Avoiding Cybersecurity Complacency
Security Index Falls to Lowest Point in Years
Americans are not overly concerned about their own cybersecurity - according to Unisys' latest security index - yet CISOs can't become overly complacent, says the company's Steve Vinsik, who analyzes the latest index results.
The Unisys Security Index for the first half of 2013 stands at 120, the lowest level since the information systems integrator began tracking Americans' attitudes toward security in 2007.
That relative optimism comes at a time of high-level security incidents, from distributed-denial-of-service attacks targeting American banks to a breach of South Carolina's tax system. The study was conducted before National Security Agency systems analyst Edward Snowden leaked information about top-secret intelligence-collection programs.
"People are not really experiencing the impact of those broader cybersecurity attacks," Vinsik says in an interview with Information Security Media Group [transcript below].
Vinsik attributes that low level of concern to an increase in cybersecurity awareness campaigns. He also says the level of security around online transactions has improved. "As long as we continue to go down that path and stay with being able to allow the end user to have that increased security, the CISOs of the world can breathe a little easier," Vinsik says.
But he cautions that CISOs can't be complacent as security incidents mount. "We need to pay more attention because you're seeing more coordinated cyber-attacks that are looking for those kinds of big-bang hits," he says.
In the interview, Vinsik also discusses:
- Why the index is at an all-time low;
- Factors that make up the index;
- Americans' perceptions of their own personal security.
Vinsik is responsible for Unisys' global enterprise security portfolio, which includes solution engineering, marketing strategy, delivery and relationship management for technology and services partners. Over the past 18 years, Vinsik has led field operations teams that conduct research and development, application development and systems integration for information security programs that span biometric and surveillance technology integration; command and control application; secure cloud solutions; security architecture; physical security and cybersecurity; and information systems domains.
Concern over Cybersecurity Falls
ERIC CHABROW: Unisys has been putting out the security index since 2007, and it's at its lowest level ever. With President Obama speaking publicly about the cyberthreat, including in his State of the Union address, there's so much news in the mainstream media about DDoS attacks against banks, the Chinese infiltrating key government, military and corporate networks to steal secret weapon designs and intellectual property. Isn't it strange that concerns about security are at their lowest level?
STEVE VINSIK: It's really quite amazing. ... The survey covers national security, financial, Internet and personal security, and, within that, obviously cybersecurity is one of the main areas that we focus on. If we look back over the last couple of surveys, the level of concern in the United States has dropped to its lowest level ever recorded. What we've seen is a pretty big shift over the last two years around security concerns and I attribute that to a couple of different things, [one being] the tremendous amount of awareness campaigns that have occurred over the last couple of years around cybersecurity issues and how to conduct transactions more securely online. The other is a lot of the visibility around the big cyber-attacks that have occurred and what the impacts are of those from a broad perspective. But I think what we're seeing is down at the individual level, people who are not really experiencing the impact of those broader cyber-attacks. They're not feeling it personally and so, with the increased awareness and the threats that they're seeing, it's just not something that's affecting someone at a very personal level right now.
Familiarity and Concern
CHABROW: When I read the results, it seems there's a correlation between familiarity and concern. For instance, as more people use online shopping and banking, their concerns about security are falling.
VINSIK: I think that's right. To your point, they're more comfortable with conducting transactions online. They understand the process. They know it requires certain passwords and they're comfortable with a history of working with certain vendors online that they haven't experienced any kind of cyber-attacks against them or stolen identity against them, so they're more comfortable in conducting transactions. We're seeing that level of "a lot of the organizations are doing the right things about security so I'm comfortable sharing my information with them."
False Sense of Security?
CHABROW: Is that lulling, say, chief information security officers at businesses and government agencies these people deal with into thinking that they're providing adequate IT security?
VINSIK: Right. That's the issue that we're looking at here. Everything that the government is doing today or the commercial sector is doing today around cybersecurity and protecting people's identities online - is it enough? Obviously, we're seeing a lower concern level from the citizens who responded to the survey, so you kind of correlate that back to maybe we're doing all the right things we need to.
