Bits and Bytes

Recent stories of hacking, FBI investigations and foreign influence on our elections will undoubtedly result in new legislation and vigor enforcing compliance with information security regulation and best practice. The organizations "hacked" had the best security money can buy -- Firewalls, secure facilities, encryption and still sensitive information ended up in the hands of bad actors due to the most common and simple method of attack. The take away? The most vulnerable aspect of any security program is people -- Me, you, us!

The majority of "security spend" by business is on devices and technology designed to fluxom super-nerd hackers probing hardened systems for weakness. Little time and money is spent addressing the most vulnerable and frequently exploited aspect of the security equation. A colleague recently said to me, "If I had a security budget I'd spend 75% of it training our faculty and staff. I have an equipment budget, so I buy security equipment because it's necessary, we know how to do it, and I don't need the cooperation of others to get it done." The comment was offered with the wry grin and chuckle that only the truly frustrated can muster.

There is a certain wisdom in this statement that we all need to acknowledge, embrace, own and act upon. Does anyone build a wicker safe and then purchase the best safe door money can buy to make it better? Sadly, yes and it's common practice. Recent events should be interpreted as a call to action to secure ourselves and Knox by strengthening the most vulnerable aspect of our program. How can we turn wicker into steel? Read on...

We're ready to launch our first tool to assess security posture. Where do we have 1.5 million documents with little visibility into who can access them or what's in them? You guessed it! Google Drive. Drive is a powerful collaboration tool allowing YOU to create DOCUMENTS and SHARE them with COLLABORATORS. It has revolutionized the way we work. The operative words -- YOU and SHARE. Do you know what you are sharing and with whom? This tool is designed to help you manage this. Keep an eye on your e-mail for a message with the subject: Google Drive Publicly Shared Documents. As the title implies, it'll contain a list of documents anyone in the world with an Internet connection can see. This is a warmup exercise... Keep your eyes peeled and take action.

There are several avenues for training and we're looking into all of them. Our goal is to have an online program that can be completed individually and is always available. Federal regulation requires us to have a training program and our employees to train annually. We hope to move the needle on this soon. Stay tuned.

In the coming weeks look for the Knox Written Information Security Policy (KWISP). This could easily be a 250 page mind numbing document that gathers dust and holds up computer monitors. It's not going to be. We're going to start small and get something out there as quickly as possible -- and then go to work improving it, making it meet our needs, address our weaknesses, and ensuring it remains relevant as regulation evolves, technology advances, and new threats emerge. Your insight, input, ideas and cooperation will be instrumental.