Federal Government Needs a Digital “Smokey the Bear”

The conclusion of the July 2014 Insurance Industry Working Session:

[Image: Smokey the Bear, from the USDA.gov page]

OK, I admit the conference did not talk about Smokey the Bear for cyberspace very much, if at all.

Specifically:

“The Federal government may be in the best position to drive awareness and education about cyber risk and, by extension, ERM”
How did I come across this document today? Well, I was listening to, and reading the PowerPoint slides of, the Rapid7 Cyber Security Awareness Panel (requires registration): “Taking it to the C-Level and beyond”.
The arguments/statements are based on the following:
1. Why does security matter?
  The technical skills of the bad guys are lower now than before, as they do not need to be as good to get into the hacking business. The trend is toward lower and lower technical skills. The payoff is increasing, and the trend is for it to get higher.
  It seems that the Internet has also enabled the bad guys to create internetworks of cyber criminals and to get better every day.
2. Good detection and response is critical
3. Compliance does not equal security
Keeping control of your sensitive data is paramount: only keep the data you need, reduce liability, and save time and money.
Security is having a proper security policy, which helps drive the corporate culture and user education. A mobile workforce that adds their own devices (BYOD) increases risks. The security policy can drive corporate culture in a good way if done right.
Also keep in mind that vulnerabilities will happen: humans develop software, and mistakes will happen. As we all know, the second Tuesday of the month is “Patch Tuesday”, as instituted by Microsoft. Microsoft evolved into this Patch Tuesday as there were many patches coming out after 2000, and they noticed that more products needed patching, so the constant patching was helped with a sort of “regular” release schedule. As Microsoft went to the monthly patch schedule, the rest of the industry also started releasing patches on a similar timescale.
One interesting tidbit from the Rapid7 slide webinar was that some executives may not know that they could be personally liable for cyber security breaches.
Thus, after the C-level discussion, it was apparent that the cyber security industry is heading to where cyber insurance drives how much one should invest in cyber security. It is interesting to note that cyber risk assessments were not discussed, only that cyber insurance will drive the industry.
So then I found a July 2014 cyber insurance discussion by Homeland Security (DHS). Here the government thinks that the ability of private parties to help each other within a secured, almost anonymous setting is important, since no one wanted to disclose in detail what is actually happening on their network.
But one of the evident aha moments seemed to be that the government needs to tell small and medium businesses that there is a real need for cyber security done right. Out of that conversation there was a sense that it would be nice to have a digital “Smokey the Bear”.
[Image: Smokey the Bear]
Since it is always nicer to promote cyber security with an image 🙂