Teaching cybersecurity akin to learning to drive


Decades ago, the auto industry fought tooth and nail against adding safety equipment. Teaching drivers was the way to make the roads safer, it contended.

There is a parallel in today's debate over improving cybersecurity. Last week, the Awareness and Outreach Task Force issued recommendations for raising cybersecurity awareness, with proposals ranging from public service announcements to a teaching tour for C-level executives.

"Generally, many private enterprises, public entities and home users lack the resources to adequately manage cybersecurity risk," the task force said in its report. "Internet users must be made aware of the importance of sound cybersecurity practices and given more user-friendly tools to implement them."

The task force falls under the auspices of the National Cyber Security Partnership, a coalition of trade associations including the U.S. Chamber of Commerce and the Business Software Alliance. Some critics say the recommendations frame security as a problem of users not knowing enough, rather than as a consequence of insecure products.

There is nothing wrong with the recommendations per se, said Alan Paller, director of research at The SANS Institute. But the recommendations' thrust is "users are stupid," he said.

For Paller, user awareness is about 25% of the problem; the rest is finding ways to minimize the security problems themselves. Rather than have the government mandate security outright, he suggests the federal government use its unique size as a technology purchaser to require that software vendors sell products meeting recommended levels of security. "It's the only big thing the government can do," he said.

For example, Paller said computers should come with virtually everything turned off. The user would then be prompted to download patches when turning on services. He'd also like to see a secure way for people to download software updates they can trust.

Currently, many users are caught out when they get a new system whose operating system already needs patching out of the box. "They get hit before they are able to download the necessary patches," Paller said.
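The "secure way to download updates they can trust" that Paller asks for comes down to one mechanism: the client ships with a vendor public key it already trusts, and it refuses any update whose manifest does not verify against that key or whose contents do not match the signed hash. The following Go program is an added example written for this page, not code from the article, from Paller or from any vendor; the package name, version string, update payload and the attacker's forged manifest are all constructed for the demonstration. It shows both sides of the exchange and the two failure modes a client must reject: a tampered payload and a manifest re-signed with a key that is not the pinned one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what the vendor publishes alongside an update: the package
// name, the version it installs and the SHA-256 of the package bytes.
type Manifest struct {
	Package string
	Version string
	SHA256  string // hex-encoded digest of the update payload
}

// canonical returns the exact bytes that are signed. A fixed field order and
// separator is essential: signer and verifier must hash identical bytes.
func (m Manifest) canonical() []byte {
	return []byte(m.Package + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

// Sign is the vendor side: hash the package, build the manifest and sign it
// with the vendor's long-term Ed25519 key (assumed to be kept offline).
func Sign(priv ed25519.PrivateKey, pkg, version string, payload []byte) (Manifest, []byte) {
	sum := sha256.Sum256(payload)
	m := Manifest{Package: pkg, Version: version, SHA256: hex.EncodeToString(sum[:])}
	return m, ed25519.Sign(priv, m.canonical())
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("package hash does not match the signed manifest")
)

// Verify is the client side. pinnedPub must ship with the OS image or the
// installed updater itself, never be fetched from the same server as the
// update, otherwise an attacker who controls the download also controls the key.
// The signature is checked first so that nothing unsigned is ever trusted,
// then the payload is compared against the hash the vendor committed to.
func Verify(pinnedPub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pinnedPub, m.canonical(), sig) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Vendor key pair; only the public half is baked into the client.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed update payload for the demo") // stands in for a real package

	// 1. Genuine update: signed by the vendor, payload untouched.
	m, sig := Sign(vendorPriv, "example-pkg", "1.0.1", payload)
	fmt.Println("genuine update:", Verify(vendorPub, m, sig, payload))

	// 2. Payload swapped in transit (or on a mirror), manifest left alone.
	fmt.Println("tampered payload:", Verify(vendorPub, m, sig, []byte("trojaned payload")))

	// 3. Attacker re-signs a manifest for the trojaned payload with their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	m2, sig2 := Sign(attackerPriv, "example-pkg", "1.0.1", []byte("trojaned payload"))
	fmt.Println("forged manifest:", Verify(vendorPub, m2, sig2, []byte("trojaned payload")))
}
```

The order of checks matters: verifying the signature before touching the payload means a client never acts on data that has not been vouched for by the pinned key. Downgrade protection (rejecting a genuinely signed but older version than the one installed) is a separate check a real updater also needs and is not shown here.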
