If you've ever paid taxes, filed for unemployment, applied for a driver's license or attended a state college or university, your personal information is somewhere on a state server.
The people responsible for keeping that information secure gathered Tuesday to hear about threats from increasingly sophisticated cyber attacks and the growing use of mobile devices, especially those that employees bring to work from home and could potentially misplace.
Keynote speaker Rob Ayoub, security strategist with Fortinet, compared the problem to a zombie attack.
“It might as well be out of The Night of the Living Dead,” he said.
Before, the IT department set technology policy for a business or organization, he said at Tuesday's eighth annual Nebraska Cyber Security Conference at Southeast Community College in Lincoln.
Now, with the “bring your own device” trend, the demand is coming from all fronts, Ayoub said. “That push is coming down from the CEO, or from the users themselves, saying, I need to use this device, and you, IT, have to support it.”
IT research firm Gartner said in a May report that 38 percent of companies expect that they will stop providing company-issued smartphones and other devices to workers by 2016. Executives said allowing employees to provide their own would save money, increase worker satisfaction and help make the workforce more mobile.
But Gartner analyst David Willis said in the report that only about one in five executives believe they have made a strong business case for the shift. He said: “Mobile initiatives are often exploratory and may not have a clearly defined and quantifiable goal, making IT planners uncomfortable.”
Before they start shooting zombies, or buying popular mobile device management software, Ayoub said information security professionals should first get policies in place about who can use mobile devices at work, and for what reasons. They should also evaluate the security of the core network, making sure they are blocking phishing sites, scanning email content and blocking malware.
“A lot of traditional security controls, people forget about,” Ayoub said.
Speaker Jill Klein of Sirius in Omaha also advised having data and device use policies in place up front.
“When they leave Starbucks and they leave that phone there, whose fault is it?” she asked. “It's going to be IT's fault because they didn't secure that device and they didn't have a policy.”
And she agreed with Ayoub that an organization needs to think up front about what data employees need, when and why.
With devices, she said, “We're in that 'cool' stage right now — everyone wants one, but they don't know what they want to do with it.”
The State of Nebraska is moving cautiously into allowing employees more mobility, and is looking at software that would allow it to access and lock devices remotely, said Jim Ohmberger in the Office of the Chief Information Officer.
Nebraska's state agencies have erred on the side of being conservative about allowing employees to use their own devices on the job, Ohmberger said. A human services caseworker, for example, would be limited to a state-owned device. The presence of state risk manager Shannon Anderson at the conference underscored the concern.
“The cost of a breach has very high penalties,” Ohmberger said.