Learning from UN's security failure

The UN has found massive flaws in its internal IT security, for reasons that may be all too familiar in the boardroom
Written by Leader, Contributor

Those who prefer convenience to security may find they end up with neither.

This is the fate of the United Nations Galileo logistical system, which has failed an internal audit. As Galileo is responsible for the international disposition of $2bn (£1.4bn) worth of material, including aid, medical and military supplies, there is no overstating the importance of the report's conclusions: network links were insecure, no mechanisms existed to detect security breaches, and authentication information was devastatingly unsafe.

To add to the fun, backup systems were co-located with the main systems, with frightening implications for business continuity. A determined, informed opponent could have done a great deal of damage at little risk. With IT skills and equipment now widely available even in the remotest of theatres, the UN has placed itself at considerable risk — a risk to which it was seemingly blind.

How did this happen? The headline reason was that there was nobody in charge. But, like most headline reasons, that only raises the further question of why.

The UN is constantly, pathologically underfunded. Decisions were therefore made ad hoc, in a spirit of making do. Communications bandwidth too narrow for encrypted traffic? Send it in the clear, and the problem is solved, for now.

It isn't hard to understand the psychology behind such actions: making stuff work means no explanations to the boss, no struggle for extra resources, no difficult decisions to close down important services on which large parts of the organisation depend. It's also not difficult to see what can go wrong as a result.

In these difficult times, we must be careful not to succumb to the same pressures. When an organisation is in survival mode, resources are being husbanded and everyone's working flat out, it takes a particular strength of spirit to say "no, not good enough" to something that's apparently working well. It's also hard work to justify more spending with no direct effect on revenues, and to demonstrate that something that seems optional is in fact essential.

Yet this responsibility cannot be abdicated. It is hard enough for an organisation to recover from a serious security breach at the best of times. These are not the best of times. Argued in terms of minimising risk, the value of doing it right is clear. Make sure you're equipped to win that argument, and that, unlike the UN, you have all your bases covered.
