Infosec lessons in Manchester United's bum bomb bungle

It all kicked off at Old Trafford last Sunday. Minutes before Manchester United and Bournemouth were due to close out the English Premier League season, someone found a suspect device tucked away in a toilet. It was very suspect indeed - mobile phone taped to tubes, wires - the works. Game abandoned, spectators evacuated, bomb squad gingerly contemplating whether to snip red before blue.

Blue shirts turned to red faces shortly afterwards, as the device turned out to be a ‘very realistic’ fake left by mistake after a security exercise designed to train Snuffles the Sniffer Dog. Snuffles didn’t find this one, and the security consultants running the show forgot all about it. Result: £3 million from the Man U petty cash fund, thousands of seriously unimpressed fans, and naughty people tweeting that it wasn’t the first time unviable fakes had failed to perform at the venue.

Nothing worked in this admittedly entertaining piece of security theatre, the name coined by IT datasec guru Bruce Schneier in his book Beyond Fear for expensive, high-profile exercises that purport to make us safer but just make life worse. For those who don’t want false alarms - or worse - creating costly, unsightly blemishes on the bottom line or their CVs, there are some good lessons.

Consultants and off-the-shelf fixes can be useless, even actively harmful, if you don't understand your own problems. In this case, trained sniffer dogs are less important than having proper security protocols that check under the sink and count the fake bombs. If you're worried about BYOD and cloud creating vulnerabilities - and you should be - then buying in a solution that 'locks things down' or 'provides audited provisioning' won't help if your employees are skilled in running their preferred services over public 4G rather than the enterprise network. (They are.)

If you do know a very great deal about security and how it plays at home, as it’s a safe bet that Old Trafford’s head of such things does, that doesn’t help much either. You’ll know how fast things develop, how unsatisfactory it is to rely on a media fed by stories generated by the IT security industry, and how it’s people, not technology, that cause most problems.

The fix is to turn that on its head. You will have far more security expertise in your outfit than you know, because to be an IT professional these days is to be an IT security professional. You just don’t normally have it on your business card. Among the ranks of developers, sysops, designers and testers, security savvy is a very high status attribute - and the closer an IT worker is to creating or running live systems, the more they’ll know. If you doubt this, pick someone technical down the org chart at random and ask them what they think about your corporate security. Or take a look at the cutting edge of practical IT opsec, mixed-hat conferences like Defcon: the hour-long videos of staggeringly bad speakers on YouTube get hundreds of thousands of views. Chances are, someone you think does something else is soaking that stuff up.

The double mitzvah comes from such people's intimate knowledge of your real corporate culture and actual practices, something no consultant (and, sadly, many upper managers) can easily find out. Oh, and you're already paying for them.

How you find them is up to you. Organise a mini Defcon in the pub after work, and ask anyone interested to give a five minute talk on their favourite security silliness. Plant a quiz or a questionnaire in whatever in-house communications you have. Or just ask people, with some incentive for piping up. (If you can’t work out how to ask your employees questions, you may wish to solve that one first.)

Once you have them, though, give them responsibility and recognition, even if only through informal meetings and regular email round-ups. What is going on? What’s a sensible response? What developments are most concerning them, anywhere in security? How can all the non-IT people in the organisation be brought into the conversation? Often, people in a department with a reputation for knowing about security are the first, unofficial, port of call when someone has a problem but doesn’t want to risk the wrath of Official IT: this gives them both knowledge and influence, and that’s solid gold in keeping companies and workers safe.

None of these are new ideas. B2B marketers know full well that the real influencers and knowledge centres within organisations often don’t correspond to job titles. DevOps theoreticians know that spreading tasks and responsibilities, breaking down silos and not-my-problemitis, improves quality and efficiency. And Manchester United knows that leaving everything down to Snuffles results in a real dog’s breakfast.

People may be the problem in IT security, but they’re also the solution. The most effective team isn’t always the most obvious.

Ask any fox.

Rupert Goodwins

Rupert Goodwins expected to be an engineer, but journalism happened. As an engineer, he worked in defence, for Sinclair Research and Amstrad, in startups and for himself. First appearing in print in 1982 and online in 1984, he's written about all aspects of technology in business for most of the UK nationals and tech magazines, and was most recently editor of ZDNet UK. Tries to solve more problems...