Cyber security threats are increasing, and the solution either isn’t known or is very poorly communicated to those who can actually make a difference. The latter is my assumption and the topic of this article.
No matter how many resources the authorities have, no matter how technologically advanced they are, if the focus is wrong, the problem will only get worse. Worse, because massive amounts of money and time will be spent without a solution, and the problem will simply keep growing as it would have otherwise.
I don’t presume to know the true agenda of the responsible authorities, except to say that whatever it is, it includes defence.
There are thousands of servers, workstations and IoT devices existing in businesses and homes which are designed to provide a service to someone or something. The number of these systems is increasing. The services that these systems provide are not usually primarily intended to enhance security. Firewalls, proxies and the like are exceptions and in the minority. The vast majority of these systems are phones, laptops, workstations, servers and, increasingly, IoT devices.
These systems are connected to the Internet and, broadly speaking, share common vulnerabilities. For example, my phone can be infected with a virus just like my workstations. My Smart TV can become part of a botnet just like a server. These devices are a threat vector to bigger targets – an avenue exploitable by an attacker to achieve their goal. This important point needs to be understood by those responsible for providing the solution. Given the large number of systems deployed in the public, and that we expect that number to grow rapidly, one could reasonably conclude that the threat vectors will increase at a growing rate.
The focus of attention must be on the small and many. It is the personal devices, the small business computers and the IoT devices that need attention. It is not sensible to expect any agency or authority to assess these systems, nor should they. It must be the responsibility of those who actually design, build and implement these systems to manage their security impact.
The solution is to ensure a minimum standard based on security fundamentals: enough to prevent the vast majority of threats and make life harder for an attacker. If attackers need to spend more time achieving their goals, they will achieve less and the size of the problem will be reduced.
Consider the effect of keeping a scammer talking on the phone for as long as you can. While they’re talking to you, they aren’t talking to someone else who’s more vulnerable to the attack.
It must be the responsibility of the general IT service provider to ensure a minimum standard of work with regard to security for small businesses and home users. It must be the responsibility of manufacturers to develop secure IoT devices. Consider it a voluntary standard of compliance, a standard of compliance recognisable to the general public.
I’m not going to outline what a minimum standard would look like, as that should be done through industry discussion. A significant ongoing process must ensure the minimum standard is in the minds of the public. It is not important that the standard is known in detail by the general public, but that its existence is known. I don’t know what it means to be a CPA accredited accountant, but I know it is significant and I know to ask for it. When the general public know to ask the question “Are you a ‘General Security Standard’ accredited IT service provider?”, then we’ll see an improved security baseline across the country.