
When does web security get too much?
I have always been interested in the balance of “risk and profitability” within the framework of public safety: what level of risk is considered acceptable for maintaining efficiency and productivity?
Examples can be seen everywhere. At an intersection in some city, an accident occurs: a car hits a child.
The public is outraged, city officials hold a meeting, and here is the result: $60,000 is spent on installing speed bumps, fences and traffic lights at this intersection - even if it was obvious that the accident was caused by a drunk driver and was not related to the features of the intersection itself.
I understand why this happens. People want to do something to relieve the pain. However, what is the point of equipping one particular intersection with excessive security measures while ignoring all the other intersections in the country?
These thoughts came to mind when I talked with a friend who works at a small company. He complained about a new IT professional who had recently come to work with them.
The first thing this guy did at the new workplace was to announce that their network was unsafe and to introduce new, completely draconian protective measures. Employees no longer have the opportunity to choose a password themselves; it is assigned automatically and consists of 12 mixed-up letters and numbers that cannot be remembered. And this password needs to be changed every month.
He also blocked messengers and the ability to open email attachments, as well as YouTube and many other popular sites. That company, by the way, is engaged in the production of video content, which means watching videos on the network is an integral part of their work. In the process of all the innovations, this IT specialist made the work in the company uncomfortable, confusing and much less enjoyable.
Do you think this small video production company has had any incursions during its entire existence? No, never.
The same story happened at the junior school my daughter attends. Using the school site, students can check what homework was assigned, download various documents, etc. Recent innovations have greatly complicated this process: the password must be at least 8 characters long, consist of numbers and letters, and not contain dictionary words.
And this is in elementary school!
The Times also recently strengthened its defenses. Previously, to go to my page and accept or reject my readers' comments, it was enough for me to enter my username and password. Now I need to find the SecurID key given to me; open a program for connecting via VPN, which works on my Mac every other time; manage to enter the password displayed on the key within 60 seconds, before it expires; enter my ID; connect; go to a secure page; and enter another username and password.
I think everyone understands that I’m now moderating comments on my articles much less often! Do not think that I am complaining about my bosses (hello, boss!) - they have a lot of reasons to take care of the safety of working on the Internet - it just came up in passing.
I once read that air travel can be 100% safe. Yes, it is technically possible. But it would require the introduction of so many security measures, redundant checks, precautions and security policies that a plane ticket would cost $50,000 and no more than 20 flights per day would be completed.
Everything needs a balance. Anything can be made almost absolutely safe - by paying a huge price and in the process nullifying all amenities. Air transportation today has a good balance - in 2007-2008 there was not a single plane crash in the United States - and at the same time, airplanes fly constantly, and a ticket costs much less than $50,000.
I perfectly understand the motives of IT professionals: “I was hired to ensure security. If I can’t do it, they will fire me. Convenience and speed are secondary to me.”
Perhaps companies should consider hiring OT specialists (to optimize technology), who will restrain the impulses of IT specialists. Someone who will say: “Come on, is this really necessary?”