Fresh approach to cybersecurity needed

The threats we face in cyberspace continue to advance at a breakneck pace and that is perhaps the biggest problem for those trying to secure our systems. Without a uniformly accepted set of metrics as a standard, it is nearly impossible to accurately gauge any change in volume, sophistication or success rate.  There are indications that the overall cost of cyberattacks on organizations has increased significantly this year to what some believe to be an all-time high.

We buy a firewall, install antivirus, apply patches and respond to cybersecurity events. That is the current cybersecurity approach for the vast majority of organizations, and some don’t do all that. 

Related coverage:

Don't be misled about Duqu malware

I am bothered by the growing frequency, level of sophistication and the type and volume of information stolen. I am most bothered by the seemingly continuous increase in cyber insecurity that is being driven by acts of cyber stupidity. Users continue to be fooled by e-mails with malicious links, fake security warnings on their screen and other common cyber attack modalities. I am not talking about the ultra sophisticated attacks. I am talking about the things you could put under the heading of we should have known better. 

The cyberattack vector I worry about most is insiders. By most accounts, they are by far the most damaging. In a recent conversation with a chief information security officer of a critical infrastructure provider, I showed him a stack of faxes (1.75 inches tall) that had come in over the past six weeks that were stacked up in plain view on a desk in a cubicle that was unassigned. These faxes contained sensitive, but unclassified in formation. I should also mention that a number of CDs were in plain view in cubicles on multiple floors during the cybersecurity scan. This is just inviting a problem; it only takes seconds to pick these items up. We get sloppy and make mistakes because security is not in the frontal lobes of the average user’s mind.

A change must take place in our approach to cybersecurity. We must integrate training with ongoing reinforcement of security policies and procedures. To do this, we must modify our mental models. Training is not an event; it is an ongoing process that must keep pace with the evolution of the cyber threat environment.  That mindset is very rare these days, but it must become part of the fabric of security – both physical and cyber.

“Due to the cat and mouse nature of cybersecurity, is no such thing as completing your training,” says Art Payne, the senior vice president and cofounder of cybersecurity training services provider Cypherpath.

That statement represents words security trainers should live by. Here are a few suggestions for how to manage information security in organizations:

• Put together a training matrix that identifies departments and job titles and what information security training they need. Then train the users to that matrix.
• Offer brown bag lunches where security officials present relevant topics that are in the news.
• Modernize your cyber defense technologies and put in place a budget that supports integration of new and improved cyber defense capabilities.

Implementing these three simple measures would increase the current level of cyber insecurity to a much more acceptable level. Here is the best part about it, two of the three cost nothing but an investment of a few hours of time from your cybersecurity staff. As for number three: you would not occupy an office that did not have locks on the doors, a physical security alarm systems and other protections appropriate to safeguard your corporate assets, would you? Then why do we have a different standard when it comes to cybersecurity and protecting our digital assets? It is just that simple.