The mantra is old, granted, but worth repeating, since it's obvious from the number of cybersecurity breaches that not everyone is listening.
Speaking at the Georgetown Cybersecurity Law Institute this week, Deputy Attorney General of the United States James Cole said there are many things companies can do to help the government, and vice versa, combat cyber threats through better prevention, preparedness, and incident response.
"Some of this may seem quite basic to many of you, but it doesn't hurt to hear it again. Unless we work together, we will not be able to address the cyber threat successfully," Cole said.
In a nutshell, here are the eight key areas Cole said companies should pay close attention to:
Prevention: Companies should put best practices and technologies in place. For example, each company needs a strong system of network firewalls. You, of course, need an external firewall. This will serve to protect you from the hacker trying to get inside. But that's not enough. No matter how strong your external firewall is, the likelihood is that a hacker will inevitably break inside. So you also need internal firewalls. These should wall off different departments or divisions in your company from each other. And those areas that contain your company's most sensitive and valuable information should have particularly robust protections. This way, even if a hacker gets onto your network, he doesn't get very far. Or, at least, he doesn't get to your company's most sensitive information.
Education: Companies need to educate their employees on intrusion techniques such as spear-phishing or redirecting websites - the scams that use a combination of email and bogus websites to trick victims into clicking on website links or opening attachments. It only takes the carelessness of one employee to let a hacker into your network. So companies need to train their employees to recognize and avoid these kinds of scams.
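The "redirecting websites" scam above works because the text of a link and the address it actually points to are two different things. One concrete way to back up the employee training with tooling is to check inbound mail for links whose visible text names one domain while the href goes elsewhere, for punycode (IDN) hostnames, and for lookalike spellings of the company's own domains. The code below is an added example, written for this page and not taken from Cole's remarks or any DOJ/FBI material; the HTML message, the `example-bank.com` brand and the `PROTECTED_DOMAINS` list are constructed for the demo, and the two-label `registrable_domain` helper is a deliberate simplification of the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body for the demo; not a real phishing email.
# example-bank.com is a placeholder brand, not a real institution.
SAMPLE_HTML = """
<p>Your account will be suspended. Please log in at
<a href="http://secure-login.example-bank.co/acct">https://www.example-bank.com/login</a>
within 24 hours.</p>
<p>Questions? Visit <a href="https://www.example-bank.com/help">our help center</a>.</p>
<p>Or <a href="http://www.examp1e-bank.com/verify">click here</a> to verify now.</p>
<p>Mobile users: <a href="http://xn--exmple-bank-n4a.com/">tap here</a>.</p>
"""

# Assumed list of domains the organisation wants to protect against lookalikes.
PROTECTED_DOMAINS = {"example-bank.com"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Last two labels of a hostname: a crude stand-in for the Public Suffix
    List that is good enough for the sample data."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def host_named_in_text(text):
    """Hostname the visible anchor text claims to point at, or None when the
    text is not a URL or bare domain (e.g. 'click here')."""
    text = text.strip()
    if re.match(r"^[a-z][a-z0-9+.-]*://", text, re.I):
        return urlparse(text).hostname
    m = re.match(r"^(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/|$)", text, re.I)
    return m.group(1).lower() if m else None


_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def skeleton(domain):
    """Fold digit-for-letter and rn/vv substitutions so 'examp1e' ~ 'example'."""
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def analyze_links(html, protected=PROTECTED_DOMAINS):
    """Return [(href, [reasons])] for every link that looks deceptive."""
    findings = []
    for href, text in extract_links(html):
        href_host = urlparse(href).hostname
        if not href_host:
            continue
        href_host = href_host.lower()
        href_domain = registrable_domain(href_host)
        reasons = []
        shown = host_named_in_text(text)
        if shown and registrable_domain(shown) != href_domain:
            reasons.append("text names %s but link goes to %s" % (shown, href_host))
        if any(label.startswith("xn--") for label in href_host.split(".")):
            reasons.append("punycode (IDN) hostname")
        for brand in protected:
            if href_domain != brand and skeleton(href_domain) == skeleton(brand):
                reasons.append("lookalike of %s" % brand)
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in analyze_links(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons))
```

Run against the constructed message, the legitimate help-center link passes while the three deceptive links are each flagged with the reason a user could be shown. The skeleton comparison is intentionally narrow; a production filter would use the Unicode confusables table and a proper public-suffix lookup.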
Passwords: The strongest password system has multiple layers, and yes, I know it is a pain, but it is so much less of a pain than losing all your data, your trade secrets, or your financial information. This may require the user not only to type in a number of different passwords, but also to send images or even to do a form of biometrics. You should consider using all of these to protect your core, most sensitive network areas.
Share: You're going to need up-to-date information on what cyber threats are out there and what they look like. Participating in information sharing platforms like InfraGard can help you in this regard. InfraGard is an FBI-sponsored initiative that brings together representatives from the private and public sectors to help protect our nation's critical infrastructure from attacks by terrorists and criminals. Members have access to the FBI's secure communications network, featuring an encrypted website, web mail, listservs, and message boards. The FBI uses the InfraGard website to disseminate threat alerts and advisories. InfraGard also sends out intelligence products from the FBI and other agencies.
Beyond InfraGard, you can access other information sharing organizations like the Information Sharing and Analysis Centers - ISACs. ISACs are trusted groups established by critical infrastructure owners and operators. There are different ISACs for different sectors and areas of expertise. Members of ISACs share information with each other and maintain contacts with the government to share and receive cyber threat information. Services provided by ISACs include risk mitigation, incident response, and information sharing. Depending on the ISAC, you may have access to a 24/7 security operations center, briefings, and white papers.
Government too: What can the Government do to help with prevention? Well, for starters, we can share actionable information with you. We have collected and shared hundreds of thousands of indicators of malicious activity with the private sector and over a hundred nations. And this is just in the past six months. These indicators include information like IP addresses associated with malicious activity.
You may have also heard about ECS - the Enhanced Cybersecurity Services program. This is a program that has been available to the U.S. defense industrial base. The Department of Homeland Security has been working with cybersecurity organizations from across the federal government to gain access to a broad range of sensitive and classified cyber threat information. DHS provides that information to qualified service providers to help them counter known malicious cyber activity.
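Indicators like the "IP addresses associated with malicious activity" mentioned above are only useful if they are actually run against your own traffic. The code below is an added example, written for this page rather than drawn from Cole's speech or from any FBI, InfraGard or ISAC product: it loads a small indicator feed (exact addresses, CIDR ranges and domains) and scans firewall and proxy log lines for hosts that talked to them. The feed format, the source names and all of the log lines are constructed for the demo; the addresses are RFC 5737 documentation ranges and the domains are placeholders.

```python
import ipaddress
import re

# Constructed indicator feed in a minimal "type,value,source" CSV form.
# Values are documentation/test ranges and placeholder names; they do not
# refer to any real campaign, and the source names are placeholders, not
# real FBI, InfraGard or ISAC products.
INDICATOR_FEED = """\
# type,value,source
ip,203.0.113.45,flash-report-sample
cidr,198.51.100.0/24,isac-advisory-sample
domain,evil.example,infragard-alert-sample
"""

# Constructed log lines: two firewall records and two web-proxy records.
SAMPLE_LOGS = """\
2013-05-22T10:15:01Z fw01 ACCEPT src=10.1.4.23 dst=203.0.113.45 dport=443 proto=tcp
2013-05-22T10:15:07Z proxy01 10.1.4.23 GET http://update.evil.example/bot.php 200
2013-05-22T10:16:42Z proxy01 10.1.9.8 GET https://www.example.com/ 200
2013-05-22T10:17:03Z fw01 DENY src=10.1.9.8 dst=198.51.100.77 dport=8080 proto=tcp
"""


class IndicatorSet:
    """Indicators loaded from a feed, indexed for lookup."""

    def __init__(self):
        self.ips = set()        # exact addresses
        self.networks = []      # CIDR ranges
        self.domains = set()    # domains; subdomains of these also match
        self.source = {}        # normalised indicator -> feed/source name

    @classmethod
    def from_csv(cls, text):
        ind = cls()
        for line in text.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            kind, value, source = (part.strip() for part in line.split(",", 2))
            if kind == "ip":
                addr = ipaddress.ip_address(value)
                ind.ips.add(addr)
                key = str(addr)
            elif kind == "cidr":
                net = ipaddress.ip_network(value, strict=False)
                ind.networks.append(net)
                key = str(net)
            elif kind == "domain":
                key = value.lower().rstrip(".")
                ind.domains.add(key)
            else:
                raise ValueError("unknown indicator type: %r" % kind)
            ind.source[key] = source
        return ind

    def match_ip(self, text):
        """Return the matching indicator (address or CIDR string), or None."""
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return None
        if addr in self.ips:
            return str(addr)
        for net in self.networks:
            if addr in net:
                return str(net)
        return None

    def match_domain(self, host):
        """Match the host or any parent domain. Compare whole labels, so
        'notevil.example' does not match 'evil.example'."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate
        return None


_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_URL_HOST = re.compile(r"https?://([^/\s:]+)", re.I)


def scan_logs(log_text, indicators):
    """Return (line number, matched indicator, source) for every log line
    that touches known-bad infrastructure."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        seen = set()
        candidates = [indicators.match_ip(ip) for ip in _IPV4.findall(line)]
        candidates += [indicators.match_domain(h) for h in _URL_HOST.findall(line)]
        for m in candidates:
            if m and m not in seen:
                seen.add(m)
                hits.append((lineno, m, indicators.source[m]))
    return hits


if __name__ == "__main__":
    feed = IndicatorSet.from_csv(INDICATOR_FEED)
    for lineno, indicator, source in scan_logs(SAMPLE_LOGS, feed):
        print("line %d: %s (from %s)" % (lineno, indicator, source))
```

Carrying the source name through to each hit matters in practice: it tells the analyst which advisory to read and, when an indicator turns out to be noisy, which feed to tune.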
Standards: The National Institute of Standards and Technology - NIST - has the responsibility, along with the private sector, to develop a framework of baseline standards for cybersecurity. The Framework's purpose is to assist owners and operators of critical infrastructure to identify and manage risks posed by cyber threats. Once the Framework is established, DHS will establish a voluntary program to support adoption of the Framework. While the Framework is directly applicable to critical infrastructure members, there is nothing that prevents any company from adopting the Framework as part of its cyber program.
Advance prep: Even a well-defended organization will inevitably experience a cyber incident at some point. Therefore, your company has got to have a strong and comprehensive plan for responding to a cyber incident. Determine what kinds of filters to employ in the face of a DDoS attack, how to implement mechanisms to shut down access to important sectors of your computer systems, procedures to change passwords and access controls, and provisions to preserve all your critical data to ensure continuity of your company's operations if your data has been destroyed. And importantly, mechanisms to notify customers or employees if PII has been stolen.
Financial obligation: Finally, think about your cyber protection program from the perspective of your shareholders. The SEC has issued specific guidance regarding disclosure obligations relating to cybersecurity risks and cyber incidents. The guidance, which was issued in 2011, makes clear that there are particular obligations that apply before, during, and after a cyber incident. But you should think about your disclosure obligations beyond just particular cyber incidents. If you had to explain to your shareholders how you are going about protecting the most valuable trade secrets of your company, or its financial information, or its critical operations, or the personally identifiable information of your customers or employees, what would you want that explanation to look like? What kind of impression would you want the investing public to have about your dedication to cyber protection?