The motto of the 2007 film K3 and the cat prince is: can't doesn't exist. The Belgian/Dutch girl group K3 aims at children as its audience. That same audience sometimes shouts at home: "I can't do that!" But if they have seen that film, then as a parent you can get a lot of mileage out of that motto for quite a long time.
This can be a bit more difficult for adults. We are currently implementing some additional security measures that will affect all users. The first is that you have to enter an extra code when booting the laptop; the second is that Webex (our video conferencing system) will be equipped with multi-factor authentication (more about that later). A pilot group was set up to test the extra startup code. This has resulted in some outspoken reactions: I can't do that! I don't want to participate in that! I'm about to retire! I have the memory of a goldfish, I immediately forget that code! I don't have time for this!
On the right you see the Can/Want matrix of vocational expert Hanneke Tijken. That matrix divides humanity very clearly into four groups, based on whether they can do something and whether they want to do it. People who can solder, for example, and who also want to, can simply be put to work on a soldering job. If someone can solder but doesn't feel like it, you might be able to convince them to do it anyway. Still others, who would like to do it but can't solder yet, can take a course. At the bottom left of the matrix you have a problem. There are the people who can't do it and who don't feel like it at all. Getting these people to solder would require a disproportionate effort. That is why, somewhat pessimistically, the word 'lost' appears in that quadrant: if budget and time are limited, then rather spend them elsewhere.
This matrix also applies to information security. Because
there too we have to deal with people who want or don't want something and
people who can or cannot do something. Sometimes people just think they can't
do something, and not wanting to can be based on incomplete information. If you
can explain why something is necessary, then you can convince those people.
Just like you can teach people something with a tip, trick or course.
The colleagues quoted above are clearly not in the top
right quadrant. They uttered can't-statements as well as unwilling-statements.
With some statements, you might suspect that they both can’t and don’t want to.
But I don't want to consider anyone lost on the basis of a vague suspicion.
I've been making a strong case for years to keep everyone on board. And it is
especially important with the upcoming changes, because they are really going
ahead.
Where are you in that matrix? Especially for the people on the top left, I'd like to explain what's going on. The first adjustment, the extra boot code, is necessary because research has shown that the security of our laptops is not as good as we thought. The extra code restores that, so that our business data stays safe if your laptop ends up in the wrong hands through loss or theft: whoever has the device but not the code gets no further than the boot prompt. The second change has to do with the fact that we will soon be using Webex for more than video conferencing: we are going to chat, share files and scribble on virtual whiteboards in that app. Video conferencing is volatile: what you hear and see there is gone as soon as the call ends. Chats, shared files and whiteboards, however, are stored, and stored outside our own data center at that. We must take additional steps to protect the confidentiality of that information. We want to be sure that it is really you when someone logs in with your user ID, and that is where multi-factor authentication comes in. The first factor is your password; the second is an app on your mobile device that keeps generating new, short-lived codes. When logging in you enter the code the app shows at that very moment. The app and our login system share a secret key that was tied to your account when you linked the app, and both derive the current code from that key and the current time. The login system therefore computes the code your app should be showing right now and compares it with the one you typed; a match proves that whoever is logging in holds your device. In this way you log in on the basis of something you know (your password) and something you have (the mobile device with the app linked to you): multi-factor! The entire process of checking whether it is really you is called authentication.
The pilot also generated positive reactions. I like this
one the best: “It was not too bad for me, it only took five minutes!” And I
actually expect that the largest group of users will just sigh and then take it
for granted.
Finally, an inspiring quote. At the town hall of Vaals, a
town in the very south of the Netherlands, there’s this Latin inscription: nil volentibus arduum. Which means: nothing
is impossible for those willing.
This blog post has
been translated from Dutch to English by Google and edited by the author.
And in the big bad world…
This section contains
a selection of news articles I came across in the past week. Because the
original version of this blog post is aimed at readers in the Netherlands, it
contains some links to articles in Dutch. Where no language is indicated, the
article is in English.
- John Oliver apparently read last week's Security (b)log and made a program about trading our data.
- Germany is positive about a new Google button that allows you to reject all cookies. [IN DUTCH]
- The tax authorities in the Netherlands have received a hefty privacy fine for keeping a blacklist. [IN DUTCH]
- Your data and processes in the cloud may just be unavailable for a while.
- An 'Order now' button does not imply an obligation to pay. [IN DUTCH]
- This malware hijacks your call to your bank's customer service.
- The European Parliament has approved new rules for data exchange with countries outside the EU. [IN DUTCH]
- Chat apps also want to be updated again and again. [IN DUTCH]
- A German hosting provider offered its customers a twenty euro voucher for the loss of data. [IN DUTCH]
- Your Lego bricks may be on the street. [IN DUTCH]