I fired my bank last week because I got tired of getting entangled in security systems that ensured I would be unable to access my online banking for days at a time, especially when I was traveling. My local branch manager said I was hardly alone in leaving the bank, and it's a good object lesson for what happens when security becomes overkill.
For the last decade, IT has been in a paranoiac state around security, and the result is a lack of perspective on risk assessment and correspondingly crazy security strategies. No one wants to make the wrong call on security - that is, allow a threat to succeed - so instead organizations increasingly decide to make only one call: put everything in the equivalent of a SuperMax prison, which simply institutionalizes a bad strategy.
IT's paranoia isn't driven from within IT only. Governments, businesses, and individuals alike are running increasingly scared about who's spying on them, who's manipulating them, and who's stealing from them. IT is often viewed as the organization to address those fears, the increasingly militarized technology police force.
Our connected, heterogeneous world is wonderful because we can easily move data and activities anywhere. We've gained several orders of magnitude of collaboration, productivity, and location independence thanks to these technologies.
They also make for a wonderful medium for criminals and spies to do the same. The Chinese government, the American NSA, Britain's GCHQ, Russian and Eastern European criminal gangs and corrupt oligarchs, and so on are well-known exploiters of our connected world, as Edward Snowden has revealed. The same goes for companies like Google, Facebook, and the cellular carriers, plus marketing departments in all sorts of industries, from media to retail.
As a result, we've had to be smarter and tougher about security measures since so much personal and business information now flows through the Internet (including the cloud), servers, PCs, and mobile devices. Often, we get tougher but not smarter about it.
If people have a less onerous option, they'll take it, as I did with my banking. If they don't have a formal choice, two options await:
- Work around the issues as best they can, which can be even riskier - for example, when companies block cloud storage, they essentially force users to carry their data on less-secure, easily lost USB drives instead.
- Use the service much less or not at all, thus reducing productivity or other business benefit for which the underlying service exists in the first place.
In my former bank's case, it uses second-factor authentication (texts, emails, or calls) when you change your password or use a new device to access your account. In the online banking system itself, you have to use complex passwords that contain capital letters, numbers, and special characters in addition to lowercase letters (a common password requirement these days) - and you have to change them every four months, without reusing any of the previous 10. After four incorrect entries, you are locked out and have to call a representative during West Coast business hours to get unlocked.