Kris Rowley, CISO, state of Vermont

A bear ate my phone. Utterly ridiculous. Or is it? For those of you who may not know of this reference, there was recently a story out on the internet about a person distracting a bear by throwing a cell phone at it in order to make a quick escape. I know of this first hand, as I am the originator of the story. Much to my amazement, it went around the world in about two days. Also, to my amazement, it became more fanciful as it traveled.

The story was originally posted on a legitimate, well-respected website, written by someone who should be a reliable source. However, as the story traveled and the bloggers blogged, the tale grew and the original information changed. People took the information at face value – even in its exaggerated form – based on a single source. The last version I read was titled, “U.S. Woman Fends off Grizzly Bear Attack With Cell Phone.” I stopped reading after that.

What does this have to do with information security? Everything. This is an example of how information, left unattended, will lose its integrity. As security professionals, our job is to ensure that the information and data we are entrusted to protect remain confidential, available and intact.

In these times when budgets are tightening, companies are downsizing, data breaches are making headlines and large businesses are losing credibility, how do we approach this challenge? Data security is a multifold problem that calls for a layered solution. Even with all the layers in place, there are still data breaches and losses.

We can write policies that set out the best practices, rules and regulations regarding data protection. In fact, strong policies are critical in this arena, as they are the guiding force of a solid security stance. Unfortunately, enforcing policy is difficult in many companies, and tracking compliance with it is harder still.

Technology is another approach to protecting data. However, technology comes with a high price tag. With IT budgets being chipped away in the name of cost savings, technology solutions are usually the first to be eliminated. Also, technology solutions can be breached, undermined or worked around by anyone savvy enough to do so.

Technology, while absolutely necessary in our high-tech, web-centric world, is not the be-all and end-all when it comes to computer security. It is certainly critical to have properly configured firewalls, intrusion detection systems, spam filters, etc. However, all the network security in the world isn't going to keep networks safe if employees are not properly trained.

According to a study done by Stellar Information Systems Ltd., human error is the single largest contributor to incidents of data loss and corruption. These errors include, but are not limited to: accidental drive formatting, erroneous file or folder deletion, MIS/administrator errors, and mishandling of data.

Unwitting end-users infect their work computers with malware by clicking on pop-ups, downloading files from the internet, opening links from unknown sources and a variety of other avenues. The results can be devastating to a network. There is also a growing mobile workforce, which brings its own unique set of security hazards. Unencrypted USB drives, laptops, PDAs and other portable devices, which are easily lost or stolen, are an increasing threat to information security.

Some say that, with enough technology, information security can be achieved. Many users take that stance. End-users often feel that they are “safe” on the company network because of the security measures that have been put in place. Because of this false sense of security, they feel they can traverse the internet at will and click on whatever appears on their screens.

Employee education programs, from the time of hire through termination, are essential to continued information security. End-users need to have a solid understanding of the limitations of technology. Education-awareness training at the time of hire should include an orientation to computer usage best practices, a policy review and a test to ensure understanding. There should be annual review programs for all employees. The reviews should cover any changes in policy, changes in any regulations that may apply to the user, and a general review of security awareness. There should also be modules created for specific users. These modules may be aimed at management-level employees, or may pertain to specific regulations – such as HIPAA or SOX, for example – if the individuals work in environments that require such knowledge.

Keeping information security in front of employees is essential. Posters and daily security tips that appear on the home page when a user logs on to their computer are examples of ways to keep employees informed and aware of security throughout the year.

A strong, enterprise-wide security posture includes the use of both technology and employee training, along with continued awareness. One cannot work without the other. When information is left unguarded, strange things can happen to it, like grizzly bears eating cell phones.