Information security: Beyond firewalls and passwords
However, one thing that we need to be concerned about is the seriousness of cyber security risks. It is no more limited to the configuration of a firewall or securing our passwords. The consequences of a breakdown in security extends beyond the military and business organisations, to societies, and even ordinary citizens
The first time I encountered computers was in 1990 at the National Institute for Information Technology (NIIT), Pune, India as a student. There were no fancy screens, instead there were but huge room-sized servers and small desktop machines called terminals with a blinking white cursor.
It was a bit scary because I started COBOL programming (remember the Y2K) without any pre-understanding of what a computer language was. For me, information security, then called computer security, was mostly confined to advanced technical warfare, such as military or Star War movies.
I remember how thrilled we were when we heard about the computer virus called ‘Happy Birthday Joshi’. The story we were told was that people forgot Joshi’s birthday; he got annoyed and developed a virus that flashed the message on many computer screens. With the passage of time, I learned about other viruses such as Trojan — camouflaged as a useful application - time bomb and many other with catchy names.
I gained some more understanding of computer security. As the name suggests, the focus of security was technical. Well, it is important to mention that a password was a big thing at that time. However, I suspect that 90 per cent of the administrators’ passwords might have been ‘admin123’.
It probably was because this was the default password that came with the software. I still remember when I visited some computer centres, I could see the green carpet on the floor and a signboard ‘please take off your shoes’. I used to think that the shoe dust carried computer viruses. Later, I learned that a virus is nothing but a programme code that can attach itself to other applications and create some malfunction.
Later, I started working as a system administrator at an Internet Service Provider (ISP). As part of my duties at the ISP, I used to visit corporate offices to install mail servers and internet connections. The challenge I faced was with less trained personnel who were not aware of the consequences of disclosing their emails to everyone.
Whenever they had problems, they used to call service providers with all administrative authority, who had the opportunity to exploit their information.
When I switched my job from the ISP to a commercial bank, I tried to draft some organisational policies to secure banking information.
The context was also different, and the sensitivity of the information was high. The point that I want to emphasise is the importance of formal rules and regulations in information security. I learned that just installing sophisticated software/hardware is not enough if the organisations do not have informed personnel and formal rules and regulations. Even when there were standard policies, they were seldom implemented beyond changing passwords. This was at times rendered ineffective: I remember people used to write their passwords on post-it notes or on their tables.
Fast forward to 2002, when I was planning to pursue higher studies. The world was getting more digital, more connected and ironically more corrupted digitally. In keeping with the times, computer security got a “promotion” to information security.
Came into vogue: cyber security.
I used to think perhaps if we have advanced devices and strict policies, it might reduce cyber security risks. But we need to understand that information security was not just a matter of military warfare or organisational data protection but interrupting and intruding into people’s lives.
For example, news of identity theft, stealing credit cards and cheating individuals online started to spread. My visits to countries such as South Korea, Sweden and Norway broadened my information security perspective. I realised how important it was to educate citizens about information security and its consequences. In today’s world, information security encompasses technical systems, formal systems and social systems.
Unfortunately, this is not understood. Take for instance my recent experiences when I visited a reputed commercial bank in Nepal in February. The manager and front desk people exchanged the administrator password by shouting it out in public.
To address the challenges of information security is difficult in both the developed and developing world. However, the challenges that we face in the developing countries are at different levels. For example, we are technologically dependent on the developed world; the information infrastructure that we are creating is unplanned and unorganised.
There is a possibility that the infrastructure that is not well thought out is vulnerable.
So where does all this leave us?
Digitalisation has many good sides. For example, online education can include poor and marginalised people; telemedicine can be a boon to remote and mountainous villagers; digital governance can help the government reach out to citizens; likewise, e-Commerce platforms can broaden our access to international markets.
However, one thing that we need to be concerned about is the seriousness of cyber security risks. It is no more limited to the configuration of a firewall or securing our passwords. The consequences of a breakdown in security extend beyond the military and business organisations, to societies, and even ordinary citizens. Therefore, the question arises, are we technically, formally and culturally ready to cope with the emerging paradigm of digital transformation? Are we capable of differentiating between good and bad use of information? Above all, are we aware of information security as private or public agencies or responsible citizens? If we do not start thinking now, there will be less time remaining with us to rethink.
Thapa is a professor in Information Systems, University of Agder , Norway