Learning from UN's security failure

Summary: The UN has found massive flaws in its internal IT security, for reasons that may be all too familiar in the boardroom

TOPICS: Security

Those who prefer convenience to security may find they end up with neither.

This is the fate of the United Nations Galileo logistical system, which has failed an internal audit. As Galileo is responsible for the international disposition of $2bn (£1.4bn) worth of material, including aid, medical and military supplies, there is no overstating the importance of the report's conclusions: network links were insecure, no mechanisms existed to detect security breaches, and authentication information was devastatingly unsafe.

To add to the fun, backup systems were co-located with the main systems, with frightening implications for business continuity. A determined, informed opponent could have done a great deal of damage at little risk. With IT skills and equipment now widely available even in the remotest of theatres, the UN has placed itself at considerable risk — a risk to which it was seemingly blind.

How did this happen? The headline reason was that there was nobody in charge — but, like most headline reasons, that begs the question of why.

The UN is constantly, pathologically underfunded. Decisions were therefore made on contingency, in a spirit of making do. Communications bandwidth too narrow for encrypted traffic? Send it in clear — problem solved, for now.

It isn't hard to understand the psychology behind such actions: making stuff work means no explanations to the boss, no struggle for extra resources, no difficult decisions to close down important services on which large parts of the organisation depend. It's also not difficult to see what can go wrong as a result.

In these difficult times, we must be careful not to succumb to the same pressures. When an organisation is in survival mode, resources are being husbanded and everyone's working flat out, it takes a particular strength of spirit to say "no, not good enough" to something that's apparently working well. It's also hard work to justify more spending with no direct effect on revenues, and to demonstrate that something that seems optional is in fact essential.

Yet this responsibility cannot be abdicated. It is hard enough for an organisation to recover from a serious security breach at the best of times. These are not the best of times. Argued from the context of minimising risk, the value of doing it right is clear. Make sure you're equipped to win that argument — and that, unlike the UN, you have all your bases covered.


1 comment
  • Super Civil Service

    Having spent a period of time with one part of the UN, I am well aware that it is a creaking poorly organised organisation, grossly inefficient and full of well meaning people. The leaders are all determined that their part of the organisation will show up better than others but it is unfortunate that many of the managerial staff are recruited for national or political reasons rather than dedicated enthusiasm.
    The UN has grown out of all proportion since its inception and, in my opinion, has lost much authority and influence by so doing.
    Many of its functions are of comparatively short to medium term need and would be better contracted out to private companies or local nations rather than keep a large worldwide UN staff.
    Security of logistics would be better farmed out to a proven commercial organisation - maybe an international supermarket?