Government and industry may be looking in the wrong place when trying to beef up cybersecurity in their institutions.
A handful of government officials, industry employees and experts think the biggest problem in cybersecurity is in the training of the average person.
Cybersecurity has been on everyone’s mind in the past couple of years after a slew of cyber attacks compromised the personal information of millions of federal workers, regular citizens and military personnel.
The Office of Personnel Management hacks exposed 22 million federal workers’ information. The Target hackers stole financial information from 40 million people and the Navy’s unclassified computers were hacked by Iran in 2013.
At this point it’s hard to find someone who has not had some information taken from them by hackers.
The government has been trying to crack down. Defense Secretary Ash Carter announced the Defense Department would spend $35 billion on cybersecurity over the next five years.
The Homeland Security Department is working on the next iteration of its EINSTEIN program.
But programs and investments may not be what are needed. What government and industry really need is education.
The crux of the issue is that there is a gap between best practices and the training and knowledge in those best practices, experts said.
“This is pretty much a fact, if we use all the best practices that are already available to us, we would kill 80 percent of all breaches,” said Mike Echols, director of DHS National Protection and Program Directorate, Joint Program Management Office, at a March 11 OSIsoft event in Arlington, Virginia.
“The problem is we don’t all have the same education, we don’t all have the same amount of resources, we aren’t all taking the same levels of risk,” he said.
Linus Barloon, director of cybersecurity for the Senate Sergeant at Arms, has a similar philosophy.
“It’s easy to scan a device for a patch. It’s much more difficult to understand, ‘What does a user not understand?’” Barloon said at a Red Seal event last month.
Barloon said during an audit he performed, he asked users who they would call if they were hacked. Zero of the 15 people knew who to call.
“If the user doesn’t tell [the right person] there’s a problem the perimeter has changed. The simple phone call of ‘I think I’ve been breached, I think I’ve been hacked,’ however the user explains it. That starts a new set of detect, react and recover responses,” Barloon said.
Government officials have said they are feeling a talent slump when it comes to tech-savvy employees entering the public workforce. But when it comes to cybersecurity, the private sector is dealing with the same problems as government.
“This is one of those areas where government and industry are quite well aligned,” said Steve Sarnecki, vice president of federal for OSIsoft in an interview with Federal News Radio. “They both don’t know it and they both might resent being put into that same boat, but they are struggling with the same problem, which is the proliferation of information, the reduction in the number of people.”
Experts said government and industry want their reduced workforce to focus on their hired skills and not constantly on cybersecurity.
At the same time, cybersecurity training is often pushed off and ignored. Employees may multitask while going through mandatory training.
Echols said government and industry need to explain why cybersecurity is important to employees.
“It’s not as simple as taking an IT compliance course because the CIO or the CISO says you must do it, it’s taking that course and understanding that this is going to help me do my part on the team,” Echols said. “The first key is to help people understand why it’s important to them.”