Janie Slaven: LEFT TO MY OWN DEVICES: Security starts with the cheap, easy stuff

Oct. 7—Taking responsibility for your information security and privacy, both being at risk every time you fire up any connected device, can seem laborious, boring, confusing, frustrating, unattainable, redundant, wasteful, or redundant. In a viable sense, anything exerted toward securing our privacy tends to take second fiddle to energy expended toward propelling and growing our lives (and possessions). If you can imagine listening in on a boardroom, you can see how likely these sentiments are to arise.

Stanley C. Kyuridal, Chief InfoSec Officer: "To be diligent and vigilant, I say we invest the $1.25 million in physical security enhancements for our sites, and the added cybersecurity improvements and insurance so that we're prepared and defended."

Samantha Sellers, Chief Marketing Officer: "That money should go into promotions and sales support. When we make more, we then have more to invest in security. Until then, though, we're shooting ourselves in the foot by wasting money on something that doesn't pay back."

Sellers is right to a degree, but so is the CISO. Security is an expense that does not seem to directly pay off. Let's say that you're sitting around the dinner table discussing whether to install a home security system. The company provides the hardware—cameras, the keypad, etc.—for free or at a discount. They may even perform the installation. For most of those firms, the real revenues are in the monthly fees. Your family is debating whether the $1,000 every year is a worthy investment. Of course, everyone at the table has an idea of where that grand can go. Those ends tend to provide more of a "get" than shelling it out just in case something anomalous happens when a break-in is attempted.

Preparing for some disaster in the manner of spending money to mitigate it might always seem wasteful ... until it's not. That's the bane of the insurance industry: How will we tantalize the masses to invest in their security—health, auto and home, legacy of life—when (other than that last point) every prospective client knows that their risk is lower than that of the population at large?

In all this boardroom and dinner table discussion, the outlay is monetary. Being more secure doesn't always entail shelling out hard-earned dollars. I might opine that being diligent and vigilant around cybersecurity comes at almost no cost. Well, no hard costs, but you will need to invest time. What I'm alluding to here requires nothing more than paying attention when your smartphone, tablet, or laptop alerts you that you need to update your software or operating system.

One of the lowest hanging pieces of the security tree's fruit is to take a few minutes, a few times a year, and click a few links. That's it. Watch, read, click, updated! I'll admit that it never goes so perfectly. Restarting machines requires effort. The updates may not actually suit your hardware, and you don't learn that until halfway through. You'll have to scrounge around for your user credentials sometimes, and hopefully not by merely looking under your laptop for the sticky note (we'll have another day for that, but Stop It!). All those efforts notwithstanding, your scant time invested in keeping up-to-date software and operating systems is not security theater. You are more likely to thwart information dangers by taking these easy actions than you are to avert terrorism by showing us your holey socks at the airport.

When you keep your own devices more secure, even by these slightly time-consuming ways, you keep the entire network, your digital community if you will, more secure. Some would argue this is part of our social contract. I would argue that it works, it's easy, and you'll thank others who keep apace. Yet, even in the most organized, well-funded, and presumably technologically sophisticated environments, the fruit ripens too far and rots, wasted on the vine.

In the Veterans Affairs Administration, leaders were reminded of this reality during a recent audit. Now, first, I will admit that with an organization as vast and impactful as the VA, it's not like you and me plucking away on a handful of devices at home. We can keep things current with those few minutes every couple months. At the VA, there's an entire Office of Information and Technology charged with these, and countless other, responsibilities. There are nearly 400 information security officers in the VA's organization. A billion documents and four times as many image files are at issue. According to its locations website, the VA and its OIT serve 1,957 facilities.

Updating Windows at the VA is no small feat, then. The audit reflected how challenging it is. At just one healthcare facility that intakes thousands every year, the security assessment found over half of its hardware lagging in terms of being up-to-date. Again, this is the easy stuff like simply pulling your front door shut whenever you leave home. If you can't get that much straight, even the most bungling burglars can abscond with your valuables. In fact, the independent audit's primary recommendation, one espoused by the Office of Inspector General's report on the vulnerabilities, was nothing more than to maintain an inventory of the enormous network's hardware. If you and your family are not even aware of all the doorways into your abode, it'd be hard to expect you to close and lock them all whenever you leave.

The VA tends to undergo great scrutiny, not only in the security domain. Here, there's a lesson to be had for your own sake. Start with the easy stuff. Update your machines whenever they and their artificially intelligent "selves" tell you to. If you can follow that relatively cheap, easy direction, you'll save time and money in the long run, and maybe even have the resources and inclination to further protect your privacy and sensitive information.

Ed Zuger is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at edzugeresq@gmail.com.