A long time ago …
I was asked to play intelligent hacking nerd for an insurance company. They were willing to spend 50.000 guilders, a lot of money at the time, to set up (inter)net security. The web was rather young, firewalls did exist but were rather “new”, and the percentage of inhabitants involved in hacking activities higher, as they had been part of the first wave of colonists. The porn boom would start soon after.
With all the private data kept on their intranet and in the insurance companies’ building, doing something about “security” seemed not such a bad idea. Of course, disconnecting the network from the internet would have been the cheapest solution. Nevertheless, for reasons unknown to me, they desired intranet and internet connections.
The meeting started, and I informed the very serious Men In Black in the meeting I would walk around a bit. As a geek that’s socially very acceptable. I am not to like conversations involving negotiations about monies changing hand as a result of putting on my “tricks”.
The building had several floors, with a staircase in the middle. The staircase walls were made of glass. There was no guard or desk downstairs at the entrance of the building, or on the floors.
The people on the work floors were quite happy to answer questions about things I noticed, such as: “Why are some casefile covers red, and some yellow, green, white, blue? Well, the red is filled with cases of people that are asking for money – because they are ill, had their house burgled or burn down etcetera. Cheerfully the person showed it to me, and opened the red casefile to illustrate what he was explaining to me. I smiled and thanked him.
I went back to the management floor and meeting to go for lunch together. We walked over the floor towards the unguarded stair case doors, because the company restaurant was on a higher floor. I was asked if my walk-about had been interesting and what I had discovered. In front of us a man walked through the door to the staircase, and downstairs to a lower floor (or perhaps even out of the building). As his head disappeared and we moved towards the staircase for going up, I asked, “Does anyone know where this person is going? He might even leave the building with that private data under his arm. Who would know? There is nobody downstairs …”
Security needs to be placed in a landscape, the people on the work floors have lots of knowledge and wisdom that we can tap into, and are very willing to work with you for setting up a sound security strategy!
The management team went into chaos, aware their chosen strategy was not “minimax” (minimum effort, maximum impact).
This may be the “right thing” to do, and can work well for pull marketing purposes where you have to present yourself as “trusted authority”. What is outside of our power is how response able potential our customers are. If they are, they will appreciate our elegant straightforwardness (and having been saved from spending 50.000 guilders on something that does not make the system secure), and perhaps involve us for setting up a sound security strategy. If they are not, maybe they feel too embarrassed about such a major “overlook” and do not wish to be reminded of such a painful moment. I never heard from the insurance company again.
- Boom and bust – the intranet life cycle ” manIA (10/3/2010) (patrickcwalsh.wordpress.com)
- Intranet Trends for 2010: How Far We Have and Haven’t Come (cmswire.com)