Cyber Security Starts With You – Analysis of the 2016 National Preparedness Report
Written by: Jack Healey, CPA/CFF, CFE – Managing Director Business Crisis Practice, Firestorm
The 2016 National Preparedness Report (The Report) identified 32 core capabilities that a resilient nation must master in order to be prepared for disaster. The Report listed Cyber Security and Supply Chain among four capabilities which need to be improved. Given the pervasive reliance on Cyber Security to protect our Nations’ defense, infrastructure, healthcare, banking, transportation, power grid, commerce and communications, it’s hard to believe we are secure as long as Cyber Security remains deficient.
Cybersecurity was listed as fifth in importance, but LAST in proficiency.
The Report measured Prevention, Protection, Mitigation, Response and Recovery across 32 dimensions. The study placed Cyber Security solely in the Protection quadrant, focusing on mitigation, response and recovery as the physical devastation caused by a Cyber Security Incident. It stated a goal: “Expanding the Nation’s resilience to cybersecurity risks by increasing the availability of cybersecurity training and resources and increasing information sharing between the Federal Government and the private sector.” As you read through the report however, it recognizes the pervasive impact that cyber security has on Supply Chain and other ‘core capabilities.’ The Report offers no concrete steps or details regarding the type of training, who will participate in training, who will conduct the training and who will pay for it.
The report acknowledges the largest breach in 2015, which came at the hands of the U.S. Government Office of Personnel Management. During this breach, 80 million government workers had their files hacked, most likely by unfriendly National States. This one breach compromised our security more than any other espionage act of the past 50 years; identifying to our enemies the deep background of government employees and leaving them susceptible to identification and blackmail.
While reading the Report, in its 106-page entirety, I found it difficult at times to look past the political overtones. While the report touted our fight against global warming, and the goal to have government ID cards issued to all federal employee contractors and employees, it superficially referenced programs and initiatives at the State and Local levels.
It referenced too, the Department of Homeland Security’s acknowledgement of the Presidential Executive Order to vaguely ‘do better,’ and to my eyes, strained to connect global warming to all weather related disasters. There appears to be an acknowledgement that Cyber Security is a real threat to the Unites States, but The Report fails to provide cogent steps at a National level to address this risk.
The report said of the 34 core capabilities, that three “demonstrated acceptable levels of performance, but face performance declines if not maintained to address emerging challenges.” The capabilities include: Public Health, Healthcare and Emergency Medical Services; and Risk and Disaster Resilience Assessment. One must ponder how, if Cyber Security is deficient, are these core capabilities safe?
The report offered no practical advice, but stated that government programs were the solution.
I could not disagree more. Cyber Security starts with each of us.
The simple, every day steps:
- Strong passwords: Is it possible that Mark Zuckerberg, creator of Facebook, used ‘dadada’ as his password? 13-15 character, alpha numeric, capital and lower case, symbols are a start. Change those passwords at least monthly. There are easy tricks to use that don’t involve your children/pets name, social security number, street address or cell phone number.
- Update your virus and firewall software automatically: I received a call from a doctor who had ransomware on his computers. He did not have virus software on any of his computers but one, because ‘they’re not connected to the internet.’ All computers need up-to-date virus and firewall software.
- If you have it on your computer, update it. If you don’t use it, delete it: Have you noticed that Adobe sends you so many updates? Adobe Video Player is prone to hacks. If you don’t use it, delete it. Any software you don’t use should be deleted. If you use it, make certain you update it.
- If you don’t recognize the sender or it seems unusual don’t open it! According to PhishMe, in October 2015, only 7 percent of emails carried ransomware. In March of 2016, it was 93 percent! If you don’t know who the sender is, or it’s unusual, don’t open the attachment.
- Be careful what you post on social media: It’s easier for the hackers to target you and your family. A ‘Happy birthday to Mom’ on Facebook, your mother’s maiden name and a picture of your clean car, license plate or home address (included in metatag on picture) are easy examples of what information hackers use.
- Businesses need a Cyber Incident Response Plan: Cyber Security is not an IT responsibility, it is a business responsibility. A well-constructed CIRP includes a cross functional business team with roles and responsibilities, an activation matrix, identification of third parties, training of associates, communication plans, message mapping, testing of your plan and documentation and hot wash post-incident protocols.
In short, Cyber Security will not be solved by this report. The U.S. Government needs to secure its own databases (IRS, Healthcare.Gov, OMP) and take the lead from the private sector on this issue. We are not prepared, and this report offered no additional insights as to how we will become prepared. It starts with you.