Janie Slaven: LEFT TO MY OWN DEVICES: The human factor in information security
Jan. 27—All too often, I and countless others who care about information security and privacy lose sight of one of the discipline's fundamental truisms. Security and privacy, while typically discussed in terms of online and other digital information, attend to real-life, tactile, tangible information, too. As I teach about InfoSec, so much relates to the bits and bytes, the ones and zeroes, that it is easy to forget that, for example, without door locks and other physical security defenses in place, there is little point in securing the information maintained on servers behind those wide-open entry points.
Physical security, like your own attempts to thwart burglars, is part and parcel of organizational information security systems. The same goes for face-to-face conversations, where you need to know who you are divulging information to, and whether they have the need-to-know quality that makes them privy to your information. One of the tactics of any hacker worth their salt is to polish social engineering skills to overcome barriers in these veins. They not only have the technological know-how to break into secured systems and steal data, they also can be quite savvy when it comes to gleaning information firsthand from others. It's just one more tool, and one that might be akin to physical security in that both are related to, but distinct from, all the digital ploys.
Keeping in the analog lane, as it were, the one [nearly] peerless way to preserve the privacy of your information is to not allow it to escape your mind in the first place. You can have a thought, any thought, and so long as you never write it down, click it into a text message, email it, or otherwise place it into the ether ... totally private and secured. This is an unfortunate approach to security, though, because then no one will ever benefit from your ideas, plans, and thoughts. They're secure, sure, but what good are they?
A little further up the analog-to-digital continuum of information's pathways, we can let information into the environment, but without putting it into the vastness of the interconnected networks that make up the information superhighway. I am talking about paper documentation. Now, I'll grant you the 21st century convention that nary is the printed, hard-copy document that did not at some point have a connection to technology. Few of us still have a working typewriter, or a disconnected word processor machine, or any other mechanism that would let you memorialize a thought on paper without the letters and characters first coming from their computer coded roots. Maybe, just maybe, you can type up a Word document without it invoking any network travels. That's pretty rare, we all agree.
For the sake of this column, though, let's pretend that there is a useful, security-based argument to silo information security into three camps. First, consider all that super private information that comes to your mind and never escapes. These private, ever-secured thoughts don't make their way into the public domain because you never share them. Utter security. Though, depending on their nature, you may need to eventually share them with a therapist.
At the other end is the fodder of this column week after week: digital, networked information. The biggest of lions, lion's share of information is transmitted, and thusly vulnerable, because of the convenience and effectiveness of modern-day technologies. It's almost no wonder that hackers home in on digital information. They know we're careless users, and their care easily overcomes our "security."
In the middle sits all the information that is paper-bound, and let's continue with the ruse that the data gets onto a sheet of pressed, whitened pulp without the influence of networked computer systems. It would seem that this type of information storage is more prone to leaks and breaches than pure thoughts, and that without accessibility given to computer criminals it is more secure than that mode. Enter, the current and former presidential administrations.
With both presidents and both political parties represented, and naturally two distinct throngs of administrative support—from cabinet members to aides, and extending outward indescribably—the notion that paper-based, disconnected information is quite secure seems laughable at this point. From the Mar-a-Lago and Delaware-Pennsylvania examples, it does not take a security expert to ascertain that merely keeping things analog does not keep the risks in check.
Your banking information, the healthcare data you regularly manage by completing those HIPAA forms at the doctor's and dentist's offices, and all the rest of what seems precious and protectable surrounding your personal life ain't squat as compared to what was mismanaged by these two so-called leaders of the world. It is telling that they both had at their disposal limitless resources to levy toward protection. If you ever even contemplated signing up for some sort of cyber-protection, or if your business received cyber-insurance quotes, you know that keeping digital information secure is costly. Not for those two.
Then, they had the extra benefits of countless cybersecurity professionals' expertise on tap. The true thought leaders, and technological geniuses, were all available to help maintain national security over the troves of sensitive documents recently discovered unprotected. Money to throw at the issue plus unbounded talent to mitigate the risks, and thirdly the clear guidance under the laws all amount to great advantages, not to mention a simple moral imperative to protect the citizenry. For us, and our lowly but personal information we have, what, an anti-virus program and some password strategy? Still, you likely do better than those two.
All this should remind us that it's not the technology, alone. It's not the resources. Those help secure information and maintain privacy. They're useless, though, when the most important factor, the human factor, drops the ball, big time in these cases. Put yourself, first, into your information security. Only then find helpful tools.
Ed Zuger is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at firstname.lastname@example.org.