It’s already been an exciting National Cybersecurity Awareness Month. This year, the month is more than “an annual campaign to raise awareness about the importance of cybersecurity,” as the U.S. Department of Homeland Security describes it: October began with bicameral congressional hearings into the high-profile cyberattack on one of the nation’s largest credit reporting agencies.
“Hearings into the Equifax breach that affected 143 million U.S. consumers could offer important, if painful, lessons on what companies should not do when it comes to protecting data and responding to incidents,” Washington Examiner stated last week. “The company reportedly made a half-hearted attempt to use available patches to seal up the vulnerability that hackers exploited … and [it] did not use Department of Homeland Security cyber-tools made available to all companies.”
The massive data breach at Equifax also highlights calls for enhanced cybersecurity, including a prescient appeal from an investigator at the U.S. Securities and Exchange Commission.
Where Legacy Fails
An SEC forensic unit warned of shabby cyber-defenses — hamstrung by insufficient training and equipment — a mere two months before the agency discovered an epic hack of its corporate filing system, according to Reuters last week. Instead of the necessary resources, the unit resorted to using obsolete and repurposed hardware.
And it’s not just the SEC. More than 70 percent of federal chief information officers said most of their applications are legacy systems, according to a Professional Services Council survey released last month. And weak points in old apps were among the top concerns of the CIOs suffering from increasingly frequent cyberattacks.
More broadly, 95 percent of federal employees and contractors want common cybersecurity standards across the government, according to a Telos report released last month. And 88 percent of respondents agreed on a specific framework that “effectively helps organizations manage risk.”
But that would only go so far.
Back To Basics
“Cybersecurity threats continue to increase in size and complexity,” Dark Reading stated last week. “But the real problem is that too many IT organizations are leaving their enterprises vulnerable to attacks because they overlook a number of simple tasks.”
Careless employees are the weakest cybersecurity link at small and medium-sized businesses in North America and the U.K., according to a Keeper Security and Ponemon Institute study released last month. This underscores the importance of cybersecurity basics, such as heeding security software warnings. (Find other best practices for 2018 in this TechRepublic list from last week.)
“CISOs, CIOs and boards of directors [must] think about cybersecurity, not just in the terms of the IT shops they run, but all products — anything that potentially exposes the company to a cyberattack,” GE Global Chief Information and Product Cyber Security Officer Nasrin Rezai stated in CSO last week. She looks at securing an organization in three areas:
- Operational Technology (OT): Take special care when connecting parts of the business that had been secure only because they were isolated.
- Consumer Devices: Instead of just thinking about how to secure each device, focus on protecting all of your enterprise’s assets.
- Readiness: Cybersecurity drills must ensure that everyone — from IT to manufacturing — knows what to do in case of a breach.
And a lot more is changing. In fact, you might not recognize cybersecurity in a few years.
The Revolutionary Future Of Cybersecurity
Students at the University of Central Arkansas will learn how to detect and defend against cyberattacks, thanks to a $500,000 grant last week to create a “cyber range.” And a startup in New York recently raised $8 million to ensure that cybersecurity credentials always remain with the user, authenticating people via biometrics, such as fingerprints and faces, as well as traditional passwords.
Keeping credentials with the user is a reason why U.S. Social Security numbers — once the holy grail for identity thieves — may be obsolete for national identification, according to the White House’s cybersecurity coordinator. That’s because victims can’t even change their numbers after they’ve been compromised.
“It’s a flawed system that we can’t roll back after a breach,” Rob Joyce said Tuesday at a cybersecurity summit last week. “The Social Security number has outlived its usefulness.”
Doing Our Part
Put in context — especially in the wake of 2017’s deadly hurricanes — a sufficiently massive cyberattack could be worse for U.S. infrastructure than hurricane season, according to an infrastructure security official at the Department of Energy. Deputy Secretary L. Devon Streit’s comments at a cybersecurity and infrastructure panel last week echo an upcoming department report comparing the hazards of natural disasters to those of cyberattacks.
“The most worrisome threat we face in the energy sector is cyber,” Streit said. Potential solutions in the works include a pilot program to declassify and share cybersecurity threat information with both government- and privately-owned infrastructure organizations.
More than a campaign, National Cybersecurity Awareness Month reminds us that there’s a lot at stake. And while others prepare to fend off future cyberattacks, the rest of us can use this month to refocus on best practices.
This story originally appeared on SAP’s Business Trends. Follow Derek on Twitter: @DKlobucher