Security and Trust in the Land of the Blind

We are pleased to welcome guest writer Brian Horton, Director of Technology Operations at Duke School (NC), to our blog. In this post, Brian shares his reflections on the ways that technology departments may now serve as trusted sources of information for independent school communities, especially as cybersecurity breaches cause all of us to be more anxious about the safety of our personal data.

Brian's experience after the recent Equifax data security breach led him to share important information with his school community about how to respond in such an instance. One by-product of his outreach has been a strengthening of relationships with the constituents he serves at his independent school. --  SD 

(10-minute read) 

A week doesn’t pass that I’m not reminded of this quotation from Erasmus: "In the land of the blind, the one-eyed man is king." For good or ill, it continues to be one of the most relevant statements on the delicate balance that exists among complex technologies, the people who create and administer them, and the people technology departments serve.

In the past I’ve viewed Erasmus’ observation with a negative connotation, but recently I’ve found, more positively, that we can build empathy for members of our school communities by providing insight, clarity, and direction when they are confronted with yet another highly publicized data breach with potentially terrifying personal implications.

In my school community, I’ve found I have brought real value to our faculty and staff by providing a personable, understandable, and actionable response to high-profile breaches.

Personable

A few days ago at DevOps Days in Boston, Yulan Lin (@y3l2n), a data scientist, gave an excellent talk on communication, in which she defined a concept called “The Curse of Knowledge.” Simply put, it means that once we know something, it’s hard for us to imagine not knowing it. This can naturally lead us to lose empathy and understanding for those who do not possess the same body of knowledge we do.

When something like the Equifax breach happens, we have to think through the relationships we have with members of our community and ask ourselves what they are thinking and feeling while reading the headlines. By placing ourselves “in their shoes,” so to speak, it’s easy to imagine their reactions of fear and frustration. Furthermore, as more systems and institutions are compromised, the societal trust we place in authoritative sources of information is weakened. Therefore, our communities need assistance navigating these issues from a close, known, and personable source. As technology leaders within a school, we exist as the “one-eyed man,” and as such have the ability and the personal connection to assist.

Understandable

Another concept I try to put into action is something I call “putting the cookies on the bottom shelf.” The idea is to simplify or distill complex concepts into an easily digestible form. Using analogies is my preferred method of explaining technical concepts to non-technical colleagues. Adding lanes to a highway can be an example of increasing network link speeds, baking a cake can be an example of operating system deployment via MDT, or candy bars on a conference table can become servers in your infrastructure when you are discussing the impacts of outages and service availability (true story, and, strangely, highly effective). However you do it, you take the fear out of the unknown by making it understandable.

Actionable

Dr. Bessel van der Kolk wrote a fascinating book a few years ago called The Body Keeps the Score. In it, van der Kolk provides an in-depth analysis of the lingering long-term impact that post-traumatic stress can have on a person. One interesting takeaway for me was research that showed the difference between patients in traumatic situations who suffered from PTSD and those who possessed “agency” in escaping or removing themselves from the danger rather than remaining trapped. Fear causes an adrenal reaction intended to drive us to action to remove or remediate the source of our fear. Therefore, when addressing fear-inducing events, we want to provide the reader with next steps that can educate, prepare, or protect them from the source of that fear.

A Response to the Equifax Breach

Below is an email I drafted for my staff in regards to the Equifax breach. It’s a bit rushed compared to others I’ve sent, but you can get the idea. Look for the ways it is Personable, Understandable, and Actionable, and you’ll see what I mean.


Dear Colleagues…

This is a longer email than usual, but I’m going to include some info from InfoSec groups (basically good/nice/decent/non-malicious hackers) and some information from KnowBe4, a trusted security auditing company, on what you should do moving forward.

Here’s the information we have at this time in relation to the hack:

  • This may be the worst breach of PII (personally identifiable information) data ever.
  • Equifax’s claim on its website that it can help you identify if you’ve been compromised is a sham. It claims everyone, even Sparky the Dragon with SSN 111-11-1234, is compromised and needs to sign up for credit monitoring service.
  • There is currently no verified public information about who perpetrated this breach or how.
  • The stolen information is not currently for sale through the normal channels. This is actually troubling. It means it’s not just a smash and grab, and there is a plan for the data.
  • Credit freezing is the best option at this time; however, credit freezing removes a source of revenue for the credit agencies.
  • Equifax is “supposed” to be sending direct mail notices to those genuinely affected by the breach. 

Lately Twitter has produced a wealth of people and resources that can be of use in situations like this. 

Patrick McKenzie, who arguably has the most exciting hobby ever, started a “Tweet-Storm” (not my term) that he consolidated into a blog post: "Identity Theft, Credit Reports, and You". I highly recommend reading and saving his blog post in the event something nefarious does happen with your credit.

The big takeaway here is to write letters, don’t yell at anyone over the phone, and don’t threaten to sue anyone. 

Finally, here is a form letter of advice from KnowBe4. It’s pretty good advice for the moment. However, most credit agencies’ websites for freezing credit are down right now due to excessive volume. The agencies are also not particularly motivated to make that easy for you, as locking credit removes one of their revenue streams….

[For the full text of recommendations by KnowBe4, see Stu Sjouwerman, “Scam of the Week: Equifax Phishing Attacks,” Security Awareness Training Blog, 9 September 2017.]

If you’re interested in keeping up to date with the latest information in regards to this (and other infosec news), I recommend these Twitter accounts and websites:

https://twitter.com/briankrebs
https://twitter.com/SwiftOnSecurity
https://motherboard.vice.com/en_us
https://www.engadget.com/

Thanks,

Brian Horton


This email was well received by the school community; the information provided gave the recipients insight into the situation, understanding, and a means of personal empowerment. It was particularly well received by some of our older teachers who have traditionally been wary of technology. Ultimately, while the greatest benefit of communication like this is to the staff, it also serves the technology department well in building a relationship of empathy, trust, and mutual respect. In time, this accumulated relationship credit will allow for greater receptiveness during future trainings, a deeper understanding of the complexities of the IT world, and trust that our motives in introducing change are in the best interest of the school and themselves. It’s an old saying, but it still holds true that people don’t care what you know until they know you care.
