Many U.S. mid-cap companies are struggling to defend themselves against cyber attacks, raising the question of what role the federal government should play in getting the private sector cyber ready, according to Michael Balboni, president of RedLand Strategies, Inc., a business development and government relations firm.
Approximately 80 percent of U.S. cyber assets are held by private entities, but “they do not have the type of capability, bandwidth, interest or experience to develop a proactive cyber analysis,” Balboni, who is also a former New York State Deputy Secretary for Public Safety, told Homeland Preparedness News in a recent interview. “The main point is to get companies engaged through an awareness campaign, socialization, best practices and a toolbox approach.”
Various federal agencies have developed cybersecurity guidance for companies, and the National Institute of Standards and Technology offers voluntary guidelines in its Cybersecurity Framework to reduce cyber risks. Still, many companies have neglected to make cybersecurity a part of their daily agenda.
“It’s not just having a chief information security officer or doing the penetration tests, but actually doing the monitoring that is enterprise-wide and environmental,” Balboni said. Penetration tests probe a computer system to expose its vulnerabilities to a cyberattack.
The state of active defense among private companies is really hit or miss, Balboni said. Active defense refers to security measures that go beyond passive defenses such as firewalls. Companies that have been hacked in the past are very aware of the risk, but others, not so much.
“Training, monitoring, detecting, the utilization of the core functions of your company and being able to expand out in concentric circles with various degrees of oversight is something that doesn’t happen with one check of the box,” Balboni said. “So to ask a company to stop and go through all your cyber practices, your cyber vulnerabilities and your cyber assets, it’s literally like asking them to change a tire on a car when it’s moving.”
Not only do companies need to be concerned with their own cyber security, they need to ensure their vendors are cyber secure as well.
Balboni serves on the board of directors of George Washington University’s Center for Cyber and Homeland Security (CCHS). The center has created a task force that is examining the issue of active defense by the private sector and is expected to release a report later this year.
One of the greatest threats to companies’ cyber security is ransomware, Balboni said. Ransomware is malware embedded in a computer system that shuts down access to files and requires the victim to pay a ransom to regain access.
Law firms have been especially hard hit by ransomware. These firms may or may not have taken their most sensitive information and downloaded it to a stand-alone computer or put it on a drive that is inaccessible, Balboni added. This type of attack potentially has national defense implications as well, depending on the sensitive nature of the information.