IT Department Jeopardizing User Security to Cover Up Poor Performing Internal Applications

We were recently involved in the selection process by a large East Coast municipality of a construction management information system. During the technical interviews, the department’s software architect wanted to know if data could be transmitted unencrypted to speed up performance. Our answer was absolutely not, and why would anyone want to do this? His use case was that field personnel working on cellular Internet access or public Wi-Fi systems could experience performance problems due to the additional overhead of encryption.

We found this question very troubling, considering that the data our clients move should be protected at all costs. Drawings, photographs, specifications, security plans, and all the other project data of client projects should never be transmitted unencrypted, especially over public Wi-Fi networks. He went on to explain that he did this to improve performance from the end users’ perspective. This is obviously a case of trying to compensate for a poorly written application and a lack of knowledge on the part of the department’s architect.

With today’s Internet and computer speeds increasing every day and the constant threat of hacking and information theft, data should be encrypted at all times. The overhead cost of encrypting all communications is incredibly small compared to the cost of compromising or losing your data. Many of our clients operate in rural sites using cellular access, satellite access and fixed-line wireless without our security impacting their performance.

To put into perspective the low performance cost compared to the security benefit, even Facebook and Twitter encrypt user data being transmitted from the end user back to their servers, and most of this data has no security value beyond celebrity gossip. This is a classic case of an IT executive having no idea what their end users are doing and protecting their turf at the expense of user productivity and data security.