
At a recent roundtable discussion hosted by Ice Miller, leaders of Indiana companies gathered to discuss trends, challenges and opportunities in data security. This blog shares their insights from the discussion.

Phil Repp, Vice President for Information Technology, Ball State University
Thanks to all for a great evening on the security roundtable!
I was struck by the shared opinions on social media and its link to information security practices. We seemed to agree that IT organizations can only do so much and the primary, and most critical, strategy is to educate the user of social media. Abuses of privacy and exposing personal information will end when people stop responding to phishing or other tricks that ask for personal information. Information security starts with a single individual.
There is a wealth of data on individuals out on the Internet – location, banking information, medications, heart rate data from your morning run, caloric consumption, personal ruminations, maybe even your shoe size! Before a user sends any or all of this kind of data into the cloud, he or she should stop and think before they reveal – yes, even your shoe size. Watch what you click, make sure it is a secure site, and read the privacy policies first. How many people have read the privacy policies for Facebook or Twitter? Probably very few! Know that scams are everywhere, so be wary and vigilant.
Brad Wheeler, Vice President for Information Technology & Chief Information Officer, Indiana University
One challenge that we face in our organization is the constant task of educating a large number of staff, students and faculty on the importance of practicing safe habits when working with data. The most common security issue we experience is not the result of malicious, intentional acts by hackers or employees, but rather irresponsible mistakes by good-intentioned employees (e.g., placing valuable data onto an unsecured thumb drive, then misplacing it). While there is no way to completely prevent this type of security breach, we believe that by providing our staff, faculty and students with an abundance of information on safe network practices and proper data handling, we can hope to greatly reduce the likelihood of a security breach.
In regard to malicious actions by hackers and employees, what we have seen in other organizations are coordinated, planned attacks. For example, one specialist is hired to break into the system, another specialist is hired to enter the system and wait (sometimes for months) for the valuable data to come across so it can be taken, then another specialist is hired to come in afterwards and remove all traces of the entry. This type of organized attack is difficult to plan against and even more difficult to discover. Leaders of IT organizations will need to take a proactive approach in dealing with these concerns.
John F. Frank, Sr. Vice President & CIO, Brightpoint North America
I walked away from the roundtable with the following thoughts:
Everyone represented is highly aware of the possible security issues their respective companies face, and has implemented the best measures available with the resources, tools, and money that are available. Everyone recognizes that a security issue is inevitable no matter how many safeguards you put in place, and there is a point where no amount of money can guarantee a breach will not occur, so each organization has to do their best to safeguard the highest impact areas within reason.
One of the best ways to predict a secure environment is to hire the right people into your company. The most damaging and most difficult to identify security breaches are the ones that can be caused, usually inadvertently, by an employee. We need to hire and employ people that use a bit of common sense, and are willing to periodically participate in company awareness training. Data, stored and moved digitally or in small media, are the most vulnerable. This is where the aware employee is essential to the protection of the company.
All agreed that the biggest outside threat comes from rogue countries that are bombarding our systems with SPAM, viruses, and other insidious attacks that could risk a broader or global Internet crisis. This is the one risk that no single company can fight, and there is a big question mark as to whether state, federal, and international governments have this scenario planned and mitigated.