The Government Accountability Office (GAO) released a report outlining key cybersecurity challenges, along with various proposed steps to be taken for risk reduction and management. According to Christian Espinosa, the CEO of Alpine Security, U.S. government cybersecurity is merely the tip of the iceberg. He said: “The federal government has the funds, scale, and infrastructure to reduce risk considerably. The bigger challenge is smaller firms – especially those that operate in key industries such as healthcare, who underestimate the importance of a proactive cybersecurity strategy”.
Of the 3000 recommendations the GAO has made since 2010, it is reported that by 2018 only 1000 of those had been implemented. This confirms that the government may not offer the best template to follow – and that private firms should seek custom cybersecurity solutions. An outline of the challenges may sound simple, but considering that so few recommendations were implemented, and what the consequences of failure can be, many chief technology officers and other stakeholders in private businesses rightly feel concerned, as is discussed below.
Key cybersecurity challenges outlined by the GAO:
Modelling challenges and solutions faced by government systems onto private companies may not be the best answer, but it provides a good understanding of the strategic thinking involved when addressing cybersecurity. According to the GAO report, there are four challenges in particular. The first is to establish a comprehensive cybersecurity strategy, including oversight. The second is to secure federal systems and information. The third concerns the broader infrastructure that cyber systems depend on, including the electricity grid, telecommunications networks and beyond. Could this be why Mike Pence announced the establishment of a military space force? The fourth is the protection of privacy and sensitive data. These are very general points; they do not name specific state actors as external threats or consider internal threats. It is obvious from geopolitical tensions involving governments like China and Russia, companies like Huawei, and broader issues such as information warfare and forced technology transfer that we are facing peak levels of risk.
Consequences of cybersecurity failure:
Companies like Alpine Security make considerable efforts to reduce risk in key industries. They do this by training new recruits for cybersecurity roles, as well as by providing consulting, penetration testing and a range of related solutions. As a supporter of the 2019 Archimedes Medical Device Security 101 Conference, they help organizations understand not only the risks related to cybersecurity, but also ways of mitigating and managing those risks. They explained that one of the key consequences of cybersecurity breaches can be the loss of life. This can happen when medical devices are hacked, but also when things like pharmaceutical manufacturing plants and electric vehicles are compromised. In the age of self-driving vehicles, where even huge trucks will become autonomous, the consequences to human life can be catastrophic – and disruptive at a large scale. It is therefore understandable why companies pay external contractors to perform penetration testing – and why this has suddenly become one of the best-paid jobs around the world.
Stakeholders in business who are impacted by the challenge:
As the Internet of Things (IoT) and the Internet of Medical Things (IoMT) have spread to all layers of business, organizations are affected in their entirety. Clearly, stakeholders at various levels are impacted: shareholders and heads of departments are concerned about cybersecurity, drawing up solutions in-house and, in many cases, outsourcing the responsibility to some of the best cybersecurity consulting firms around. HR departments can see that pay rates for operatives are skyrocketing as it becomes more difficult to find a qualified workforce, increasing the need for training and development. Finance departments are allocating more substantial budgets to address these challenges adequately.
Smaller private entities will have different needs than government. Indeed, some opt for migration towards cloud solutions that benefit from a scaled cybersecurity strategy, while others invest sufficiently to protect their in-house systems. With so few of the GAO recommendations being implemented, private businesses need to move faster to adopt proactive cybersecurity measures. We now live in a world where cybersecurity risk assessments, penetration testing, training, audits, and incident response should be as normal as any key business function.