A recent survey of cybersecurity practices in American industries and organizations produced a disappointing, if not surprising result. The United States federal, state, and local governments rank the worst in cybersecurity when compared against seventeen major private industries, according to a report from security risk benchmarking startup SecurityScorecard.
In both the United States and Japan, government agencies have become infamous for spectacular data breaches and other hacks. This is surely part of the impetus for recent government announcements in both countries on improving cybersecurity for critical infrastructure and growing the pool of cybersecurity experts.
But while geeks monitor firewalls and OEMs push security patches, nontechnical people must also play a role in keeping their networks secure. Several of Japan’s prefectures and municipalities have appeared in the news recently as they provide non-technical training to their public employees on avoiding phishing, reporting suspicious activity or infection, incident response, and general computer hygiene. These local governments deserve praise for their initiative in securing the most vulnerable component of any information system: the end user.
Other government bodies in Japan and its ally, the United States, can learn from the initiative of the Aichi Prefectural Police and others actively conducting this kind of training. Both alliance partners have been the victims of high-profile failures of information security that could have been prevented by better end user training. Both Japan’s National Pension Service (NPS) and the U.S. OPM data breaches have been attributed to social engineering—tactics that require human intervention to succeed, like phishing. Furthermore, both countries seem to recognize the problem, as U.S. President Obama and Japanese Chief Cabinet Secretary Suga have both stated that they understand the importance of cyber hygiene and cybersecurity awareness for everyday citizens. But, while the problem has been identified, action to solve it has been lagging.
Trying to work around an assumed ignorant user is futile.
To take a step back, most cybersecurity strategies fail to address end users adequately. Most cybersecurity professionals focus on the software or hardware processing the information. They usually think of the end user as a nuisance, if they think of them at all. Unfortunately, “You can’t patch stupid” is a common refrain when it comes to the role of human users in avoiding security incidents. But trying to work around an assumed ignorant user is futile, even when appropriate measures are taken to mitigate the damage any one user can do. Instead, end users must be brought into the conversation about cybersecurity and trained to help prevent security incidents.
However, information security cannot be contained in the IT department or left in the hands of a select group of specialists. Everyone who uses a networked device is vulnerable, and so everyone must participate in maintaining security. When public figures talk about combatting cyberterrorism and protecting networked infrastructure, they may envision technical solutions with stronger firewalls, better encryption, and more stringent password requirements. But changes in culture and practices on an individual level are critical to ensuring the efficacy of these measures in preventing security incidents.
When public figures talk about combatting cyberterrorism and protecting networked infrastructure, they may envision technical solutions with stronger firewalls, better encryption, and more stringent password requirements. But changes in culture and practices on an individual level are also very important.
All the advanced software and hardware in the world will not prevent a breach, if the people in front of the screens do not use it properly. Training end users in how to use security tools—even if the “tool” is simply alerting IT to an issue—is necessary to ensure the effectiveness of information security policies. When the U.S. and Japanese government finally get serious about improving their cybersecurity stances, they will implement end user training and awareness campaigns as major components of their national cybersecurity strategies, as Mie, Yamaguchi, and other Japanese localities have done on a smaller scale. The United States and Japan both have a long way to go in improving their cybersecurity postures. This makes cybersecurity an attractive topic for U.S.-Japan cooperation. Some elements of Japan’s government seem to have begun tackling this issue head-on. It is time now for the rest of the country, and its ally across the Pacific, to follow their example.