What can the military teach us about cybersecurity?
Teaching the workforce to create a heightened state of awareness.
It’s time for the business world to toughen up on security. The threat from cybercriminals is pervasive. Successful attacks on financial institutions, large retailers, and even government bodies are all too common.
There’s a reason that the Worldwide Threat Assessment of the US Intelligence Community report, released in February this year, put Cyber at the head of the list of global threats. But the targets are not always military, as the report explains, “A growing number of computer forensic studies by industry experts strongly suggest that several nations—including Iran and North Korea—have undertaken offensive cyber operations against private sector targets to support their economic and foreign policy objectives, at times concurrent with political crises.”
Linda Musthaler’s excellent recent article asked, Is it time to adopt a military-style approach to cybersecurity? The answer is yes. The military and the NSA are in the vanguard of the cybersecurity industry. They have developed some extremely effective methods to protect the country. We can adopt some of these methods to protect our businesses from hackers.
An ongoing war
If you want to find the right approach to vulnerability management, then you can start by adopting the right mindset. Security is not something to be ticked off a list. You can’t implement a policy and then forget about it.
Mike Walls, a retired U.S. Navy Commander now running cybersecurity firm EdgeWave, told Musthaler, “we need to monitor, we need to assess, we need to get data and analyze the data and feed the results of that analysis back into our systems and our processes as soon as possible. It is more of a military warfighting process.”
This attitude is reflected in the aforementioned U.S. Intelligence report, “the cyber threat cannot be eliminated; rather, cyber risk must be managed.”
New lines and methods of attack are being developed every day. The enemy is not necessarily the small time criminal you’re picturing. Cyber attacks backed by hostile nation states are well-funded and well-organized. You need a defensive policy to cater for a resourceful and skillful adversary.
Developing a solution that fits
Every solid security plan starts with a thorough evaluation. Whether you have server misconfigurations or mobile app vulnerabilities, the first step is to identify them. There’s no substitute for an in-depth look at your organization and your networks. We’re not just talking about penetration testing here; you need to consider internal threats and lateral vulnerabilities as well. The military and NSA employ people who can think like the enemy to gain an insight into likely lines of attack.
The next stage is to formulate a plan that protects the key components of your business, but it’s worthless without education and enforcement. In rigid organizations with a strong disciplinary tradition like the military, it may be easier to set out policy rules. In business it’s important to set aside time and resources for educating your staff. There should also be some understanding of the potential consequences of a breach.
Enforcement requires a dedicated security professional working on cybersecurity 24/7/365. You can’t set up software systems and ask IT to monitor them when the security consultants pull out. The intelligence approach used by the NSA prizes human intuition and vigilance. But it takes expertise to spot threats and interpret the incoming security data correctly.
The battle isn’t won
Because there’s no end point with cybersecurity, you need a process in place that continually assesses and reassesses your security systems. Make sure that whoever you task with cybersecurity has the knowledge and the tools to do the job. But it’s important to remember that having a security expert on board is no silver bullet. That expertise should be shared with the rest of the workforce to create a state of awareness.
The strength of military organizations comes from their ability to pull together in the same direction. Create a culture of awareness in your company. Teach your workforce to be mindful of what they’re doing and how breaches happen. With the right foundation, any security strategy you develop and employ will be that much more effective.
This article was originally published in Network World.