LIA $FACTS$ for May 1998

Security

Transmission security has been in the news lately. We have noticed that there are groups of consultants suggesting that "sufficient" security can be achieved without encrypting every message, every file, etc. We think such advice is short-sighted.

The number one best security is not having anything anyone else wants to read or look at. Keep a low profile. Live under your means. Close the curtains at night and always keep the garage door closed!

But, let's say you are an international firm having offices around the world and many employees. Let's add to the scenario by making you a leader in your field. We assure you, someone wants access to your stuff! The number one method of protecting your information assets is not available to you.

So, how far do you go? If your only concern is access to documents that could be used in court, you probably can go partway as the consultants have suggested, making sure that correspondence on sensitive issues is approved and coded.

The reality, however, is that people can learn what you are doing, to your detriment, from documents that would be laughed at in court.

In the military, one is always reminded not to talk to unknown people and never to say anything at all about what one's unit is doing, even to family and friends. The popularly stated reason for this requirement is that "loose lips sink ships!"

All of your information is valuable and all of your correspondence is sensitive. Your competitor can often tell what you are doing just by monitoring the volume of encrypted email in and out of your site, especially if you only encrypt the important stuff. The size of communications and the people communicating give additional indicators of what is going on.

For example, let's say your stock has done well and you have begun discussions with your executive committee about approving a stock split. The mere change in the volume of traffic within the committee would clue people in to what was going on before it was appropriate for them to know. And this assumes that the traffic is coded. Uncoded traffic would be roughly equivalent to talking to a reporter!

So, what do you encode? Quite simply, everything. Your IS efforts should be expended to minimize the overhead on the system of coding everything. In time, you can start to adopt sophisticated methods of preventing even the volume and presence of traffic from revealing important information to the wrong people. You will also find, in the process, that the management diversion presented by trying to decide what to encode on an ongoing basis is far more costly than the cost of full-time security. And, it is always easier to continue the habit of transmission security than to initiate it.

Finally, applying Murphy's law, always expect a leak to occur and be prepared to deal quickly with the problems that result from it. Oh... and if it looks like there was a leak, there probably was!


Copyright 1998 Lohmann International Associates

You have been reading the online edition of LIA $FACTS$, the monthly fax newsletter of Lohmann International Associates. For further information, please visit our home page on the Web or send e-mail to Les Lohmann.

