Schneier: 'Blame firms not staff for security breaches'

Apologist for the modern idiot?

By Will Sturgeon

Published: 21 February 2006 16:30 GMT

Security guru Bruce Schneier has hit out at the trend of blaming staff for security breaches, suggesting it's companies which must always face the strongest criticism.

Schneier was responding specifically to an exclusive story on silicon.com last week, which reported a social experiment in the City of London in which free CDs were handed out to commuters to see whether they would blindly run them on their work machines despite knowing nothing about the source or contents of the discs.

Although many fell for the sting, Schneier said the blame does not lie with the staff and he hit out at suggestions that such behaviour from employees shows disregard for security. "Employees care about security; they just don't understand it," he wrote on his blog, in response to the silicon.com story.

He added: "Computer and network security is complicated and confusing, and unless you're technologically inclined, you're just not going to have an intuitive feel for what's appropriate and what's a security risk.

"Technology changes quickly, and any security intuition an employee has is likely to be out of date within a short time."

However, Rob Chapman, founder of The Training Camp which ran the experiment, said Schneier's response is "muddled" and unrealistic. Chapman said he believes there are few excuses now for staff not showing common sense towards basic security threats.

Chapman said: "[Schneier] talks about how complicated security is and how it is constantly changing but I'm really not sure how complicated or how new a CD is as a means of installing software."

Chapman added that the CDs used in the experiment contained a clear warning about accessing them on a work computer which was obviously ignored.

However, Schneier, CTO of Counterpane, said companies need to work harder to mitigate human error - even taking it out of the equation as much as possible.

Schneier wrote: "Rather than blaming this kind of behaviour on the users, we would be better served by focusing on the technology.

"Why does the average computer user at a bank need the ability to install software from a CD-ROM? Why doesn't the computer block that action, or at least inform the IT department? Computers need to be secure regardless of who's sitting in front of them, irrespective of what they do."
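The control Schneier describes, a workstation that refuses to run software from a CD or USB stick and tells the IT department about the attempt, can be sketched as a policy check. The following is an added illustration, not code from the article, Counterpane or The Training Camp; the drive table, allowed directories and sample launches are constructed, and the alert is simply returned rather than sent anywhere.

```python
"""Simulated workstation execution policy: deny launching programs from
optical or removable media and report the attempt, regardless of which
user is logged in. Drive map and paths are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional
import ntpath

# Constructed drive-type table, as a Windows workstation might report it.
DRIVE_TYPES = {"C:": "fixed", "D:": "cdrom", "E:": "removable", "H:": "network"}
# Directories from which execution is permitted (normalised, lower case).
ALLOWED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "h:\\approved\\")
EXECUTABLE_EXTENSIONS = {".exe", ".msi", ".bat", ".cmd", ".vbs", ".scr"}


@dataclass
class Decision:
    allow: bool
    reason: str
    alert: Optional[str]  # message destined for the IT department, if any


def _normalise(path: str) -> str:
    # Collapse "..", mixed separators and case, so that D:\..\setup.exe or
    # d:/setup.exe cannot slip past the drive-type and directory checks.
    return ntpath.normpath(path.replace("/", "\\")).lower()


def evaluate_launch(user: str, image_path: str) -> Decision:
    """Decide whether a program launch is permitted and build an alert if not."""
    path = _normalise(image_path)
    drive, _ = ntpath.splitdrive(path)
    drive_type = DRIVE_TYPES.get(drive.upper(), "unknown")
    _, ext = ntpath.splitext(path)
    if ext not in EXECUTABLE_EXTENSIONS:
        return Decision(True, "not an executable type", None)
    # Media the user brought in, or a drive the policy knows nothing about,
    # is refused outright; the user's intentions do not enter into it.
    if drive_type in ("cdrom", "removable", "unknown"):
        return Decision(False, f"execution from {drive_type} media denied",
                        f"ALERT user={user} blocked={image_path} drive={drive_type}")
    # Fixed and network drives still need an approved directory.
    if not path.startswith(ALLOWED_ROOTS):
        return Decision(False, "executable outside allowed directories",
                        f"ALERT user={user} blocked={image_path} reason=unapproved-path")
    return Decision(True, "allowed location", None)
```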

Schneier claimed education, touted by the likes of Chapman, is not the way forward as most employees will have undergone in-house training and attended security briefings where the information clearly "didn't stick".

However, Chapman disagreed, arguing such a suggestion is at odds with anything he's ever heard about in-house IT training, which often amounts to making a new hire sign a piece of paper which is then filed and forgotten.
