(Continued from page 1)
differently from their peer group, flagging "anomalous behavior" without conducting a witch hunt, Powers explained. It's not simply a matter of notifying the "person of interest," but demonstrating to them that you are watching, he said. That creates a psychological constraint that should deter wrongdoing.
Corporations can shift resources more readily to cyber-defenses than can state governments. In this respect, government lags the private sector. "Our surveys show the average spend [on cyber-defense] across the states is about 2% of the total IT spend," said Doug Robinson, executive director of the National Association of State Chief Information Officers (NASCIO). Contrast that with the 14% of IT spend the Federal government is devoting to cyber-security, or the 5%-8% of IT spend typical of the private sector.
"All governments and legislatures understand the security issue. They do not understand the aggressive nature of the threat," Robinson said. The effectiveness of the security spend is the challenge, since there is a "lack of integration between the business risk and the budget allocation," he added.
Cyber-security is a "never-ending journey," since the threat keeps on changing, Robinson noted. Recruiting the needed cyber-security people is a challenge since state and local governments can't compete with the private sector on salaries. The result is a "talent crisis" for state governments, Robinson said.
States are comparable in revenue to large global corporations, or even small nations. (If California were a country, it would have the world's seventh-largest economy, Robinson quipped.) Each state is a huge repository of personal information for millions, or even tens of millions, of citizens, making the states hack-worthy targets.
Despite shortcomings in hiring and funding, there are steps states can take to improve their cyber-defenses. States can undertake consistent employee and contractor training to help avoid the mistakes that open access to IT systems. "It has to be a regular program delivered in digestible chunks," Robinson said. "It can't be one day every year."
Diagnostics and analysis can improve "defense in depth," spotting cyber intruders and shutting down their access to other parts of the data pool, Robinson added. States can also partition and classify their data, designating who has access and who does not.
It will take many steps to improve cyber-security, Robinson added. "It's not one silver bullet."
Raise the Bar
"People are starting to understand this is whack-a-mole," said Bill Stewart, executive vice president at consulting firm Booz Allen Hamilton. The best possible outcome in this scenario is a stalemate between the adversary and the cyber-defense. This breaks down as data grows exponentially, which is expected when the Internet of Things becomes commonplace. Stewart added that the whack-a-mole approach won't work for most companies. "There are not enough people," he said.
Security is a game of catch-up, since nothing is built at first with security in mind. That feature adds to cost. "We're adding these things on after the device is created. That is not optimal," Stewart said.
No matter how much security one adds, the enterprise will always be a target for cyber thieves. To paraphrase bank robber Willie Sutton, you hack a company because that's where the data is. "As long as there is value [to protect], there is no perfect security system," Stewart said. "But you can raise the bar."
The act of "raising the bar" means making it harder for the cyber thief to break in. That forces him to expend more resources to do so. If the resource cost becomes too high for the bad guys, some will drop out of the game.
Raising the bar could mean relying more on biometric log-on, or better credential management to limit access to data. Yes, this adds cost -- perhaps 5% to 7% -- but, as with much of IT, costs go down over time, Stewart noted.
You can even mitigate risk on the human side. "Educate the users so they are not as dumb as they once were," Stewart said. Simply getting workers to read an e-mail message before clicking on any attachment can be enough to thwart a spear-phishing attempt. With a phishing attempt, "there is always something wrong with them," Stewart pointed out. "They are not perfectly disguised." Companies can even test their employees by sending them "false phish," which when clicked would flag that employee for additional training.
Again, there is no single security fix that solves all problems. "You can't keep them out. But you can raise the bar," Stewart stressed.