Is the Internet of Things safe? New ISACA Survey Shows Significant Perception Gap

As global use of connected devices, including those used for life-saving purposes, grows, a new survey from ISACA shows that there is a significant confidence gap between consumers and cybersecurity and IT professionals. In fact, while 64% of US consumers say they are confident they can control information conveyed through Internet of Things (IoT) devices, 78% of professionals say security standards are insufficient.

According to ISACA’s 2015 IT Risk/Reward Barometer, the number one IoT-related security concern for enterprises is data leakage. Nearly half of the more than 7,000 global professionals surveyed think their IT department is not aware of all of the organization’s connected devices (e.g., connected thermostats, TVs, fire alarms), yet 73% believe the likelihood of being hacked through an IoT device is medium or high. At the same time, 72% say that IoT device manufacturers do not implement sufficient security.

It is clear that further education and awareness efforts are needed. Now. The number of B2B IoT devices is expected to grow from 1.2 billion connected devices in 2015 to 5.4 billion in 2020. That is a lot of important personal and confidential data being shared, transported and used by often unknown entities.

On the flip side, there is a significant business risk if organizations do not embrace IoT. They may lag behind competitors and upstarts, and risk losing revenue and reputation. In addition, enterprises do gain value from IoT. Specifically, global survey respondents reported that the greatest benefits of using IoT are:
* Greater accessibility to information (44%)
* Greater efficiency (35%)
* Improved services (34%)
* Increased employee productivity (25%)
* Increased customer satisfaction (23%)

The key is to balance risk with benefits, and I encourage professionals and consumers to safely embrace IoT devices. To help do this, ensure all devices are updated regularly with security upgrades, take cybersecurity training, be wary about the information you share and stay alert for unusual behavior at all times. The future is bright. Or at least that’s what my connected watch tells me.

Rob Clyde, CISM
International Vice President and Board Director, ISACA
Managing Director, Clyde Consulting LLC

Note: ISACA’s annual IT Risk/Reward Barometer is a global indicator of trust and attitudes. The 2015 study is based on polling of 7,016 ISACA members in 140 countries and additional surveys among 1,227 consumers in the US, 1,025 consumers in the UK, 1,060 consumers in Australia, 1,027 consumers in India and 1,057 consumers in Mexico. To see the full results, visit www.isaca.org/risk-reward-barometer.

[ISACA Now Blog]

National Cybersecurity Awareness Month: YOU Have the Power to Change Cybersecurity

National Cybersecurity Awareness Month in October is the perfect time to reflect on what you’re doing to overcome the cybersecurity skills shortage. That’s right – you – personally. According to Dr. Jane LeClair, COO for the National Cybersecurity Institute at Excelsior College, the cybersecurity skills shortage is everyone’s problem, and we all have a responsibility to meet this need.

Dr. LeClair believes that in order to shore up the workforce, it’s essential to broaden the pool of candidates beyond typical populations (such as the military and IT). Dr. LeClair sees cybersecurity awareness – both its impact on our daily lives and as a career opportunity – as the perfect vehicle to achieve this.

So, rather than providing courses only to people who are pursuing a formal cybersecurity education and are on a professional track, the NCI offers both career-oriented education AND informal awareness courses and content.

By combining public awareness of cybersecurity issues with career-oriented education, the NCI is hoping to attract as many people as possible to the field. Through robust (often free) courses, such as “Introduction to Cybersecurity,” monthly webcasts and a daily blog, they are hoping to give people a voice to discuss issues that are important to them and an outlet for increasing their knowledge. Dr. LeClair challenges, “If cybersecurity is so vital in our daily lives, shouldn’t we all be doing everything we can to help?”

She states, “People can get complacent, so it’s important that we keep cybersecurity in front of them and keep it fresh. We know people are interested in these issues, and the informal learning piece helps them continue to learn as the industry changes.”

NCI’s ultimate goal is to teach people to like cybersecurity, whether they go on to pursue a career or just have their cybersecurity consciousness elevated. Dr. LeClair asserts, “Cybersecurity is a lifelong, daily learning opportunity. We want people to develop a personal enjoyment and passion for it in order to be strong, lifelong learners.”

The NCI is tackling the issue both from the bottom up and the top down. Through their MBA cybersecurity program, they aim to raise awareness at a managerial level. Dr. LeClair believes organizations have a deep need to realize how important cybersecurity is and that if management embraces the message, it will trickle down to all employees.

These programs are gaining a lot of traction, and Dr. LeClair knows they’re on to something. So, they’ve ramped up their National Cybersecurity Awareness Month efforts this year:

* Offer daily podcasts.
* Post a different game every day.
* Offer a free, live event on cyber law and cyber insurance.
* Post one case study per week that people can use within their organizations to get discussions going about cybersecurity.

It’s easy to think that by avoiding those links that could crash your company’s network and not falling for those emails from Nigerian princes, you’re doing enough. But what if we all had cybersecurity awareness ingrained in us? What if children began learning about cybersecurity as a career option early in school? What if cybersecurity education was accessible to ALL people, rather than just an elite group already on the path to a lifelong cybersecurity career? We could actually improve the global cybersecurity situation. For more information on the (ISC)² Global Academic Program (GAP), please visit https://www.isc2.org/global-academic-program/default.aspx or send an email to academic@isc2.org.

[(ISC)² Blog]

The Cybersecurity Canon: Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Steve Winterfeld: Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (2015) by Bruce Schneier

Executive Summary

Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World is Bruce Schneier’s manifesto on what should be done about the amount of data being collected on us and the controls around it. If, like me, you have been focused on information security, this book is a great exposure to the privacy issues our profession is facing. The book is more focused on policy than practical application, but it is worth the read for the background and ideas presented.

Data and Goliath is a call to action around two topics: first, the cultural acceptance of not owning our personal data or understanding how it is being used; and second, the difference between nation-state espionage and mass surveillance. Trying to reduce the themes of the book to just a couple of points is a gross oversimplification. This book belongs in the Canon due to the foundational and timeless issues it addresses for our industry. Finally, don’t let the 400-page length intimidate you, as the text of the book is only 238 pages with the rest being reference notes.

Review

Schneier’s first books were all about cryptography, and he has been part of developing multiple cryptographic algorithms. Over time, he has moved to broader security issues (Secrets and Lies is still a relevant foundational book today). Now, he is addressing national policy, market economics, and privacy expectations across demographics such as generational differences.

Data and Goliath is a call to action aimed at the U.S. While it addresses international issues and laws, Schneier acknowledges the fact that it is U.S.-focused. Some of this can be credited to Edward Snowden’s exposing of National Security Agency (NSA) documents. Schneier is a supporter of Snowden and his actions.

The book is organized into three sections: the world we are creating, what’s at stake, and what to do about it.

The world we are creating covers the types and the amount of personal data being collected (mass surveillance), how it is being used, and who is using it. This section provides the background and evidence for his positions and conclusions. He provides examples of cell phone providers tracking not just you, but who you are with; companies selling data on gullible seniors; and purchasing patterns revealing if you’re pregnant. In the last example, advertisements related to the pregnancy were sent to the family home, which is how the father found out his daughter was pregnant. One of the more interesting points covered is how long data is stored. How long does your phone company need to know where you were? Should they have the right to sell this info? Do you realize you have no rights as to how your personal data is used?

What’s at stake starts with political perspective (liberty and justice), commercial aspects (fairness and equality), and looks at privacy vs. security facets of the issue. Schneier proposes that mass surveillance by commercial companies or governments has chilling effects on social change, leads to censorship, and facilitates surveillance-based manipulation. Additionally, he points out examples of accusation by data after the fact, cases of institutional abuse, and governments stockpiling vulnerabilities or building in backdoors. He builds a strong case for what the NSA has cost U.S. companies in international business after Snowden revealed how they were collaborating. He does acknowledge the same would be true in other countries like China and companies like Huawei.

One key idea for me was: “Science fiction writer Charles Stross described this as the end of prehistory.” What is the impact of your actions being tracked and stored for the rest of your life? Do you want to have to explain your actions at 21 when you’re 45?

What to do about it provides actionable advice to governments, corporations and the average citizen. The book looks at social norms and big data trade-offs. This section talks about the security to surveillance trade-off and covers comparing police to national surveillance, as it pertains to protecting citizens. It looks at institutional vs. individual power and comes down hard on the NSA and FISA court. In fact, Schneier proposes that the Communications Security mission should be split off from the Signals Intelligence mission of the NSA and given to the National Institute of Standards and Technology. He calls for whistleblowing protection organizations and talks about how Snowden could not get a fair trial under the current system. Finally, he outlines concerns around movements to nationalize the Internet.

Here are the notable guidance references: Necessary and Proportionate principles, Executive Order 12333, Section 215 of the PATRIOT Act and Section 702 of the Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008, Communications Assistance for Law Enforcement Act, Posse Comitatus Act, Organisation for Economic Co-operation and Development Privacy Framework, European Union Data Protection Directive, The Code of Fair Information Practices, White House Consumer Privacy Bill of Rights, Madrid Privacy Declaration.

The key in this section for me was “Privacy-law scholar Peter Swire writes about the declining half-life of secrets.” The days of government secrets lasting 50 years until they were declassified are gone.

