How can companies hope to protect their data – and how can we hope to stop identity theft – when we ignore the most basic protection methods? Peter Cochrane says: We can’t.
If you had to secure a new home against intruders on a limited budget, you might spend more money on the windows, doors and locks on the ground floor than upstairs. The rationale would be that the primary entry point is the ground floor, as it takes more effort to get a ladder and gain entry at the first or second floor level.
Is there an analogy here relating to all security systems? Should getting the primary level of security right – and then proceeding up the stack – be a key priority? I think so.
You might expect that in the electronic world efforts to secure computer systems would start at the most basic level. But it seems to me that all too often the converse is true. All the energy and effort is placed at the top level while the bottom end of the security chain is left wide open. Moreover, entry at lower levels can be most devastating and hard to detect, track down and rectify. Once the basic build is wrong, you’re in deep trouble.
This point was brought home to me recently through two incidents that led me to infer that inverted security thinking is not just commonplace, but may be the dominant mode.
The first incident was a meeting I attended recently with a major international organisation that had outsourced several thousand jobs to China, and even more to India, in order to realise huge operational cost savings. Having already provided low-level foreign workers with connections into the company’s infrastructure, the firm then asked the question: Do we have a security problem?
How come it didn’t ask this earlier? I suppose the people in the organisation who were hell-bent on cost savings had little or no interest, or indeed experience, in security. They went ahead and instituted the system before it came onto the radar screen of those who are more security-minded. What a cock-up! I suspect the fix will cost far more than any savings the company might have gained from offshoring jobs, and in the meantime the firm’s data is at enormous risk.
The second incident turned out to be far more fundamental and in my view far more dangerous – I had occasion to secure new birth certificates for my entire family. The reason was unusual and concerned the untimely demise of a family member and the slight state of chaos and disorganisation that ensued with our home-filing system, records and probate. By some fluke the most basic of information about my family, our individual birth records, had been misplaced.
I have always abided by the theory that if you lose something the fastest way of finding it is to buy a new one. So I was faced with the prospect of quickly securing new birth certificates. To my combined delight and horror, I discovered that anyone in the UK can get a legal copy of anyone else’s birth certificate with great ease. All you need is the individual’s name, date, place of birth, father’s name and mother’s married and maiden names. You have to furnish a reason for needing a replacement, your relationship to the person (which must be reasonable) and the princely sum of about £5. At no time during the process does anyone ask for a driving licence, passport, social security number or any other means of corroborating your identity.
What a fabulous opportunity for the corrupt and criminal-minded. A birth certificate is the first step on the rung of creating a duplicate or new identity. What was really fascinating was that I could also get a new birth certificate for the recently deceased family member, despite the fact that I had registered the death myself only months before at the same office. This is incredible – no checks and balances, no checking of identity. The system is wide open to abuse and just inviting exploitation. No wonder we have a growing security problem in this country.
Contrast all of this to the press and public paranoia about electronic security. As a result, people happily hand over their credit cards to someone they don’t know at a gas station, restaurant, public house or hotel (who could easily copy it). But they won’t use their card over the internet, which it turns out is the safest environment of all.
The word ‘crazy’ springs to mind. Sooner or later we are going to have serious problems in modern society because we have not paid attention to the ground floor of security and have spent all of our money securing the roof when we really need a decent front door and solid windows with good locks. Identity theft is becoming an epidemic that will only get worse whist we choose to be so lax about the most basic level of security concerning our very starting point – our birth!
Dictated at the Oxford Holiday Inn. Passed to my PA a week later via my home LAN. Typed version forwarded to silicon.com the next day via a company Wi-Fi link at Histon, just outside Cambridge.