
Lack of cybersecurity awareness linked to CIOs

Widespread security “ignorance” may soon change as calls for executive accountability grow louder.

This article can also be found in the Premium Editorial Download: Information Security magazine: Defending against the digital invasion

With all the defenses thrown at information security, most organizations are just a click away from an employee downloading potential malware and undetected viruses. Yet, according to a CompTIA survey of HR professionals, only one-third of U.S. organizations require cybersecurity awareness training for employees. And in more than half of the companies surveyed, it’s the CIO or director of IT who decides whether to provide mandatory security training. What exactly is going on?

Spear phishing is suspected as the lynchpin that started the Sony Pictures Entertainment hacking incident -- an employee likely opened a targeted email and clicked on a malicious link. The hackers stayed in the movie studio’s network undetected for months, according to several reports, including a detailed account in Vanity Fair, mapping the infrastructure and preparing to hold the company’s data “hostage.” The attackers made their presence known in late November with vague demands, and then released humiliating data publicly over several agonizing months in a series of eight information dumps.


Think you’re immune to this type of scenario? Not so, warns the SANS Institute’s CTO Johannes Ullrich, who heads the Internet Storm Center, in his cover story on emerging cyberthreats. Crypto ransomware, which has proved lucrative for attackers, is likely to target more enterprises in the year ahead.

In addition to preventive strategies like education, security researchers such as White Ops’ Chief Scientist Dan Kaminsky are talking about faster detection and response to socially engineered intrusions. Sally Johnson interviewed Kaminsky for her article on the dynamics of social engineering and found a shift in defense strategies toward data-centric protection mechanisms.

Lack of cybersecurity awareness is becoming less acceptable. In addition to calls for shareholders to hold the top executives accountable for costly data exposures, similar tactics can be employed with third-party vendors. Organizations should require the CEOs of contractors to sign off on all service-level agreements, Rebecca Herold tells Marcus Ranum in a wide-ranging Q&A on data security and privacy best practices. Herold, CEO of the Privacy Professor, has conducted numerous surveys for clients that indicate third-party IT technicians who are responsible for enforcing service-level agreement security measures have no idea what’s actually been promised in the respective agreements.

While companies continue to throw money at information security, many enterprises could get away with fewer security staff if they focused on getting the basics right. At least that’s the view held by John Pescatore, SANS’ director of emerging trends, who feels that way even though he works for a global security training and certification institute. Technology journalist Alan Earls interviewed Pescatore, among others, for his in-depth look at cybersecurity hiring trends.

So what’s the upshot of all this? Little to no training, lack of cybersecurity awareness, and being uninformed are no longer tolerable excuses for vulnerabilities that expose organizations, and the sensitive data they are responsible for protecting, to damaging breaches, even when the security weakness is traced to a third party. As Derek Bok, who twice served as Harvard University president, once said: “If you think education is expensive, try ignorance.”

This was last published in April 2015


The problem we face here is that security is always someone else's problem. By which I mean MY desktop is secure, MY network is secure and if the system fails, it's YOUR fault.... Or at least it's your JOB, certainly not mine....

The solution isn't as simple as simply locking the door behind us (my job). Or installing better doors (your job). There's an enterprise-wide awareness that's missing. Call it ignorance if you like, but I think the problem runs much deeper.

The real problem is that the solution, all the solutions, are fundamentally flawed. No matter how carefully we lock down everything, it's really - be honest, REALLY - very easy to pry open again. And being unaware of that is something much worse than ignorance. Intransigence, Obliviousness.

We need a new solution. A better solution. If that's coming from the C level, it needs to be fixed fast. Just learning that we have a problem or learning to slam the same door a bit tighter is false security.
