Cyber security professionals underestimate vulnerabilities until hit

U.S. will experience a future critical infrastructure attack

“Unlike a plumber or an electrician (who) can often start a career with a set amount of training to be competent on the job and learn the finer points as they go, sadly, IT security is an ever-evolving industry–yet clients expect immediate results for rapidly emerging, complex problems.”

Mark James, security specialist with ESET, as quoted by Infosecurity

Is your IT team proactively protecting your digital infrastructure?

With constant news of private and public security breaches, you’d think that cyber security specialists would be proactively researching emerging threats and patching potential system vulnerabilities. Unfortunately, this is not necessarily the case. In the recent McAfee, Aspen Institute and Intel Critical Infrastructure Readiness Report, over 70% of security professionals said they were “confident or extremely confident in their team’s ability to identify intrusions and deal with attacks.”

By contrast, those who had already experienced one or more attacks reported lower confidence about dealing with future incursions. Because many of the best-protected sites have already been breached, it seems likely that IT professionals’ confidence in current security technology will erode over time.

Most concerning is a second statistic: 48% of the same security professionals in that survey also believe the U.S. will experience a future critical infrastructure attack “with potential loss of life.” Yet, amazingly, they remain confident that their own organizations are secure.

Is your IT budget and staffing adequate?

In another 2015 survey of a comparable number of security professionals (Black Hat attendees), the results revealed a greater degree of realism. Only 27% of this group believed their team could handle an attack, with the vast majority pointing to inadequate budget and staffing as the reason. Consequently, over 70% of this survey group reported that they expected a damaging security breach sometime within the next year.

Will pending CISA federal cyber security legislation improve security?

You may have heard about the Cybersecurity Information Sharing Act (CISA), designed to increase the exchange of information about emerging cyber threats between the public and private sectors. This legislation may move to the Senate floor soon if its bipartisan supporters (including Senate Majority Leader Mitch McConnell and Minority Leader Harry Reid) and its private sector allies, including the Software Alliance (Adobe, Apple, IBM and Microsoft), gain enough momentum. Most significantly, the White House has indicated it would support CISA with some minor changes.

President Obama threatened to veto a similar measure several years ago, killing it. CISA has many opponents, including privacy critics who argue that it would encourage companies to collect more private data that would then be shared with the NSA and other government agencies. Those opposed include WordPress, Craigslist, DuckDuckGo, the Entertainment Consumers Association, Mozilla, Reddit, ServInt, and TorServers. Final amendments have not yet been made public, so any genuine threats to public privacy remain to be seen. Stay tuned… In my next blog, I’ll explore new ‘Cloud’ security developments that have made cloud infrastructure less vulnerable to attack than was the case just a few years ago.