I think we have to look at it from two different perspectives. One, there certainly is a level of security that has been enhanced for conducting transactions online where the web servers are more secure. The way that we conduct transactions with the need for strong passwords - sometimes you have to have a secondary password or a pass code that gets sent to you in order to complete that transaction, or it verifies your e-mail address or phone number - all those features and functionality to increase security, that stuff has worked. As long as we continue to go down that path and stay with being able to allow the end user to have that increased security, the CISOs of the world can breathe a little easier on that side.
But the threat remains and it's very real back within government organizations and commercial organizations that want to do business with consumers, and that's around protecting the data that's within their data center. What happened to that personally identifiable information once it leaves from that transaction from the end-user and then gets stored into a database or into a system back in a data center somewhere or to a cloud infrastructure? That, I think, is where we need to pay more attention because you're seeing more coordinated cyber-attacks that are looking for those kinds of big-bang hits. They're looking to get a lot of information at once, instead of going after the person one at a time.
CHABROW: I wonder whether a general feel-good attitude people have can be reflected in their attitudes towards cybersecurity, and by that I mean about half your respondents say they're seriously concerned about other people obtaining or using their credit/debit cards. But that's still lower than how respondents felt in 2011-2012. The number of respondents who say they're seriously concerned about meeting their financial obligations, about one-third of the 2013 survey, is at a three-year low. Is there a correlation between how people view their own financial circumstances or the nation's economy and how they see IT security?
VINSIK: I think there is as well. One of the most interesting questions and results there is the last one that you touched on around the ability to meet an essential financial obligation. The trend over the last three years is it's just dropped significantly from close to 50 percent that were extremely concerned around meeting their financial obligations back in 2011, to today where it's roughly 30 percent or so that are concerned. [There's] a tremendous drop in that and I think it's that sentiment that goes along with it. I'm more comfortable in my situation and I don't have the security concerns from different angles that are coming after me. If you have a lower level of concern about financial security that correlates back into, "Do I have lower levels of concern around personal theft of my credit card," then you combine those together and you get a general sense of, "I'm doing okay." If you had all of a sudden maybe a spike in a health epidemic that came out, you would see an increase in concern about health epidemics - for example, a new type of SARS or something else that comes out - what we would see is probably a trend towards a greater level of concern around other parts of the security in our lives, around cybersecurity included.
CHABROW: Is there anything else you want to point out about the survey, any fact that interests you that you think our listeners should know about?
VINSIK: One of the really interesting facts here is around the personal security that we have. We conducted this survey just prior to the Boston Marathon bombing attack, and what we decided to do was go around and do a second survey just for that one question around national security concerns immediately after the Boston attack to see what was the difference. This way, we could just judge if there's a sense of complacency that's in place where people are just not as concerned anymore because something hasn't happened. With this incident that occurred, did that impact the way people's perceptions were around their personal safety and national security?
What we found was there was really no change in people's perceptions. We conducted our initial survey in early March and then we conducted the second follow-up survey on this April 26. The Boston Marathon bombing occurred April 15. What we saw though was there was really no change. Around 45 percent of the population was still seriously concerned about national security issues and it didn't significantly change before that bombing or after it. It's not necessarily just a complacency issue that's in play here because something hasn't happened. It's more to the credit of how the response was to this Boston Marathon bombing, how quickly we were able to find out who did this, control the scene, and there wasn't a great aftermath afterwards. People feel that there's more being done around security, and because of that they're feeling more comfortable that we're taking advantage of the security features and functions that the government has put in place to help protect us.
CHABROW: Do you think those feelings are justified?
VINSIK: We always need to remain vigilant. The U.S. government has done a tremendous job in being able to increase the level of security and thwart a number of terrorism attacks that could have happened over the last couple of years. The government is doing a lot of great things in this space, especially around the analysis of all the data that's out there to help be a little bit more predictive. The government and the systems that we're implementing today are helping us to get to more of a predictive capability to detect threats.
Then, when something happens, we have all the systems and technology in place to rapidly pull together to a command environment and identify what the real threat is at the time of that incident. In that respect, it's justified. But it's important that we still maintain that vigilance and don't get too complacent with it because, again, at the end of the day it's about people being able to detect behavior that just doesn't quite seem right and be able to alert people to let them know about it.