Wash, Rinse, Repeat: The Increasing Importance of Cyber Hygiene

AAEAAQAAAAAAAAkzAAAAJGQ2Y2I4YmZjLTEzMzYtNGE1Mi05NTRmLWQxOTA0ZWZkM2UwMA

This post originally appeared on LinkedIn.

Anyone who has worked in the cybersecurity community for more than five minutes knows the infamous Pentagon jump drive story: An experiment was conducted to see how many people who worked in the Pentagon, headquarters for our nation’s national defense, would pick up a random jump drive in the parking lot and later insert it into their office computers.

The uptake rate was alarming. Hundreds of people ultimately “used” the random drives. If they had been infected with malware from a nefarious source, it could have been an absolute nightmare.

Many experts believe the Stuxnet virus, which slowed the development of Iran’s nuclear program, was introduced into the operation’s data network using a similar technique – an unsuspecting employee at the facility using an infected jump drive.

But defense and national security organizations are far from the only targets. According to analysis from Threatpost, inbox-based scams robbed U.S. companies of $263 million in 2015 alone.

When it comes to managing security on our global digital network, experts often say the greatest challenge is with the individual network users. It’s a PICNIC (Problem in Chair, Not in Computer). We can have all of the proper defenses and monitoring tools installed on our systems, but it only takes one end user to inadvertently circumvent that security and introduce a malware element from a criminal organization, an enemy nation state, or just a hactivist trolling for LOLs.

Understanding the risks presented by the people using the network, not just the network itself, is critically important to safeguarding our economy, our critical infrastructure and our national security.

But network security is extraordinarily complex and, unfortunately, complexity is the enemy of conformity and compliance when it comes to the human side of cybersecurity. Cyber hygiene involves not just ensuring our passwords are unique and updated frequently (20 characters! Really?), but also situational awareness concerning and understanding the numerous ways hackers attempt to gain access to networks.

Those working to infiltrate a network will always explore access through the weakest point of entry, and that usually involves an end user connected to the system – a human.  Therefore it is critically important that employees, service vendors and other parties with access to an organization’s network receive training and ongoing updates concerning their role in keeping the bad guys out.

Legislation recently introduced in Congress is designed to develop a set of voluntary best practices concerning cyber hygiene that can be used across our data networks. This is a critical first step in the government’s effort to become more involved in the human element of network protection while at the same time doing more to stop the bad guys before they get in, but it is only that – a first step. There is much more that needs to be done to automate our network protections, and mandatory actions have to be a part of the equation.

Consider the seat belt debate in the late ‘80s or the now seemingly resolved issue of smoking in public spaces. In both cases, it was deemed not only impossible to enforce rules or laws associated with these two issues, but also thought to be an infringement on an individual’s rights. However, the concern for the greater public good won out in the end, and laws curbing smoking and mandating seat belt use are widely accepted and vigorously enforced. We need the same level of government intervention when it comes to protecting our nation’s digital networks not from a punitive standpoint, but from a posture of awareness and engagement.

In the meantime, organizations have to be much more vigilant in communicating the importance of exercising good cyber hygiene by reinforcing best practices and alerting their network’s users when a cyber-incident is discovered and resolved. Training should be given to all new users of the network, including employees and vendors, and they should be required to take annual training to reiterate best practices and to increase their awareness of new threats. Those found guilty of multiple infractions over a period of time should be recommended for remedial training.

Ultimately, maintaining proper cyber hygiene is certainly about the operational wellbeing of any organization and the protection of sensitive data including client information and proprietary company data. However, it’s also about the long-term reputation of the business as a safe and sound operation that takes network security seriously. All it takes is one data incident, and for that matter one employee, to bring down an operation. Give your team the tools they need to ensure that the bad guys don’t use them to gain access to your crown jewels.

Corey Ealons is a partner with VOX Global, a former White House communications spokesperson, and co-chair of the VOX Cybersecurity Practice.

Tagged In

Cybersecurity

Wash, Rinse, Repeat: The Increasing Importance of Cyber Hygiene

AAEAAQAAAAAAAAkzAAAAJGQ2Y2I4YmZjLTEzMzYtNGE1Mi05NTRmLWQxOTA0ZWZkM2UwMA

This post originally appeared on LinkedIn.
Anyone who has worked in the cybersecurity community for more than five minutes knows the infamous Pentagon jump drive story: An experiment was conducted to see how many people who worked in the Pentagon, headquarters for our nation’s national defense, would pick up a random jump drive in the parking lot and later insert it into their office computers.
The uptake rate was alarming. Hundreds of people ultimately “used” the random drives. If they had been infected with malware from a nefarious source, it could have been an absolute nightmare.
Many experts believe the Stuxnet virus, which slowed the development of Iran’s nuclear program, was introduced into the operation’s data network using a similar technique – an …

Continue reading >

Tagged In

Cybersecurity

The Intersection

The Intersection is an in-depth series designed to help you anticipate and prepare for public policy challenges and opportunities.

View the Intersection

The latest from the blog

See all posts >