The Politics of Cybersecurity

Are our governments prepared?

The State of Mississippi completed its first governmentwide cybersecurity audit this month. The results were less than encouraging.
To begin with, the October 1st report, released by State Auditor Shad White, reveals that of the 125 state entities that were asked to fill out the survey, nearly half failed to do even that. Of those who did complete the survey, White found that 11 have no documented plan for responding to cyberattacks. Furthermore, 22 entities reported that they failed to comply with the state requirement to undergo an external vulnerability assessment at least once every three years. Perhaps the most disappointing finding was that 38 of the responding entities admitted that they don't encrypt sensitive information related to health records, taxes or student records.

As White's office concluded: "Many state entities are operating like state and federal cyber security laws do not apply to them. Mississippians deserve to know their tax, income, health, or student information that resides on state government servers will not be hacked."

Unfortunately, however, Mississippi is far from alone. In June 2019 alone, two Florida cities paid out over $1 million in ransom to regain control over their systems. For those who instead choose to fight the hackers, the results can be even more dire: the city of Baltimore has already spent $18 million in the last few months instead of bowing to a $60,000 ransom. And the list goes on.

So, what's the solution?

Turning back to the White Report, it's clear that the State is taking cybersecurity seriously by (1) establishing a statewide security program, (2) giving the Department of Information Technology Services control over the program's direction, and (3) appointing a statewide auditor to track and promote compliance. The problem, rather, is not in the planning, but in the implementation. It's easy enough to make security decisions from the top-down, but unless a broad consensus and commitment grows within the various organizations, there is very little that an oversight committee can actually achieve.

Accordingly, any security strategy must create a dynamic of shared responsibility at its core if it is to be at all effective. This means introducing training workshops, awareness programs, and top-down messaging that shows employees that your organization takes cybersecurity seriously.

Information security cannot be contained in a set of regulations or handed off to a security department. To be effective, it must lead to a complete transformation in organizational priorities and culture.

This is why Silent Breach focuses on helping our clients undergo a holistic security transformation, rather than simply providing silver bullet solutions. For example, our Continuous Monitoring solution, Quantum Armor, provides clients with near real-time insight into their security posture, all with 360 degrees of transparency.

Remember, corner office marketing execs and lobby receptionists are just as responsible for protecting company data as are the cubicle-dwelling IT technicians. They each have a job to perform, each in their own way. Cyber security is only secure when it's everyone's responsibility.

About Silent Breach: Silent Breach is an award-winning provider of cyber security services. Our global team provides cutting-edge insights and expertise across the Data Center, Enterprise, SME, Retail, Government, Finance, Education, Automotive, Hospitality, Healthcare and IoT industries.