In September 2021, Tripwire released its annual report to examine the actions taken by the U.S. federal government to improve cybersecurity. The report also looks at non-government organizations so that we may catch a glimpse of the differing views and approaches of each, which makes for interesting (and revealing) insights.
The results of such surveys are also worthy of examination and discussion, as they are relevant to the United States and offer us an opportunity to examine our attitudes towards cybersecurity. If the UK Government is reading this blog post (‘hello to you!’), I would urge them to look at the lessons we can take from this survey and apply the same critical thinking to our own approach to cybersecurity. This is because there are undoubtedly similar opinions in the UK as there are in the United States. How can I know this for sure? Well, there’s no way of knowing for sure without conducting a survey in the UK, but anecdotally, the areas that the survey highlights are neither revolutionary nor earth-shattering to anyone within the industry.
The UK Government would do well to take on board the messages the survey has to offer. To ignore them could be detrimental to us all.
First, let’s recognize that the only standard that gains any real attention in the report is the National Institute of Standards and Technology (NIST) standard. But it's good to see that although half of the non-governmental organizations have not fully adopted NIST standards, half have. With 31% stating they (somewhat) follow the guidelines, 24% state they strictly follow the standard. Thankfully, only 3% asked, "What is NIST?"
This tells us that security standards are being adopted in organizations (government or non-government), with 66% reporting that NIST is either 'Extremely Valuable' (25%) or 'Very Valuable' (41%). Of course, the value of any standard such as NIST is its widespread adoption. Interestingly, the report says that one of the things the federal government should consider in ensuring the security of data and systems of non-governmental organizations is to enforce NIST standards outside the federal government (39%).
In the UK, Cyber Essentials has been a requirement for any organization working with the UK Government since around 2014. However, times have changed, and although the scheme is still relevant, most cybersecurity professionals are now (finally) recognizing that human behavior is just as important as technical security. Cyber Essentials does not factor in the ‘human firewall,’ while international standards like ISO27001 do. The UK Government would therefore do well to look more closely at this and other standards that require a broader understanding of human behaviors and requirements for certification.
Contrary to what many may think, security standards make the implementation of information security controls easier by providing a framework to follow. Almost like an instruction manual or a map that provides a route to a final destination, NIST gives structure and direction that can be followed.
Ransomware – Or Worse
It is difficult to write about cybersecurity threats without mentioning ransomware, and the report again highlights that ransomware tops the list of security concerns (53%), with vulnerability exploits (35%) and phishing (34%) coming in at a close 2nd and 3rd. Of course, we can only assume, but perhaps those who responded that ransomware is a security concern are those that have NOT adopted NIST. Would confidence be higher if organizations uniformly adopted a structured approach to security? The report breaks down who the concerned parties are, and it is interesting (and worrying?) to see that 83% of critical infrastructure stated they were concerned. That's compared with 60% of non-government bodies and just 28% of the federal government.
I believe this tells us something we have known for a long time: critical infrastructure is complex and urgently needs investment to protect it and us. Worryingly, this hasn't happened uniformly. If we look at the results of the question related to making progress in meeting the requirements of an Executive Order on cybersecurity, 49% have made significant progress, and 50% have made 'some' progress. Again, we can only assume that the lack of confidence of facing ransomware is due to a lack of significant progress by more than 50% of respondents.
Ransomware certainly grabs the leadership team's attention, and the survey highlights that security discussions are dominated by concerns about ransomware (77%). But perhaps more worrying is that 83% of respondents feel that ransomware is bad but expect something worse is coming!
When the virus ‘WannaCry’ hit the UK in 2017, the impact on the NHS was dramatic. According to the report by the report created by the Department of Health (April 2018), WannaCry affected at least 80 out of the 236 trusts across England because they either suffered an infection or turned off their devices or systems as a precaution. A further 603 primary care and other NHS organizations were also infected including 595 GP practices.
Since 2017, it is unclear how much investment has been made in the NHS to improve their cybersecurity or IT capabilities. And we have just experienced one of the most draining periods (on the NHS) that we have ever experienced. The question has to be asked (and answered) by the UK Government. What would a ‘WannaCry 2.0’ attack look like on the NHS following or during a pandemic?
An exciting aspect of the survey is the focus on 'Zero Trust Architecture (ZTA),' with almost all respondents in agreement that zero trust will improve security outcomes (97%). But before continuing, it's worth being clear about what is meant by zero trust.
Zero trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization's network architecture. This involves maintaining strict access controls and not trusting anyone by default, for example – even those already inside the network perimeter. Therefore, everything trying to gain access or make any changes must be verified before it can do anything. Zero trust is not about making a system trusted but instead about eliminating trust. This is a step-change and requires further investment in understanding the underlying architecture and systems.
The report highlights this when 50% state that integrity monitoring is foundational to successfully implementing zero trust and 43% state that it is 'somewhat' important. The question that wasn't asked is as follows: "How confident are you in your integrity monitoring solutions?"
This final question should be broadened and asked of the UK Government – "How confident are you in your integrity (trust) of the UK business community to implement security measures adequately? How confident are you in the national infrastructure to repel any form of attack?"
Conclusion – Gaining Confidence
This highly accessible report should be required reading in the United States but also by the UK Government and our own organizations. We should be considering the lessons that the report has to offer and ask what this means to us. If the answers leave you with gaps, then those are windows of opportunity for cybercriminals to climb through. We need to look at zero trust, standards, and frameworks to help improve our security. And security is about people, process, and technology.
You can follow Gary on Twitter here: @AgenciGary
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.