Cybersecurity Without Insanity? It could be as simple as 3 – 2 – 1…
This week: $300k for not keeping software up-to-date, and the need to consider the human element in our security strategy. We ain’t clueless – We’re just overwhelmed.
3 – Don’t write checks that your ass can’t cover
A website developer has agreed to pay almost $300,000 to settle allegations that it failed to update the software used on a US federally-funded website.
As mentioned by Secure The Village recently, a website was developed by Jelly Bean Communication Design LLC for the Florida Healthy Kids Corporation, which offers health and dental insurance for children in the US state of Florida. Apparently, Jelly Bean “knowingly failed to properly maintain, patch, and update the software systems” used on the website, which was then attacked in December 2020. The attack resulted in the theft of personal data relating to 500,000 insurance applications. More details on the case are provided in this US Department of Justice press release.
It’s a reminder that contractual obligations are not just words on a page.
2 – It’s not a mistake. It’s a learning opportunity.
“To improve security, the cybersecurity industry needs to follow the aviation industry’s shift from a blame culture to a “just” culture [..] In a just culture, errors are viewed as learning opportunities instead of moral failing, creating transparency and enabling constant improvement.”
This is according to Serge Christiaans, the director of the Information Systems Audit and Control Association (ISACA) and recently quoted in The Register. Unfortunately, Christiaans says that “he is yet to come across a company that had implemented open reporting without punishment in cybersecurity”.
1 – There’s nothing to learn. We’re just clueless.
“Cybersecurity specialists are skilled, dedicated professionals who perform a tremendous service [but their] heavy dependence on technology to solve security problems can discourage them from adequately considering the human element, which plays a major role in effective, usable security.”
This is according to Julie Haney, who works for the US National Institute of Standards and Technology (NIST). As recently mentioned by Secure The Village, Haney’s findings are described in this NIST article (which is also summarised in a handout here). It details a number of incorrect assumptions made by security professionals. It probably comes as no surprise to non-techies that many “security professionals” assume users are clueless. In reality, they are probably just overwhelmed and suffering from security fatigue.
How anyone could be fatigued by the fascinating world of cyber security is beyond me*.
* yes, I am being sarcastic!