By Chuck Brooks, President of Brooks Consulting International
A new bipartisan bill, the Cybersecurity Awareness Act, would require the Cybersecurity and Infrastructure Security Agency to launch a public-private campaign that would promote access to cybersecurity resources and expand outreach to small businesses and underserved communities on how to better defend against cyber attacks.
The bill, S. 1835, was introduced by Senator Gary Peters, D-MI, and Senator Bill Cassidy, R-LA, and referred out of committee. It succinctly states that its purpose is to “require the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security to develop a campaign program to raise awareness regarding the importance of cybersecurity in the United States.”
CISA has long promoted cybersecurity awareness and, in conjunction with the National Cybersecurity Alliance, already leads “a collaborative effort between government and industry to raise cybersecurity awareness nationally and internationally.”
Last year, CISA, under the leadership of Wash100 Award winner Jen Easterly, created the Joint Cyber Defense Collaborative to fundamentally transform how cyber risk is reduced through continuous operational collaboration between government and trusted industry partners. “The Cybersecurity and Infrastructure Security Agency established JCDC—the Joint Cyber Defense Collaborative—to unify cyber defenders from organizations worldwide. This diverse team proactively gathers, analyzes, and shares actionable cyber risk information to enable synchronized, holistic cybersecurity planning, cyber defense, and response,” CISA’s website reads.
JCDC is a great program, as is CISA’s new CyberSentry program, a managed threat detection and monitoring capability governed by an agreement between CISA and voluntarily participating critical infrastructure partners who operate significant systems supporting National Critical Functions.
Protecting critical infrastructure is certainly a top national security priority, but the Cybersecurity Awareness Act’s focus is also important: it fills a gap by protecting small businesses and marginalized communities, who are also at risk.
Why cybersecurity awareness is an imperative
In our current digital environment, every company and organization, large or small, is a reachable target of criminal hackers. Moreover, they all have operations, brand, reputation and revenue pipelines that are potentially at risk from a breach.
The 2021 World Economic Forum Global Risks Report sums up our cyber predicament: “Business, government, and household cybersecurity infrastructure and/or measures are outstripped or rendered obsolete by increasingly sophisticated and frequent cyber-crimes, resulting in economic disruption, financial loss, geopolitical tensions and/or social instability.”
Cyber attacks on all businesses, but particularly small-to-medium-sized businesses, are becoming more frequent, targeted and complex. According to the recent Accenture Cost of Cybercrime study, 43 percent of cyber attacks are aimed at small businesses, but only 14 percent of those organizations are prepared to defend themselves.
Cyber criminals are using machine learning techniques to discover vulnerabilities in their targets and to automate their own attacks, with increasing success. They often share tools available on the Dark Web, and hacker attacks are now faster, more calculating, and more lethal. The threat actors are many and varied and include nation states, criminal enterprises and hacktivists.
Success for hackers does not always depend on using the newest and most sophisticated malware. It is easy for a criminal hacker to execute an attack. In most cases, they rely on the most opportune point of vulnerability, especially given the ease of online attacks. It is also an exceedingly difficult challenge to keep up with the increasing sophistication of socially engineered threats and threat actors.
In the past few years, ransomware has become hackers’ cyber-attack method of choice. This is because many networks (especially those of hospitals, utilities, universities and small businesses) comprise different systems and devices and often lack the patching and updating necessary to thwart attacks. It is also because criminal hackers can get paid in cryptocurrencies that are difficult to trace.