My three favorite snippets from the article below:
- “With the Internet of Things every company becomes a technology company, and every company becomes a security company.”
- “When you acquire a company, you inherit all of that company’s cybersins.”
- “There’s no one forcing companies to patch vulnerabilities to protect their users”
Article by Kashmir Hill in Forbes.
Emphasis in red added by me.
Brian Wood, VP Marketing
10 Ways To ‘Fix’ Cybersecurity
Security reporter Byron Acohido and I asked ten cyber-experts to offer up their best ideas for stemming the threats we face when it comes to digital security. Note: Almost every one of them muttered something about there being no silver bullets.
Brian Krebs, Investigative reporter and author of the upcoming book Spam Nation: “Being safe and secure online fundamentally requires a mindset shift. I’d like to see more Internet users place far less reliance on automated tools for security and take a defensive posture that begins with an appreciation that everything can be hacked but that bad guys are mostly after information of value that isn’t adequately protected. This means educating oneself about the limitations of security tools and taking proactive steps to shore up these defenses.”
Scott Charney, Corporate VP-Trustworthy Computing Group at Microsoft: “In the world of cloud services and big data, people expect that companies will be responsible stewards of that data. Indeed, having trust in a provider will ultimately determine if people are willing to use connected products and services. Because of this, companies must be transparent about how they handle data, ensure they have robust corporate programs to protect privacy and ultimately be accountable for their actions.”
Chris Young, SVP-Security Business Group at Cisco: “Each connection in the Internet of Things brings new risks that challenge defenders to provide enhanced levels of protection. This requires a threat-centric approach to security, with solutions that work together, collecting and sharing intelligence, with a coordinated focus on threats. This is the only way to protect what matters most. With the Internet of Things every company becomes a technology company, and every company becomes a security company.”
Chad Sweet, CEO of security and risk advisory firm The Chertoff Group: “Corporate America rarely grows 100% organically anymore. M&A is almost always involved. Increasingly when you acquire a company, you inherit all of that company’s cybersins. If their systems are infected or breached, you’re infected. In the same way a financial audit is done to make sure the books aren’t cooked, there needs to be a cyberaudit to give stakeholders confidence that the key, valued intellectual property they are purchasing for future revenue has not been compromised.”
Edith Ramirez, Chairwoman at the Federal Trade Commission: “Businesses should encrypt sensitive data. Encryption, properly implemented, is becoming more important. That applies to sensitive information across the board. Online security for children’s information is of particular concern. The Children’s Online Privacy Protection Act gives parents the right to control the collection of personal information from their kids. If parents okay the collection, the website or app must provide reasonable security for the information, or risk a fine from the FTC.”
Heather Adkins, Manager of Information Security at Google: “For the last 20 years we’ve been playing catch-up to fix operating systems that were designed in the 60s and 70s. We need to rethink that from the ground up. For instance, instead of running lots of different programs and apps, we should have users work with a single interface, like a browser, through which they can do multiple things. That will keep the attack surface smaller: If you have a big castle, it’s hard to defend, but if you have a smaller castle, it’s easier.”
Daniel Suarez, Sci-fi writer, author of Daemon and Influx: “The Internet wasn’t intended to be a secure network, yet it’s been pressed into service for online banking, stock trading, industrial process control systems and more. What we need is an Apollo-like national project to build a new, secure network for critical infrastructure that would use a separate protocol, proprietary hardware, dedicated fiber-optic lines and powerful encryption to eliminate all but the most elite interlopers. This wouldn’t replace the Internet; it would only be used where identity and trust are critical.”
Peter Singer, Coauthor of Cybersecurity and Cyberwar: What Everyone Needs to Know: “The most important thing we can do is shift our human incentives, organizations and mentality away from the aura of fear and ignorance that surround too much of cybersecurity now to working toward something more effective: resilience. Defense and deterrence can only go so far. As long as we use the Internet, we will always face risk. The key is how we can power through these threats and bounce back quickly. ‘Keep calm and carry on’ should be the mantra for the systems we use and for our psyche.”
Christopher Soghoian, Principal technologist at the ACLU: “For all the talk in Washington of the importance of cybersecurity, there is no agency in the government that is directly responsible for consumer cybersecurity and making sure regular Americans are secure. There’s no one forcing companies to patch vulnerabilities to protect their users. That means we’re all running out-of-date software and that companies are storing far too much of our sensitive data in insecure ways. We need a powerful privacy and data-security regulator that can set data security rules for companies and enforce them.”
Joe Sullivan, Chief security officer at Facebook: “When core Internet technologies are well-maintained, the Internet works. When they fail, the best-laid security plans collapse. If we’re going to prevent future Heartbleeds, we need security infrastructure to keep up with billions more people coming online. As an industry, let’s invest in technologies that secure mobile networks, data-center traffic, and the websites and apps people access every day. We have to make it easier for future developers from anywhere to choose secure options from the start.”