What’s the cyber-security policy in your organisation? Is it common to share login passwords with your colleagues? Because that’s how it works in the House of Commons – according to one MP at least.
Responding to the row over just who might have had access to Damian Green’s computer – and therefore potentially used it to view pornography – Nadine Dorries tweeted this:
“My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Green’s desk was accessed and therefore it was Green is utterly preposterous!!”
Later she went on: “All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?’”
Cyber-security Twitter was horrified. “Nobody, whatever their seniority, should have anyone else’s login details,” said technology writer Kate Bevan.
“I’m going to assume UK MP @NadineDorries didn’t admit to such crazy infosec practices, and instead just had someone else use her Twitter account instead,” said security blogger Graham Cluley.
Ms Dorries explained that MPs dealt with vast amounts of email, so had to give staff the ability to read them and respond. But plenty of people pointed out that you can give an assistant access to your email without handing over your password to the whole system.
Troy Hunt, an Australian cyber-security researcher, says: “This illustrates a fundamental lack of privacy and security education. All the subsequent reasons given for why it’s necessary have technology solutions which provide traceability back to individual, identifiable users.”
Now this all raises the question – does the House of Commons have a cyber-security policy? And if so, what does it say about logins? After all, this summer Parliament was hit by what was described as a “sustained and serious” cyber-attack by hackers trying to access MPs’ email accounts.
It turns out there is a chapter in the House of Commons staff handbook which is very clear on this matter, and on the care needed to be taken with sensitive information stored on computers. Among a list of things it says “You MUST NOT” do is “share your password”.
Pretty clear then? Ah, but that applies to staff, not their bosses.
‘Arrogance, entitlement and ignorance’
I consulted a couple of MPs – one Conservative, one Labour – about their attitudes to cyber-security.
Both said that they would not dream of sharing their computer login – but admitted that most of their colleagues were far more lax.
One told me that in general House of Commons cyber-security had been “really really bad”, although it had improved since the July attack.
The MP went on: “Most MPs have that fatal combination of arrogance, entitlement and ignorance, which means they don’t think codes of practice are for them.”
The other member – who had, by the way, come under attack from Russian hackers – said that it would be hard to enforce any code: “Ultimately this is a result of each MP and their office functioning as entirely independent small businesses. If one person wants to make daft decisions there is no way of forcing them not to.”
Every year on Safer Internet Day we are lectured about ways of securing our computers from the growing threat from criminal hackers. Perhaps next year the organisers need to make the House of Commons their first stop.