Corporate Security

Security Vs Usability – Schooled By A Panda

A post inspired by a catalogue of teeth gnashingly frustrating technology traumas:

woman_pulling_hair_out10 minutes before I had to leave to get children to school and catch my train, I realised my phone wasn’t in my bag. Cue manic search round every corner of house, while pleading with 2 little girls to do teeth, brush hair and find shoes.

I came to the only possible conclusion, my other half (already en-route to work), must have thought it was his and picked it up. Having no corroborating evidence didn’t stop me from ffing, blinding (out of earshot of the kids) and drop-kicking a discarded soft toy, but there was nothing I could do (called both his phone and mine and neither was available – the joys of non-urban phone reception).

After depositing the offspring there was another wonderful moment. I remembered I’d bought my first e-ticket. You know, the ones you can ONLY use if you have your mobile with you.

keep-calm-computer-says-no-1On explaining the issue to ticket desk staff, they kindly allowed me to pay for a whole new ticket, telling me with relish (at least that’s how it felt at the time) it was strictly verbotten to find my electronic ticket on their electronic systems and allow me to use the product they could prove I’d purchased.

Then, after getting a much needed latte, I checked the departure boards – 9.30, London Liverpool St, CANCELLED. I was clinging to civility by a thread when I made it through the scrum at the customer service desk. I expressed my delight when offered an alternative route, arriving an hour later, changing trains twice and stopping at every godforsaken village between home and London.

Of course I couldn’t call the person I was meeting to let them know, BUT I did have my tablet to try email or Twitter…except I couldn’t. In true security pro style I have 2 factor authentication enabled on all of my accounts. “AHA” I thought, there is one rarely used non-Google account with just password protection. Chrome was unusable as authentication requests popped up every 2 seconds, so decided to install Firefox for android.

it-hate-technology-bite-tabletCouldn’t install Firefox for android as the download is hosted by the Play store, which I link to with…you guessed it…my 2FA protected Google account.

Started to eye up a loitering pigeon, wondering if I could catch it and tie a message to it’s leg, but plumped for the more traditional option of asking a very nice lady if I could borrow her phone. I flicked through downloaded mails to find his number, before realising I hadn’t used the device for a while. No authentication = No mail synchronisation. Yey!

In the end, the original train was reinstated and only slightly delayed. I also found out how to switch off the constant authentication requests, so I used Chrome to get to the non-2FA mail and got a message through about the delay.

All’s well that ends well you say. Kinda, if you discount the high blood pressure, upset caused to other station users as I swore my way through each technical roadblock and the damage to my relationship. When I got home I phoned my other half to vent my spleen, strutting round the house enumerating all the pain he’d caused, while not letting him get a word in edgeways. Then I stopped dead, all the wind taken out of my sails, there was my phone nestled in the arms of my daughter’s toy panda.

images (64)So here I am, waiting to eat humble pie with hubby, have a serious talk with my daughter, (she swore blind she hadn’t seen my phone, but at her age it’s entirely likely she forgot she’d lent it to Panda) and taking stock of ways to avoid a repeat of all of this.

This won’t be the last time technology designed to make life secure makes me sweary and stressed, but it could have been so much worse. What if there had been a family crisis? What if the meeting hadn’t been an informal catch-up? What if I’d ended up somewhere unsafe with no way to call for help?

There is a transferable lesson for all the security evangelists – don’t skimp on pre-project assessment of requirements and user acceptance testing when implementing new security controls. Do explore as many usage scenarios as possible and build in a way to deal with exceptions, acknowledging periodic muppetry and forgetfulness is human nature. Yes we need to mitigate the risk of data loss and device compromise, but does that outweigh the risks to productivity and safety of users? Controls can’t whip away the means to get work done in a timely manner and communicate.

Security aside, it also brought home how dependent I have become on my devices. How shuttered from the non-virtual world I can be for large chunks of the day. In some ways it’s karmic retribution for distracted conversations with my kids while updating my blog, working late, or tweeting about security. Retribution dished out by a forgetful 5 year old and a panda.

Want to add to the discussion?

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.