home at night, put my head on the pillow and sleep soundly. What gives me nightmares though is the disconnect between senior management and the technologists – especially where you have a department in the middle that demands their own 3rd party system – and get it. My IT sixth sense knows that the true cost of that system – fully supported, patched and maintained – will be way above the negotiated and signed contract that is eventually agreed upon. So we have IT by committee, built to a price with excellence and, worst case, best practice tomorrow. And when the wheel comes off, IT will be the first port of call to support a system as after all we are only “technicians” and surely it can’t be that complicated to fix. It is no wonder that in IT departments up and down the land, staff have major difficulty in resisting the urge to display banners above their desk that say “I told you so”. Hopefully the tide is changing. Organisations are beginning to understand. My engineer manager friend (who is convinced I am a technician) bemoans the lack of “engineers” and freely admits that this is due to lack of candidates willing to work for peanuts. Yes, the downward pressure on salaries is a short term problem, but the bigger long term problem is the cultural divide. Maybe if a few CEOs and CTOs sat down with their IT departments over a beer there would be less potential room for corporate embarrassment.

Rob Somerville

Rob Somerville has been passionate about technology since his early teens. A keen advocate of open systems since the mid-eighties, he has worked in many corporate sectors including finance, automotive, airlines, government and media in a variety of roles from technical support, system administrator, developer, systems integrator and IT manager. He has moved on from CP/M and nixie tubes but keeps a soldering iron handy just in case.

Article comes from BSD Magazine Vol 8 No.03
Issue 03/2014 (56)


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013