INDUSTRY INSIGHT

Cybersecurity is a team sport, but it’s no game

We can all do something to address the growing cybersecurity challenge. Individual users, small departments and large agencies alike can take steps to improve our individual and collective cybersecurity posture.

It is estimated that roughly 80 percent of exploitable vulnerabilities in cyberspace are a result of poor or nonexistent cyber hygiene -- the basic, fundamental protection measures that improve defense while making it more difficult and more expensive for the bad guys to perpetrate an intrusion.

Additionally, the proliferation of mobile devices and the increasing desire of the workforce to use their personal devices for work add to the challenge of personal and corporate cyber risk management. Unfortunately, many users still do not know what to do to better protect themselves and their devices. With agencies’ often-limited resources to devote to cyber protection, it is essential that their employees have access to reliable information to enhance their cyber protection profile.

Building upon the good work and content provided through US Stay Safe Online and UK Get Safe Online, agencies can teach users of all levels of sophistication about measures that will reduce the risk of cyber intrusions. Managing passwords, installing software updates and not opening links and attachments contained in unrecognized or untrusted emails will help us all move to a sustained security culture.

While basic measures of cyber hygiene alone will by no means totally solve the cybersecurity challenge, implementation of such measures will raise the bar of protection and contribute to improved security and resilience.

For larger agencies, the challenge is more difficult, and simply buying every new tool may not be productive. Rather, by taking a true enterprise risk management approach, with oversight and priority affirmed at the senior level, the culture of security can permeate the agency. Training employees and periodically testing the environment will also help reduce the impact of phishing attacks, which remain a key tactic adversaries use to gain unauthorized access to personal, small agency and enterprise networks.

Examining the economics of cybersecurity will better prepare agency risk managers to make informed decisions around investments in cybersecurity. Two white papers prepared by the AFCEA Cyber Committee explain the factors influencing cybersecurity investment across different threat levels:

“The Economics of Cybersecurity: A Practical Framework for Cybersecurity Investment” and “The Economics of Cybersecurity Part II: Extending the Cybersecurity Framework.”

What else can we do?

Long overdue is a joint, integrated, public-private operational capability that relies on information sharing, analysis and collaboration to achieve timely, reliable and actionable cyber situational awareness. Such a system could identify patterns and trends of abnormal, anomalous, or even malicious network behavior and issue alerts to improve detection, prevention and mitigation of cyber events. Agencies such as the National Weather Service and the Centers for Disease Control and Prevention both provide real-life, tangible models of how to leverage technology and information sharing and analysis to improve protection and reduce the risk of serious impact.

Also essential is a true National Cyber Incident Response Plan that identifies the roles and responsibilities of public and private sector entities during steady state as well as times of escalation of a cyber event. It should be a dynamic and evolving affirmation of the rules of engagement, and be periodically tested to identify gaps and areas for improvement.

It is clear that all of us can take steps to address the growing cybersecurity risk. Whether small agencies implement low-cost measures to improve their cyber hygiene and raise the bar of protection or a larger enterprise with a broader risk surface takes an enterprise risk management approach, there is an opportunity for all of us to contribute to improving security and resilience in cyberspace.

By raising the overall bar of cyber protection, it becomes more difficult and more expensive for cyber criminals and other nefarious actors to achieve their objectives. Cybersecurity is a team sport, and working together we can make a meaningful difference. It is time for all of us to do our part… let’s get to it.