Assess your defense before a cyberattack

I am sure this is not a shock to most of you, but our current approach to cybersecurity is not working. When an information security icon such as RSA experiences a serious security breach like the one acknowledged recently, what does it say about the average organization and its ability to protect its information assets?

While I was teaching a course on cyber terrorism this month for emergency services organizations, an interesting conversation took place. During the program, three serious security issues came out during a cyberattack scenario exercise. I am not able to divulge those issues for security reasons. Let me say, though, that the magnitude of risk that accompanied these issues was cause for great concern.

Why all of our emergency services, identified as a component of our critical infrastructure, have not conducted cyberattack planning and review is beyond comprehension. This is particularly true given warnings that a cyberattack on our emergency response infrastructure and assets is likely to accompany an act of terrorism.

Some of the information systems used by emergency services are no longer supported and need to be replaced. For those emergency assets that are already in place and still supported, we need to identify areas of vulnerability and address those shortcomings before it is too late. When we plan and develop our operating procedures, critical systems and infrastructure, we need to look at the security issues that may focus on those essential capabilities. It is easier and more economical to build security in rather than trying to address security as an afterthought. Why is that so hard for us to do?

As the saying goes, an ounce of prevention is worth a pound of cure.