The future of cyber security depends on awareness and education, not software solutions, according to local industry members who participated in a Daily Transcript executive roundtable.
“The first line of defense is behavior, and we’ve got a long way to go,” said Ruben Barrales, president and CEO of the San Diego Regional Chamber of Commerce. The chamber is a founding partner of “Securing our eCity,” an ESET-led initiative to put San Diego among the most cyber-secure cities in America.
Software can be built to the limit of current technology, Barrales and others said, but it can’t prevent much if end users aren’t adequately educated on safe Web practices.
Darin Andersen, COO of roundtable sponsor ESET, said there’s no perfect solution, but the closest outcome would combine cutting-edge technology with layered defenses of behavioral education.
Metaphorically comparing the dangers of operating in cyber space with operating a car on the highway, he suggested a basic level of competency and education of end users that’s comparable to a driver’s license.
“People don’t know what they don’t know,” said Liz Fraumann, director of cyber security awareness and education for ESET, and the company’s point person for the Securing our eCity initiative.
Ken Hamilton, president of CMIT Solutions of Inland North County, said the degree to which employees are unaware of the danger they expose their employers to can be seen by tracking traffic to online retailers. After employees return from lunch, traffic to online shopping sites spikes, peaking around 1:30 p.m. Employees should never access e-commerce sites through work computers, he said.
A company’s exposure to malware through employees accessing social networking sites is tremendous as well, according to David Sherwood, COO of Regents Bank.
Earlier in the week, it was reported that Health Net (NYSE: HNT) exposed nearly 2 million current and past enrollees, including 845,000 Californians, to identity theft when their personal records were lost in a cyber security breach. The second major ping in the last two years for the Woodland Hills-based insurer, the breach occurred when company hard drives containing unencrypted data went missing.
Too many potential targets of hackers believe they’re safe from cyber threats, the panel said.
While too many individuals believe the large companies they entrust their personal information with take adequate cyber security measures, it’s also true that too many small companies believe they don’t have anything of value to hackers. And then there’s the problem of employees not knowing what online activities are safe to conduct on work computers.
“If we were aware of all the threats out there, many of us wouldn’t use the Internet,” said Camille Sobrian Saltman, president and COO of Connect.
Securing our eCity seeks not only to teach companies to control the Web behavior of their employees, but also to reach out to small companies to let them know that their employees’ Social Security numbers and other personal data is valued by hackers.
“To small companies, cyber security just sounds expensive,” Barrales said.
But for those small companies that understand the threat, it’s significantly easier to affect employee behavior.
“The message gets diluted for each filter it passes through before it gets to an individual employee,” Hamilton said.
Lou Kelly, executive board chairman of the Center for Commercialization of Advanced Technology (CCAT), said his organization, with its association with the Department of Defense (DOD), is approaching cyber security as a tech push, not an issue of awareness.
As in most matters of technology, the direction taken by the DOD directly affects the direction of the private sector, according to Kelly.
The DOD and Homeland Security are by far the most frequent targets of cyber attacks. CCAT is working to create a next-generation cyber platform within the DOD that moves from the current passive detection method to an active defense approach, Kelly said. Recently, it’s been discussed that the Defense Advanced Research Projects Agency (DARPA) would join the effort.
The personal computer era was not launched with cyber security in mind, according to Kelly. CCAT is attempting to take a step back, to see if a platform can be created in which it’s impossible to introduce malware to the operating system.
But the biggest change -- and thus the biggest challenge -- facing cyber security efforts is the move to cloud computing.
The cloud computing market is booming, Hamilton said, and small businesses are likely to be the earliest adopters, given its promise of providing the same high-end services enjoyed by large businesses, at significantly reduced costs. And while cloud servers are safer, due to their robust power and redundant resources, it isn’t necessarily the case that a move to cloud computing makes cyber security an easier proposition.
Despite the benefits cloud computing offers, the amount of information contained on its servers increases the reward of a successful hack.
“Different criminals pursue different criminal enterprises,” Andersen said, likening the criminals that will target cloud servers versus those that attack small business servers to the difference between organized crime and a pickpocket.
In fact, roughly 65 percent of organized crime rings are now involved in cyber crime, according to Fraumann.
Hamilton suggested that Congress might eventually have to pass legislation that establishes standards for public CIOs, similar to the Sarbanes-Oxley Act, which did the same for public company boards and management in reaction to the Enron and WorldCom scandals.
Darin Andersen, COO, ESET (Sponsor)
Ruben Barrales, President & CEO, San Diego Regional Chamber of Commerce
Liz Fraumann, Director of Cyber Security Awareness & Education, ESET (Sponsor)
Ken Hamilton, President, CMIT Solutions of Inland North County
Lou Kelly, Executive Board Chairman, Center for Commercialization of Advanced Technology
Camille Sobrian Saltman, President & COO, Connect
David Sherwood, COO, Regents Bank