Start By Doing Your Part
In the meantime, there are some steps private businesses can take to enhance their own cybersecurity and information-sharing efforts. “There are plenty of organizations out there that foster networking among CISOs,” Magnotti says. “The Security Executive Council, (ISC)2, ISSA — those types of organizations allow CISOs to not only get to know each other but to share their mitigation strategies.”
There are also private service companies that provide threat intelligence to their clients, most of whom are very large financial and retail organizations. Crowell, who is associated with one such organization, iSight Partners, says that these companies tend to remove all identifying information from the threat information they discover and then share that information with their entire customer base, creating a sort of paid information-sharing network.
Organizations that are not already sharing threat information through CERT and applicable ISACs should consider doing so and should weigh the potential benefits against the perceived risks.
Businesses large and small should be ready, Payton says. “You want to have a plan that encompasses three critical areas — protect, defend and recover. You want to make sure you have excellent defenses; however, you should also accept that, more than likely, somebody’s going to get in, so you need to have an offensive strategy and a recovery strategy as well.”
And more than anything else, we must not allow the increased media attention on cybersecurity to spur a backlash attitude that says the problem is not really as big as it seems. “This threat is very real,” Crowell says. “Right now a lot of the attacks are what I would call reconnaissance. They could easily do significant damage, and at a critical moment, that damage would have serious effects on our national security and economic situation.”
Marleah Blades is senior editor for the Security Executive Council (SEC). The SEC is a risk mitigation research and services organization for senior security and risk executives from corporations and government agencies. In partnership with its research arm, the Security Leadership Research Institute, the Council is dedicated to developing tools that help lower the cost of security programs. For more info, visit.