The Internet has lost its innocence, and a healthy mistrust is more than advisable nowadays, as scams and spam strike anytime and anywhere. Certain media, such as email, are hit particularly hard.
In fact, email is already so compromised that many institutions, such as banks, explicitly state that they do not send digital messages to their customers. Banks usually try to spare customers the uncertainty of having to assess whether an email they received comes from the bank or is a scam. Such a decision to forgo email communication is tantamount to surrender. However, the problem of reliability and safety is not easy to solve.
The Internet has become too complex, and too many applications and systems are closely intertwined. The principle that uncertainty and the probability of error grow with increasing complexity applies to the Internet in particular. Errors may even have global implications, as the exploitation of vulnerabilities in client software has already proven many times, with devastating consequences.
IT security is not just a matter of discovering vulnerabilities or defending against attacks. The protection of information systems usually requires a combination of measures, such as the simultaneous use of several protection mechanisms and the constant adaptation of those measures to changing circumstances. IT security is therefore not a static state but a process, one that strategically defines the security objectives of an enterprise and the relevant general framework, such as building a security infrastructure and risk management.
Based on a proper threat and vulnerability analysis, it is therefore essential to evaluate the available security measures, then decide on their implementation, carry it out at the operational level, and monitor their impact. This procedure corresponds to the usual quality-standard approach PDCA (Plan-Do-Check-Act) and is used, for example, in the widely adopted ISO/IEC 27001 standard for information security management systems.
Guidelines for data protection can provide a useful basis for security concepts as well, such as considering:
- Awareness: Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.
- Responsibility: All participants are responsible for the security of information systems and networks.
- Response: Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.
- Ethics: Participants should respect the legitimate interests of others.
- Democracy: The security of information systems and networks should be compatible with essential values of a democratic society.
- Risk assessment: Participants should conduct risk assessments.
- Security design and implementation: Participants should incorporate security as an essential element of information systems and networks.
- Security management: Participants should adopt a comprehensive approach to security management.
- Reassessment: Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.
Even if we try to make the best of it, the Internet is and will probably always be an unsafe medium. The euphoria about its possibilities and its global data exchange, together with the huge potential for abuse, make it dangerous. Integrity by default is needed for the sake of security. We all know that by now and should act accordingly.
By Daniela La Marca