Practical (Not Perfect) Security

Bramah Lock

For most of human history, locks were like speed bumps to would-be thieves. A good lock might take a few extra minutes to pick, but anyone who wanted in could get in. That all changed in the 1770s, when a man named Joseph Bramah invented a new lock that was more complex and more secure than any the world had ever seen.

Bramah’s lock was so good and he was so confident that he created a contest. He put his lock in the window of his locksmith shop and offered 200 Guineas to anyone who could pick it—that's the equivalent of more than $30,000 today.

Jeremiah Chubb improved on the lock, adding a detection system that alerted the owner when someone tried to break in, and for nearly three quarters of a century the world was held fast by the locks made by Bramah and Chubb. Security experts call this the era of “perfect security.”

Of course, anyone who works in security knows it’s just a matter of time before someone finds a way to break through. Many career thieves tried and failed to collect the 200 Guinea prize. Challengers made bold pronouncements. Observers placed bets. The house always won.

Then, in 1851, an American locksmith named A.C. Hobbs arrived at The Great Exhibition in London. Hobbs was in London to promote the Day & Newell Parautoptic Lock, but his sales method was not like the typical exhibitioner. Hobbs had built his career by traveling around the country to banks and opening vaults. It was a dramatic and effective technique. London offered the biggest stage and the most dramatic sales pitch imaginable—the chance to crack the uncrackable.

In one of the exhibit hall rooms where a real Chubb Detector lock was installed in a real door, Hobbs found the vulnerability in 25 minutes and opened the door. The handful of people who witnessed the event couldn’t quite believe what had happened. They locked the door and asked Hobbs to open it again. This time it took him seven minutes.

He then went to Bramah’s store to beat the famous lock. It took him 52 hours over nearly a month, but he did it, and with that great accomplishment, put an end to perfect security.

A recent 99 Percent Invisible podcast episode tells the whole story. There’s also an excellent article in Slate about Hobbs.

Since Hobbs beat the Bramah lock, no security system has proven itself invulnerable. We may never again see perfect security. But what about practical security? What steps should your organization be taking to stay as secure as possible?

Here are a few tips to keep the casual online thief or prankster at bay:

Strong passwords
Most cloud services now let you set a more difficult password strength requirement for all users. At a minimum, you want passwords to be at least 8 characters long, with a combination of upper-case and lower-case letters, numbers, and symbols. Of course, the most important element of password strength is secrecy. Even the strongest password is useless if you use it for multiple accounts, share it with coworkers, or worse, write it down on a post-it note on your desk. Loose lips sink ships! Password managers, such as LastPass, DashLane, or 1Password, securely store your passwords for all your accounts, letting you log in with a master password and two-factor authentication. However, you should be aware that these services are not immune to hackers themselves.

Multi-Factor Authentication
Many online services now let you enable multi-factor authentication—a login where, in addition to a password, you also need a randomly-generated security code, a PIN, or even a fingerprint scan. This ensures that, even if someone knows or can successfully guess your password, they still need your phone or fingerprint to access your data.

Firewalls
A firewall is an easy way to add a powerful layer of security. It can block unwanted downloads or potential threats.

Virus Protection
Malware (viruses, adware, or spyware) can cause a computer to lose access to the internet, corrupt important files, or compromise sensitive information. Make sure all of your organization’s computers have some sort of anti-virus software, which can detect and remove potentially harmful files. And, since this software can only protect your computer if you actually use it, make sure to schedule it to scan the computer automatically on a weekly basis and allow it to check for and install updated security definitions for newly-discovered vulnerabilities.

Physical Locks or Alarms
While most people worry about their online security when using cloud services, it’s equally important to consider the security of your physical hardware or onsite files. To start, do you lock up your office at night—with a deadbolt, not just the knob? Have you set a password for each computer? If you have a physical file server, is it locked in its own room, or does it just sit under someone’s desk (or worse, under the sink)? Is there an alarm if someone does break into your office?

Rules for How Staff Use Technology at Work
Many technology issues come down to human error and are therefore completely avoidable. While your staff members should only use their work computers for work purposes, we know that’s not always the case. Develop a set of guidelines for what employees can and can’t do with office equipment and make sure everyone understands these rules. While browsing Facebook is (mostly) harmless, and in some cases a part of someone’s job, if a staff member is using their work computer to torrent pirated Game of Thrones episodes, or visiting NSFW sites, they are potentially at risk of exposing their computer to malware. It is possible to block access to specific sites for all employees, but it’s best to start with an open conversation on what is and isn’t appropriate at your organization.

Unfortunately, most people will only follow these guidelines as long as they are convenient for them. Stronger passwords or two-factor authentication can be an easy sell, but when security policies make work less efficient, or your staff is confused or frustrated, then security usually gets left behind. The key to policies that people will actually adopt and follow is to find the right balance between good security and convenience.

 Image Credit: Wellcome Images, via Wikimedia Commons 

Have technology questions or want to learn more about how Tech Impact can help your nonprofit?

Search