Employees could be the weakest

Ira Hobbs

When the conversation turns to cybersecurity, some people almost automatically seem to focus on the complex technology that is required to fend off the hackers, cybercriminals, cyberterrorists and others who would attack governments and companies through their computer networks. Securing systems in an increasingly networked environment is a virtually impossible task, some say.

A report last year by the Computer Security Institute found that 91 percent of companies it surveyed admitted to having had a security breach of their systems. But the real number is likely higher because many attacks go unreported.

Corporations fear that security mishaps will shake investor confidence and drive down stock prices. Governments may not issue stock, but they too rely on public confidence, and the security situation in the public sector is probably worse.

Despite our best efforts, systems remain vulnerable. Implementation of effective controls is lagging. Adequate funding will forever remain a hope. Most security funds go to authentication systems, firewalls, antivirus software, virtual private networks, intrusion detection, encryption and other technology that is absolutely necessary.

And yet, no matter how much technology you insert or how much you spend on hardware or software, it is the human factor that can so easily undo your best efforts. The people who use the systems are the most important component in protecting vital information.

Cybersecurity quite simply is a people issue as much as a technology issue, and anyone who doesn't pay attention to the users will live to regret it.

Thus a successful program to improve security has to include robust education so people have the information they need to protect personal and system data.

My grandmother, and probably everyone else's, used to say, 'Loose lips sink ships.' She was talking about careless speech. Carelessness with the computer itself can be even worse. There are still employees who write their passwords on Post-it notes and stick them on their monitors.

Or take the employees who think that computer viruses are things that happen to other people. They open interesting-looking e-mail first and ask questions later. They just have to check out all of the little executable files that come from who-knows-where. Often they receive a cute little something that makes them laugh, blissfully unaware of what nefarious program might be lurking in the background.

Because the Internet has linked virtually every computer, many experts believe that security will get worse before it gets better. That's a sobering thought.

But in any event, for computer security to be effective, employees must be individually aware of the risks and their personal roles in mitigating them. They need the skills to take precautions. For example, accessing a home e-mail account through the browser on your agency's system could cause messages to unwittingly bypass your firewall. For those sorts of issues, managers must ensure that people receive the training they need and that they are motivated to utilize it.

Ira Hobbs is deputy chief information officer at the Agriculture Department and a member of the CIO Council.
