Trying to contain farm animals who are surprisingly creative and adept at getting around barriers has a lot to teach us about how to approach our efforts at protecting data from crafty users. If I’ve learned anything in my two decades of working in the InfoSec industry, it’s that the practical application of securing data can be challenging. Every time I start to feel like I have a pretty good grasp on how to protect my data, something will occur that makes me realize how much a seemingly simple error can cause big problems.I’ve found no better metaphor for these errors than my constant battle to keep our farm animals contained. In certain circles, it’s a common truism that “if your fence won’t hold water, it won’t hold a goat.” Many of us who’ve tried to protect data for and from humans will recognize this sentiment. Both critters and computer-users are astoundingly adept at going through barriers in creative and unexpected ways.No matter how complex or how old the vulnerability is, patch it anywayWe became aware of a hole in our fence that was accessible only by entering a narrow alley that was protected by a gate, which was bungeed in place. Our goats had gotten stuck in this alley a couple of times, and it unnerved them so much that I figured they wouldn’t bother exploring it further. A few months later, one of the goats figured out that not only could he move the gate if the sheep offered “assistance” (read: head-butting the goat because he’s in the way), but if he stood up and turned the other way round, he could comfortably shimmy his way out of this hole.While it might seem like this convoluted turn of events would be a one-time fluke, it happened twice in 12 hours. If the reward is sufficiently great, they will find a way. Understand and explain the reasoning behind recommended guidelinesWhile raising our first clutch of ducklings, I had read that you should wait a few months before clipping their flight wings. So we waited the recommended period of time, erring on the side of waiting a little longer just to be safe. Two days after the specified date, the ducks flew into the neighbor’s yard.In retrospect, it seems obvious that I should have investigated further to see if there were a way to visually assess when they were ready. When a subject is new and sensitive, it can be tempting to just accept the word of experts without question or to draw incorrect conclusions based on mistaken assumptions. When you train users, or get training yourself, make sure that “why” is covered as well as “what”, “how” and “when”. Risk assessment should be an ongoing taskOne morning as I was feeding the chickens, I accidentally startled a hen. Her alarm calls unnerved a twitchy, young rooster, who flew towards the netting around their enclosure. I hadn’t realized that during the previous night a leaf had fallen onto the netting and created a gap between two sections that was just wide enough for him to fly out.It doesn’t take much to make a change big enough to cause problems: by constantly monitoring our assets, we can help mitigate new risks.Multiple defenses can balance security and functionalityIt would be lovely if we just could let our animals roam as they please. But I have it on good authority from the local rabbits and deer that our neighbors’ roses are delicious, and that there are hungry predators nearby. As such, we deploy multiple levels of protection for the benefit of our critters and for the neighbors’ gardens, considering their relative level of risk and need.The risk of predation is greatest at night, which is also when their need to roam (and our ability to supervise) is lowest, so we lock our beasties in secure enclosures before sunset. During the day, our critters have access to larger areas, but can still hide in their shelter if need be. Beyond that, our whole property is fenced in case they escape their individual enclosures. In each of the incidents I describe, no harm came to the critters because we had a series of barriers and alerts, so there was no one point of failure.We also can’t underestimate the psychological angle: our animals all know where their safe areas are and will go there if they feel they are at risk. If they get out of those areas, they quickly get our attention and we put things right.No matter whose statistics you use, you’ll find the majority of security breaches are due to human error. Those mistakes are often made by accident, not by malice. By understanding the risks, preparing for mishaps, and letting our users know they can come to us in times of trouble, we can make our workplaces safer for everyone. Related content opinion Of mice and malware Some of the most important training I got for a career in computer security research was not from a computer-related class, but in a biology class. While these two disciplines may seem entirely unrelated, the skills that are needed in both cases can By Lysa Myers Jul 03, 2019 6 mins Malware IT Skills Staff Management opinion Have we doubled the number of women in infosec? According to a recent (ISC)2 report, women now comprise 20% of cybersecurity workers. But without defining what jobs are being included, it’s unclear whether we’re truly making progress. By Lysa Myers Feb 11, 2019 5 mins Technology Industry IT Skills Staff Management opinion Has the word ‘breach’ has outlived its usefulness? When someone says a data breach has happened, it’s generally understood to mean that attackers have broken into a company and stolen sensitive information. But after a growing number of high-profile privacy gaffes, the definition of “brea By Lysa Myers Nov 28, 2018 5 mins Data Breach Technology Industry Data Privacy opinion Stop training your employees to fall for phishing attacks Training your employees how to recognize and avoid phishing only works if trusted emails don’t look the same as criminals'. By Lysa Myers Jul 10, 2018 4 mins Phishing Social Engineering Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe