
Have we reached a cybersecurity “turning point”?

Feb. 13, 2014
This week the Obama Administration officially unveiled a national (and voluntary) “Cybersecurity Framework” that aims to get private industry and government to strengthen the security and resiliency of critical “cyber-infrastructure” via public-private cooperation.

The result of a year-long, private-sector-led effort, the “Framework” was touted by President Obama this week as a voluntary “how-to guide” for organizations in what’s being called the “critical infrastructure community” to enhance cybersecurity.

“Cyber threats pose one of the gravest national security dangers that the United States faces,” the President explained in a written statement. “While I believe today’s Framework marks a turning point, it’s clear that much more work needs to be done to enhance our cybersecurity. America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet.”

The National Institute of Standards and Technology (NIST) consolidated a year’s worth of private sector input into this voluntary “Framework” broken down into three sections – Core, Profiles, and Tiers – aimed at several distinct groups:

  • The “Core” is a set of cybersecurity activities and informative references that are common across critical infrastructure sectors. The cybersecurity activities are grouped by five functions – Identify, Protect, Detect, Respond, Recover – that provide a high-level view of an organization’s management of cyber risks.
  • The “Profiles” can help organizations align their cybersecurity activities with business requirements, risk tolerances, and resources. NIST said companies can use the “Profiles” to understand their current cybersecurity state, support prioritization, and to measure progress towards a target state.
  • The “Tiers” provide a mechanism for organizations to view their approach and processes for managing cyber risk, NIST noted. The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor in risk management practices, the extent to which cybersecurity risk management is informed by business needs, and its integration into an organization’s overall risk management practices.
  • Though the adoption of the Framework is voluntary, the Department of Homeland Security (DHS) has established the Critical Infrastructure Cyber Community (C3) Voluntary Program as a public-private partnership to connect companies, federal, state, local, tribal, and territorial partners to DHS and other federal government programs and resources that will assist their efforts in managing their cyber risks.

The “Framework” comes at a good time as many companies both within and without the trucking industry keep struggling with cybersecurity needs.

Take this recent survey of 600 security and information technology (IT) executives by SafeNet Inc., which found that only one-fifth (21%) are currently doing any encryption work in their virtual environments to protect critical data.

Beyond encryption and cryptographic key management being technically challenging for IT professionals, the survey results also suggest that businesses do not have the staffing levels required to support a consolidation project, SafeNet found, with 60% of respondents saying they had fewer than five people involved in encryption management globally. In addition, nearly one-third (27.5%) said they had more than 10 business applications that required encryption.

"The adoption of new technologies – such as big data, mobility, and cloud-based services – has pushed data center consolidation to the top of the priority list for many businesses. Yet it is clear that security concerns combined with a lack of resources are hampering the progress of such transformations," noted Prakash Panjwani, senior vice president and general manager at SafeNet.

“Any shift in infrastructure can be daunting for IT professionals,” he added. “However with data now stored across a hybrid IT landscape – including on-premises, on mobile devices, and in the cloud – security teams need to move away from traditional approaches and adopt new encryption technologies that support today's dynamic data center and service provider environments.”

Yet the need for a wide variety of “cyber defenses” such as data encryption is only going to grow. For instance, in the first Cyberthreat Defense Report compiled by research firm CyberEdge Group, LLC, which surveyed more than 750 security decision makers and practitioners, more than 60% said they’d suffered a cyber “breach” in 2013 with a quarter of all participants citing a lack of employer investment in adequate defenses.

The report, sponsored by Palo Alto Networks and several other information security vendors, offered some other insights about the growing private sector concerns regarding cyber-threats:

  • Concern for mobile devices: Participants were asked to rate, on a scale of 1 to 5 with 5 being highest, their organization’s ability to defend against cyber-threats across nine IT domains. Mobile devices (2.77) received the lowest marks, followed by laptops (2.92) and social media applications (2.93). Virtual servers (3.64) and physical servers (3.63) were deemed most secure.
  • The BYOD invasion: By 2016, 77% of responding organizations indicate they’ll have bring-your-own-device (BYOD) policies in place, with 31% already having implemented BYOD policies and 26% to follow within 12 months, while another 20% will follow within two years.
  • Inadequate security investments: Although 89% of respondents’ IT security budgets are rising (48%) or holding steady (41%), one in four doubts whether their employer has invested adequately in cyber-threat defenses.
  • Improved security or wishful thinking? Although 60% of respondents confessed to being affected by a successful cyber-attack in 2013, only 40% expect to fall victim again in 2014.
  • Next-gen firewalls on the rise: Out of 19 designated network security technologies, next-generation firewalls (29%) are most commonly cited for future acquisition, followed by network behavior analysis (26%) and big data security analytics (24%).
  • Malware and phishing causing headaches: Of eight designated categories of cyber-threats, malware and phishing/spear-phishing are top of mind and pose the greatest threat to responding organizations. Denial-of-service (DoS) attacks are of least concern.
  • Ignorance is bliss: Less than half (48%) of responding organizations conduct full-network active vulnerability scans more frequently than once per quarter, while 21% only conduct them annually.
  • Dissatisfaction with endpoint defenses: Over half of respondents indicated their intent to evaluate alternative endpoint anti-malware solutions to either augment (34%) or replace (22%) their existing endpoint protection software.
  • Careless employees are to blame: When asked which factors inhibit IT security organizations from adequately defending against cyber-threats, “low security awareness among employees” was most commonly cited, just ahead of “lack of budget.”

While CyberEdge’s survey pool is small (just 750 folks, mind you), the issues outlined above indicate much work still needs to be done to counteract the growth of cyber-threats to businesses and consumers alike. And while the new “Cybersecurity Framework” offers a good starting point in the ongoing war against hackers, cyber thieves, and other nefarious Internet dwellers, it’s only a start. The next step is getting off the beachhead to make some serious cybersecurity headway.

About the Author

Sean Kilcarr | Senior Editor
