When I watch feats of great achievement, when a team of folks row across the Atlantic blindfolded, or hop to the Antarctic wearing nothing but a smile, I wonder how they must feel as they start this adventure. I’m sure it commences with a conversation about an opportunity to do something new, something different, something that will change things for the better. The enthusiasm will be high, the commitment will be there in words and then a plan is developed. This plan, which starts with training, commences. Research is undertaken, risks are investigated and before they know it the day has come to get started. Off they go, motivation, energy and commitment as high as possible. They are given a great send-off by all those around them and then it begins. After a few hours, maybe a couple of days, that launch euphoria starts to wane, the memories of the initial enthusiasm fade and the true realisation of what they face starts to dawn. This is not going to be as easy, or as straightforward, as they first considered – despite all the training, all the preparation, all the meetings. That is how the cyber world appears to be feeling this week.
This malaise was echoed on the Tech Times website, which discussed how many US government department websites still have major cyber security concerns. I don’t mean to single out the US here, as I’m sure the government websites of many countries have similar issues, but the tech and cyber security news does seem to have a very heavy US bias. The site references a report published by an organisation called SecurityScorecard, which undertook research to uncover the vulnerabilities of US government organisations. The data revealed that, out of all of the industries examined, ranging from health care to hospitality, the government ranked last in terms of cybersecurity.
They ranked the departments with a rudimentary grade from A through to D, but indicated how the grades can fluctuate greatly. For example, IRS.gov had been near an “A” rating during the October through March period. However, it fell to a “C” following a reported data breach. Researchers say it’s been showing improvement as its security has remained effective. They did note that the top performers had a few characteristics in common. Primarily, they excelled in the areas of application security, password disclosure and patching. It appears that some good work has been done, but there is still plenty more to do.
In a similar vein, the website AutomatedBuildings.com discussed cybersecurity as no longer being a ‘nice to have’ but an essential part of doing business. They discussed at length the liability and legal aspects of this issue, noting, as many others already have, that cyber security is not just a technical issue. However, they were keen to state that, “The value of taking additional measures and procedures to increase the cyber security posture of your systems, far outweigh the risk of not making them secure”. This journey towards cyber utopia is much longer and far harder than I’m sure many initially thought it would be.
The Business Insider website continued this theme with an in-depth discussion on how hackers are targeting critical national infrastructure services, highlighting how on December 23, 2015, hackers took down the power grid in a region of Western Ukraine, triggering the first blackout ever caused by a cyber-attack. Although attacks against critical infrastructure have not had the same level of success and sophistication as the attack in Ukraine, there is a growing concern that, because control systems are increasingly being connected to the internet, we may see more successful attacks before the issue is completely resolved. When these control systems were put in place, decades ago, cyber security was not a major concern, so they are in a retrospective correction phase that could not have been predicted when they commenced their ‘connected’ journey.
The one piece of news that didn’t seem to have that feeling of mid-journey malaise about it was one from the news site CNBC, which pointed out a modern interpretation of the old saying that ‘every cloud does have a silver lining’. Huge data breaches are good for some people – and not just the criminals – but for those who hold shares in cyber security companies. They point out that during the period since Jan 2011 the public IT security sector outperformed the stock market by more than two times, and outperformed the market by about five times in the month notable breaches were made public.
To all of those working in cyber, keep on going, one day at a time. It’s going to be tough and it’s going to be frustrating. You may not feel fully prepared and there will be risks you didn’t expect. If it does get too much, then perhaps do something a little easier – like row across the Atlantic, blindfolded!
For links to all these stories and more, or to contribute with some comments, join us by searching for the National Cyber Skills Centre on our social channels of Facebook, LinkedIn and Twitter, or just click the relevant links from our website.