drig's Journal: User Friendly vs Security

Today my company was introduced to the new online portal for our medical benefits. I was shocked to find some of the most shoddy security I've seen. When I questioned the presenter about it, his response was "we wanted to make the system user friendly".

Okay, I understand that sometimes security measures can make a site more difficult to use. Password restrictions, automatic logouts, extra confirmations, etc. all make the site flow less easily. But, I have to question if that is the end-all of friendliness.

I, personally, wouldn't consider a system that spews my medical and payroll information to any hacker who cares to try friendly. How friendly is it to find out that I have no health insurance because someone turned it off without my permission? How friendly is it if I start getting calls from pushy brokers and TrendWest because they found out I make more than I spend?

I'd say this guy misunderstood both words in "user friendly". I think he meant "easy for us to develop" or maybe "appears easy to use" rather than "does what the user wants". He mistakes a couple of marketing people as representing his users. He mistakes friendly for easy. He doesn't recognize the bigger issues.

So, I wrote them. I got back a response that says things like "that's not an issue" and "we've determined this isn't a security problem".