Security group: Humans are weakest link

Humans may be the weakest link in securing information systems, according to a panel of experts at a conference organized by Computer Security Institute (CSI), being held in Washington, D.C., this week.

A panel during the conference’s Wednesday morning session was dedicated to examining the role that people play in securing digital information. CSI is a membership organization that provides training and events related to information security.

U.S. Senator Bob Bennett, a Republican from Utah who is a member of the Republican High Tech Task Force, introduced the session by calling on the audience of security professionals to make contributions to their company’s information security that go beyond technology and engineering. “Computers can’t protect, only people can protect,” he said.

Specifically, Bennett urged the audience to convince their company executives that data is as important to a business as capital is. “American business has to start to think of data with the same reverence that it thinks of money,” Bennett told the audience, many of whom nodded their heads in agreement.

A company’s chief financial officer builds layers of control around handling money, such having more than one person sign checks or hiring outside firms to perform audits on accounting books. “There are redundancies to protect the money, we need the same kind of attitude to protect data,” he said.

The senator asked the audience to make their companies’ executives realize this, by coming out of “Nerdville” and demonstrating that their concerns about information security are rational and appropriate.

Following the senator’s speech, a recently formed group called the Human Firewall Council announced a free utility on its Web site that lets visitors assess their organizations’ security awareness by answering survey questions. According to Doug Erwin, council member and chief executive officer of PentaSafe Security Technologies Inc., 350 individuals have already taken the survey, and many of them did not score well.

Beyond answering the survey questions, Erwin told the audience to challenge existing security policies that don’t make sense to them, and to become company evangelists for protecting data. Securing company information “is not just the security manager’s job, it’s everyone’s job,” he said, adding that in the chain of security, people are “the weakest link.” (Erwin joked that he coined this phrase, which is the name of a popular television show.)

Brett Hovington, council member and national coordinator for the U.S. Federal Bureau of Investigation (FBI)’s National IfraGard Group, said that understanding the human component, or identifying who is behind the keyboard, is essential to solving information security breaches. The FBI has begun profiling cyberintruders, much as they do serial killers, to help them understand behavior and motivations behind attacks and hopefully identify attackers.

Another council member, independent security consultant Charles Cresson Wood, lauded President Bush for establishing an executive organization to head up security, after the terrorist attacks of Sept. 11, and suggested businesses do the same. “President Bush is doing what every organization should do, creating a new organizational unit to come to terms with new threats,” he said, referring to the U.S. Office of Homeland Security.

The Human Firewall Council is at

CSI can be reached at