October might be more commonly known for football, Halloween and kids trick-or-treating, but in the U.S. it is also National Cyber Security Awareness Month. Cyber threats are anything but harmless goblins one night a year and improvements in basic cyber blocking and tackling will make a meaningful difference. This is a critical topic, and while many of the discussions this month will focus on what organizations need to do to combat cyber threats, we need to continue a robust discussion about the role of individuals and governments in thwarting cyber attacks.
Today, approximately 80 percent of exploitable vulnerabilities are the direct result of poor or no cyber basics(1). But with some proactive and diligent practices – good security hygiene – there are simple actions each of us can take to guard against cyber threats.
#1: Stop, drop and don’t click if you don’t trust
Addressing the challenge of improving basic cyber hygiene presents a huge opportunity to positively impact the cyber protection profile for individual users; small businesses; the academic and non-profit community; as well as larger enterprises. Teaching users not to click on links or attachments from untrusted or unknown sources can help reduce the impact of phishing attacks, which today continue to present one of the most frequent…and successful attack vectors for gaining unauthorized access.
Additionally, basic fundamental protection steps such as periodic password changes; installing and updating anti-virus and anti-malware software; enabling firewall security; and ensuring regular operating system updates will also contribute to improving your cyber hygiene and overall cyber protection.
#2: Implement a National Education & Awareness Campaign
A comprehensive and sustained national education and awareness campaign will help educate users of all levels of sophistication on how to better protect themselves in cyberspace. No one wants their identity stolen, their credit card information hijacked, their business intelligence or intellectual property pilfered…but many folks just do not know which steps or tools are the most effective, productive, and affordable and will actually make them safer and more secure.
Let’s build on the momentum of this month to bring industry, government, academia, non-profits, and other stakeholders together to develop and deliver messaging that raises awareness about the threat and about the common-sense, practical, and affordable steps that all of us can take to improve our individual and collective cyber protection.
#3: Create a National Weather Service (NWS) for Cyber Security
Drawing upon the experience and lessons learned from the evolution of the National Weather Service, we should create a joint, integrated, public/private operational capability that has the ability to leverage information sharing, collaboration, and data analysis so we can identify and get ahead of emerging cyber threats in order to mitigate the risk.
The model used by the NWS proves that by collaboratively utilizing technology and data analysis, we are capable of achieving timely, reliable, and actionable situational awareness…during steady state and through thresholds of event escalation. Such awareness helps to identify patterns and trends of abnormal or even malicious network behavior, and permits the issuance of information such as alerts, warnings, and even recommended protective measures to proactively improve the detection, prevention, and mitigation of risks.
We will achieve greater success against cyber attacks if we leverage an integrated approach that includes industry, federal cyber centers and entities, state and local governments, along with our international allies. These efforts are essential to improving the detection, prevention, and mitigation of cyber events that may become incidents of national or even global consequence.
#4: Match the legal environment with the real world threat environment
The threat level in today’s world is as high as ever. Yet our legal environment struggles to keep pace with these real-world threats. To change this, there needs to be a comprehensive examination of the current laws and regulations so that they reflect the needs of a digital world, while promoting economic growth and providing privacy and protection of civil liberties.
Several pending pieces of legislation attempt to address important issues such as information sharing; timely, reliable, and actionable situational awareness; liability protection; and privacy. It is important to have a broader view of the entire legal framework governing cybersecurity and critical infrastructure protection.
We put safeguards in place to ensure our little ghosts, cowboys and superheroes have a fun Halloween. Taking simple yet proven steps for cyber security hygiene can also ensure a safer online experience.
(1) Debora Plunkett, director of NSA’s Information Assurance Directorate (IAD)