Blog

Information Security Behaviour Does Not Change!

Twenty years ago, when I started IMSEC, the Internet was still young, WWW had only just been born (OK, it was four), and there were actually many offline computers. I owned my first cell phone, and my car hardly had any electronics.
Information security, so I thought, should acutally be an easy problem to solve. Just make an inventory of the computers you use, of the data that’s on them, and of the value they have to you, and act. Add some measures to protect what you want to keep, and be prudent when taking on new stuff, but by and large, that’s not that hard, is it?
I was wrong. And I was right.
I was right in the approach. Actually, if you would do such things as to inventorize your assets, and then protect them individually and collectively, and would actually keep protecting them, your information security would be a given.
But I was wrong in the assumption that people would actually do it. I was wrong in the assumption that individuals would actually want to know about all the data they have, where they keep it, and what it’s worth before they lose them. How often have I had complaints like „my computer does not work anymore… how do I get my data back?“ and „I lost my phone – is there some copy of my data somewhere?“ I used to help individually, and still provide what I can to ease such pain. Also nowadays much has been solved by automatically created backups (e.g. the iCloud or Google Photo upload), but what has not changed is that people do not occupy themselves with thinking about potential trouble beforehand.
So is it bad that they don’t? For a long time, I thought so, but actually, no. Someone who just relies on technology to work, to be reliable and resilient and data to be recoverable without any ado, is actually right in his expectations. Technology can solve these problems (mostly), and it’s people like us (the technicians and infosec managers) who are challenged to actually provide such solutions as part of a standardized behaviour. So that normal people can just rely on technology, and on us, what are behind them, like an invisible guardian angel.
Society needs us, the information security nerds. So that everyone can get on with his own life hakuna matata style.