One of the prevailing themes in cybersecurity news this week seems to be the US government and efforts to defend critical infrastructure against cyber attacks. There is a renewed initiative to identify and proactively address vulnerabilities in airplanes, and the Department of Homeland Security is sounding the alarm over the potential impact of the shortage of skilled cybersecurity professionals on national security.
Let’s dig in:
Heightened Focus on Aircraft Cybersecurity
Modern aircraft—both commercial and military—depend on a vast array of complex computer systems to get safely from Point A to Point B. Aircraft are also a prime target for nation state and terrorist attacks—which is why the US government confirmed plans to step up efforts to test airline vulnerability to hacking.
Increased availability of in-flight Wi-Fi networks and connected entertainment systems may provide a means for accessing and compromising other aircraft systems. Many of the aircraft used by the military are also just modified versions of commercial aircraft and may be subject to the same vulnerabilities and weaknesses. At the Black Hat conference in August, researchers from IOActive revealed details of vulnerabilities discovered in the Boeing 787.
No Company Is Too Small for a Cyber Attack
I read an article recently from CFO.com that summed up 6 common cybersecurity myths. It is good information and I recommend you read the whole thing, but one misconception that stood out to me is the idea that a company or individual’s data isn’t that valuable. I frequently hear people say that they have nothing worth targeting, or nothing of value worth protecting—as an excuse for not doing enough or following cybersecurity best practices.
The reality is that all data is valuable. You can also substitute all systems. Many attacks are automated and do not discriminate based on the size or perceived value of the target. They simply look for vulnerable devices to exploit. Once a system is compromised, it can be used as a foothold to spread to other systems across the network. Although it is frowned upon, many people still re-use usernames and passwords across different systems and applications, so in many cases attackers can use information obtained from one system to gain access to another even if it isn’t directly connected.
The bottom line is that no company is too small for a cyber attack. In fact, small and medium businesses are generally better targets because there are exponentially more of them and they tend to have lower budgets and fewer cybersecurity resources to effectively detect and respond to threats.
Cybersecurity Skills Gap a Threat to National Security
Organizations of all sizes across both the private and public sector are under relatively constant siege from cyber attacks. Beyond the run-of-the-mill malware and automated attacks circulating on the internet, though, cyber attacks are also the new frontier when it comes to nation states seeking to infiltrate adversaries in order to gather intelligence—or possibly disrupt normal operations or inflict harm in some way.
Faced with this pervasive threat, the current shortage of cybersecurity professionals with the right skills and experience to help defend against those threats is even more critical. Jeanette Manfra, assistant director for cybersecurity for Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) recently told an audience at TechCrunch Disrupt SF that the cybersecurity skills gap is becoming a national security risk.
Manfra declared, “It’s a national security risk that we don’t have the talent regardless of whether it’s in the government or the private sector. We have a massive shortage that is expected that will grow larger.”
Organizations need to address the cybersecurity concerns, but it may not be practical—or advisable—for every company to try and address the issue of cybersecurity directly. Managed security services providers already have dedicated cybersecurity professionals with the necessary skills and can generally do a better job at a lower cost.
You should also read: