There isn’t a patch for human fallibility and there’s no patch against human ingenuity. I attended an ISSA-UK event at Bletchley Park last Thursday and the contribution the men and women who worked there made to the war effort cannot be overstated – it’s estimated the codebreakers of Bletchley shortened WWII by 2 years.
The principles of information security are centred on confidentiality, integrity and availability, and each is a balancing act between people, processes and technology. People are an organisation’s most important asset, and yet the tendency is for organisations to go top-heavy on technology and processes at the expense of an effective security awareness training programme.
In World War II, Hitler used the Lorenz machine to encrypt communications with his generals because he didn’t trust the Enigma machine. The latter used 3 rotors to encrypt plain text while the former used 12. In an ideal world, Lorenz-encrypted messages should have been unbreakable, but human error (retransmission of a message using the same encryption key) meant the Allies were able to read all Hitler’s communiqués as if they had been written on a postcard.
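The key-reuse failure described above, as an added example that is not from the original post: a simplified additive stream cipher in the Lorenz style (5-bit symbols XORed with a keystream), using a constructed keystream and constructed messages rather than the real machine’s wheel output. It shows why the retransmission was fatal: two messages sent under the same keystream cancel the key in the XOR of their ciphertexts, so one known or correctly guessed message exposes the other and the keystream itself.

```python
import random

# Constructed alphabet: space = 0, A..Z = 1..26, held in 5-bit symbols as in Baudot.
def to_symbols(text):
    return [0 if ch == " " else ord(ch) - 64 for ch in text.upper()]

def from_symbols(symbols):
    return "".join(" " if s == 0 else chr(s + 64) for s in symbols)

def keystream(seed, length):
    """Constructed 5-bit keystream standing in for Lorenz wheel output (not the real machine)."""
    rng = random.Random(seed)
    return [rng.randrange(32) for _ in range(length)]

def xor_streams(a, b):
    """Symbol-wise XOR; zip truncates to the shorter stream."""
    return [x ^ y for x, y in zip(a, b)]

def encrypt(plaintext, key):
    """Additive cipher: each plaintext symbol is XORed with one keystream symbol."""
    return xor_streams(to_symbols(plaintext), key)

def decrypt(ciphertext, key):
    return from_symbols(xor_streams(ciphertext, key))

def depth_of_two(c1, c2):
    """Two ciphertexts under the same keystream: c1 ^ c2 == p1 ^ p2, the key cancels out."""
    return xor_streams(c1, c2)

def recover_other_message(c1, c2, known_plaintext):
    """With the key cancelled, knowing (or correctly guessing) one message yields the other."""
    return from_symbols(xor_streams(depth_of_two(c1, c2), to_symbols(known_plaintext)))

def recover_keystream(ciphertext, known_plaintext):
    """Known plaintext also yields the keystream, which decrypts everything sent under it."""
    return xor_streams(ciphertext, to_symbols(known_plaintext))

if __name__ == "__main__":
    # Constructed sample traffic: the same message re-sent with slightly changed wording,
    # which is the retransmission error the post describes.
    first = "ATTACK AT DAWN ON THE EASTERN FRONT"
    second = "ATTACK AT DAWN ON EASTERN FRONT"
    key = keystream(1944, len(first))
    c1, c2 = encrypt(first, key), encrypt(second, key)
    print("key cancels:", depth_of_two(c1, c2) == xor_streams(to_symbols(first), to_symbols(second)))
    print("second message:", recover_other_message(c1, c2, first))
    fresh = encrypt(second, keystream(1945, len(second)))
    print("fresh key leaks nothing:", depth_of_two(c1, fresh) != xor_streams(to_symbols(first), to_symbols(second)))
```

The last line is the mitigation in miniature: a keystream (or, in a modern cipher, a key/nonce pair) that is never reused leaves the XOR of two ciphertexts as random as the key itself.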
Information security is the responsibility of everyone in the organisation, and an effective security awareness training programme must be supported at board level and rolled out to employees, contractors and third-party suppliers.