Here is his guidance: use encryption and systems, like Tor, to anonymize yourself. We should look for ways to avoid, block, distort and break surveillance. Institutions need transparency, accountability and independent oversight. His call to action: notice it, talk about it, and organize politically.

Schneier does acknowledge the benefits of mass data collection, like steering us away from traffic jams and how hard this issue is to address. What he is asking is that we have a transparent debate about what is socially and legally acceptable.

Conclusion

While Data and Goliath brings to mind the Internet enabling a surveillance state that Stalin wanted or Orwell imagined, it is also a must-read that provides you with the background and evidence to make up your own mind. While I didn’t agree with all of the arguments presented, I would not have developed my opinion if I had not been challenged by the ideas in the book.

This book should be read by anyone who has responsibility for the privacy of customer data.

[Palo Alto Networks Blog]

Cybersecurity Information Sharing Act Still Awaits Action in US Senate

Because October is National Cyber Security Awareness Month, conventional wisdom holds that the US Senate will consider cybersecurity information sharing legislation that was introduced in the spring. The Senate, however, has yet to schedule a formal vote on the Cybersecurity Information Sharing Act (CISA) (S. 754).

The proposed legislation aims to defend against cyberattacks through the creation of a framework for the voluntary sharing of cyberthreat information between private entities and the federal government. Companies may share threat indicators and defensive measures with the government, but they must institute appropriate security controls and remove personal information. Liability protection is available for companies choosing to share information, provided they implement the proper controls.

During his State of the Union address earlier this year, US President Barack Obama urged Congress to pass legislation focused on cybersecurity, including the sharing of information. The US House of Representatives passed two similar bills on information sharing in April: the Protecting Cyber Networks Act (PCNA) (H.R. 1560) and the National Cybersecurity Protection Advancement Act (NCPA) (H.R. 1731). One of the key differences between the House bills is that the NCPA only authorizes sharing with the Department of Homeland Security, while the PCNA provides companies the flexibility to choose to share cyber threat indicators or defensive measures with a number of different government agencies.

Before a conference committee can convene and iron out differences between the House and Senate versions, the Senate must act. Media reports indicate that the Senate will likely consider the legislation after it returns from a brief recess in the second or third week of October, but no firm plans have been announced. According to published media reports, the Senate is working to limit amendments in order to fast-track debate on the proposed legislation.

There is a deep divide on whether the CISA legislation should be passed. Some businesses and industries welcome the information sharing and liability protections the Act would provide. Privacy advocates, however, warn that the Act would put individuals’ private information in the hands of the US government.

Montana Williams
Sr. Manager of Cybersecurity Practices, ISACA

[ISACA Now Blog]

Lessons Learned from Active Duty and a Decade in the Cyber World

Note: Major General John A. Davis (Retired) recently joined Palo Alto Networks as Federal Chief Security Officer. The below is excerpted from an article appearing in Cyber: The Magazine of the Military Cyber Professionals Association. Read the full article here.

I recently retired from active duty after a 35-year career in the U.S. military, the past decade of which has been devoted to the sometimes mysterious cyber world. I’d like to offer some insight into the personal lessons that I’ve learned during my experience in helping to stand up U.S. Cyber Command and while working cyber policies and strategies at the Pentagon. Although I’ve learned many more lessons, the three that I’ve chosen to share in this article are, in my view, especially important for leaders in both the public and private sectors, because we are all becoming increasingly connected through modern information technology. This means we all share in the exploding opportunities as well as the escalating risks. Below are my top three lessons and I will attempt to add more context in subsequent paragraphs to help both government and industry leaders understand why all sectors of society should care about these key points:

  1. Strong teamwork and effective partnerships are essential to cybersecurity success.
  2. The world is changing dramatically and so too must the balance between opportunity and risk in the information technology decision-making environment.
  3. As more nation-state militaries become involved in cyber operations, we must shine more light on what they are doing and why, in order to set accurate expectations and prevent mistakes.

Lesson number one is about a real need for teamwork and effective partnerships. If I had to come up with a motto for this lesson it would be, “Make friends … lots of friends … you’re gonna need them!” If you think you can go it alone in the cybersecurity business, think again. Many different organizations, both public and private, have critical roles and responsibilities in the cybersecurity environment, but no single organization has all the skills, talent, resources, capabilities, capacity or authority to act effectively in isolation. It truly does take a team approach and strong partnerships to operate effectively. However, creating trusted, credible partnerships requires significant dedication of time and energy from the leadership of an organization.

Read John’s full article here.
Learn more about Palo Alto Networks solutions for government here.

[Palo Alto Networks Blog]