I again find myself reviewing Michael Kassner in TechRepublic. His June 23 article does a great job explaining why we are currently losing more battles than we are winning in the realm of cyber-security. The problem is that we live in disruptive times. The Internet has completely changed the balance of power, and the bad guys, quite frankly, are more willing to learn how to exploit the technology, and are more nimble and quicker to adapt than the good guys are.
Some examples of how our leadership is failing at this game are recounted: Senator Ted Stevens, the chairman of the Senate Telecommunications Committee, and his famously hilarious explanation of how the Internet is a series of giant tubes. Or the Supreme Court, where telecommunications and cyber-security laws go for judicial review, and how the justices “haven’t gotten around to email yet.” Or how President Obama, our Blackberry-wielding “technology president,” after listening to an NSA briefing, asked to have it repeated “in English this time.” How can we expect useful laws or cogent policy out of a group of tottering fossils who just don’t “get it,” and more problematically, don’t want to?
The problem is that there is a huge cyber-awareness gap not just in the government, but throughout the business, professional, and educational ranks of everyday computer users as well. This is not a gap that the cyber-criminals share with their targeted victims. The bad guys are going back to school, so to speak, and learning what they need to know to prevail. They continue to improve, upgrade their skills, and become more dangerous. Unfortunately, the vast base of cyber-targets and cyber-victims sits idly by hoping nothing bad will happen to them, explaining weakly how they are “computer illiterate,” and yet avoiding all opportunities to learn new skills and become “computer savvy” instead.
And what about people like me who are trained in computers, networks, and cyber-security? What happens when we advise our employers or clients about these vulnerabilities, and we offer solutions or improvements that would help secure these digital assets? Well, mostly we are ignored or dismissed. It is too expensive, not in the budget. It is too complicated. And God forbid that it would require employee training – there is no training budget either.
I have used this analogy previously in other articles I have written on this subject. We have all developed a fairly high level of competency around another complex piece of technology – the automobile. We all learned how to drive, and we all learned some basic maintenance techniques, even if we let others do the actual work. We all learned how to drive safely, how to drive defensively. You NEVER hear someone admit that they are a bad driver, an incompetent driver, or that they are “automobile illiterate,” do you?
What is my point? The way to cyber-security is through caring enough to learn what you need to know to be computer savvy. You need to want it, just like your 16-year-old self wanted that driver’s license and the car that came with it. You need to want it not because it is your future, but because it is your present. Because your banking and investments, credit cards, medical records, tax records, and everything else are in computer databases somewhere, and you need to know how to protect those assets. Because if some bad guy gets into your account, it is probably because you fell for a spoofed email, clicked on a link, and gave the bad guys your user name and password.
Want to beat the bad guys? Then go learn how! Every school district has Community Education classes that cover topics like computer security. And I am sure there are resources in other places as well. Go find them, enroll, and learn how to defend your digital life from digital thieves. Because if you are waiting for the government to help you, it ain’t gonna happen.
What about you, the business owner? Well, a great start would be to train your employees how to recognize simple email and web exploits and avoid them. Computer intrusion losses come to $1500 per year per employee. There is your training budget – and then some. The fact is you are already paying NOT to be secure. Why not spend the money where you should, instead of where you already are? With the money you save, you will be able to budget for the other items and solutions your IT staff is telling you that you need.
About the Author: I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com