Common Sense Is Key To CybersecurityCommon Sense Is Key To Cybersecurity

A user's own common sense may be the best defense against cybervulnerabilities within companies and at home. That was one of the clearest messages to emerge from a House Government Reform Technology Subcommittee hearing Wednesday to review government and industry's efforts to raise cybersecurity awareness.

Legislation such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act help the cause of cybersecurity by communicating to businesses that the government is serious about improving the security of data, Federal Trade Commission commissioner Orson Swindle told the subcommittee Wednesday. "But it will take competitive pressures as well as legislative pressures to get companies to provide adequate cybersecurity," Swindle said. "Legislation alone will not solve this problem. By the time legislation is passed to solve one problem, there will be a new problem."

Swindle and Amit Yoran, director of the Homeland Security Department's National Cyber Security Division, noted at the hearing that there are several basic measures companies and individuals can take to combat cybervulnerabilities and identity theft. One is as simple as shredding documents with names and other important information. Another is to install firewall software between a private or business network and the public network. Still another is for individual users to think before opening suspicious E-mail and attachments.

"These simple steps can save companies a lot of grief," Swindle said. "Creating a culture of security is a journey and not a destination, and leadership is essential."

While identity theft has grown into a serious problem--Swindle said about 27 million people over the past five years have experienced some form of identity theft--the most-efficient way to combat this problem is to educate people about practices such as phishing and carding, where identity thieves deceive consumers into disclosing their credit-card numbers, bank-account information, Social Security numbers, passwords, and other sensitive information.

Businesses and government agencies continue to be burned by their inability to protect their own information, as well as information about their customers. Most recently, Tower Records agreed Wednesday to settle charges from the FTC that a flaw in its online checkout system exposed customer information in violation of the company's own security and privacy statement on its Web site.

And after a long battle with the Federal District Court for the District of Columbia, the Interior Department continues to be unable to prove the security of its Indian Trust Asset and Accounting Management System, designed to manage trust-fund money owed to American Indians for the government's use of their land. On Dec. 5, 2001, U.S. District Judge Royce Lamberth ordered the shutdown of all the department's computers with Internet access and all of its computers that could access the Indian trust system. Although Internet access has been restored to a portion of the department, this overall cybersecurity issue remains unresolved.

Cybersecurity is more a question of culture and process today than a question of resources, says Payton Smith, manager of public-sector market analysis for research firm Input. While the federal government allocated $1.3 billion to cybersecurity in 2001, that figure is expected to grow to $4.2 billion this year and climb to $6 billion by 2009. In addition, the Office of Management and Budget requires all agencies requesting federal funds to identify the percentage of that money that will be allocated to cybersecurity.

Companies and individual users must be properly educated about online threats to their privacy and the security of their data. Although it's easy to bombard users with so much information that they tune out good advice, said Rep. Adam Putnam, R.-Fla., the subcommittee's chairman, "it's difficult to overstate the timeliness and importance of such measures."