Voluntary compliance just isn’t enough for cybersecurity measures

Suggestions to follow cybersecurity guidelines aren’t sufficient

An opinion piece by Douglas James


There’s a huge push, at both the legislative and private-sector levels, to rapidly increase cybersecurity competence across the board. In the United States, we witnessed three harrowing infrastructure attacks over the past several months: SolarWinds, Kaseya, and the Colonial Pipeline. While eventually contained, they demonstrated two serious facts: infrastructure attacks are on the rise, and there are not enough experts to mitigate strikes of this scope.

From legacy systems to outdated views on security, what led to these successful attacks is a nest of issues. A society-wide appreciation of why cybersecurity matters just isn’t there yet, combined with a serious lack of cyber and IT experts in the appropriate fields. This coincides with the surge of malicious attacks on every important sector, from complex phishing schemes to dangerous ransomware deployments. And, unlike the days when such operations were carried out by trained government entities, the ability to hack has grown into something downright commercial.

Meanwhile, a comparable level of accessibility isn’t present in the cybersecurity realm. Yet.

What improvements can we expect to see in cybersecurity?

Early in 2021, the Biden administration started an aggressive effort to renovate cybersecurity infrastructure, mainly in response to the three major attacks I mentioned. The details of said effort involved injecting financial resources into a fledgling cybersecurity infrastructure while calling on enterprises to increase their training efforts for a renewed expert workforce.

You’ll notice the wording here: calling on enterprises. In other words, private businesses and agencies. Right now, major tech giants like Google, Microsoft, and Amazon are on stage to lead a campaign for both improved security awareness and training. While it is indeed significant for tech leaders to take charge of cybersecurity, thereby inspiring other businesses to follow, it’s only one piece of the entire defensive puzzle.

As for concentrated efforts, they vary from company to company. In the case of Google, for example, the company aims to hire and train a minimum of 100,000 staff who are experts in cybersecurity, educated via the Google Career Certificate program. Google also intends to invest $10 billion in cybersecurity efforts. Then there’s Amazon, seeking to invest $20 billion while requiring all AWS-based devices to have multi-factor authentication.

Cash can’t fix it all

A couple of things, though. First, notice the intent is to “invest billions,” which is essentially tossing cash at the problem. How many fires have been put out by launching dollars into them? Not quite the same thing, I know, but you understand the metaphor. Secondly, it puts the onus of control and defensive measures in the hands of private entities.

While suppliers, private enterprises, and companies absolutely have a responsibility to improve cybersecurity measures, this places the majority of control in their hands. The reality, though, is that cybersecurity must be a joint effort. And, arguably, a regulatory one. Naturally, given the pushback against regulation in all sectors, it’s easier (for now) to let businesses handle the cybersecurity approach while minding advisories and security strategies. But what this implies is that enforcing standards and security measures is ultimately voluntary.

“Please be secure, that’d be great”

Here’s the problem: as it stands, the demand for better cybersecurity is voluntary. Additionally, a lot of it is simply tossing cash at the problem. There’s more to cybersecurity than asking nicely and handing out money for “better defense.”

The thing is, cybersecurity standards are not mandated. CISA, federal experts, and the FBI have recommended guidelines for every enterprise to follow. However, any entity can ultimately ignore those guidelines, regardless of their importance. And even if a business does adopt those guidelines and enforces its own policies, that’s no guarantee staff will follow through.

In remote work environments, according to a study, some staff intentionally work around cybersecurity requirements, while home distractions cause unintended lapses in cybersecurity judgment. So, on one hand, some might outright ignore cybersecurity guidelines depending on the rule. And that’s only if an enterprise elects to follow cyber guidelines and recommended security strategies in the first place.

Let’s be real: we’ve seen a pandemic ravage the world because working adults couldn’t be bothered to follow suggested safety guidelines. When you imagine that same lack of awareness and responsibility in the cyber world, you get problems. Problems like major enterprise breaches, data loss, financial damages, and threats to personal security and privacy.

Implementation of mandated policies, at least to some degree, is necessary for the health and safety of cybersecurity ventures.
