Large enterprises may be under cyberattack, but at least they have the resources, in theory at any rate, to defend themselves.
Both outside and inside government, it’s a different story for smaller organizations, an audience at George Washington University heard this week.
‘With the mid tier, forget about it,’ said veteran cybersecurity executive Scott Kaine, addressing the network security posture of most small and medium-sized critical infrastructure owners and operators.
He said many lacked the resources to properly defend their own infrastructure. ‘That’s where, whether it’s DHS or the National Guard, we need the cavalry,’ he told the GWU Center for Cyber and Homeland Security annual conference Tuesday.
Other panelists agreed. Kristen Todt, recently named executive director of President Barack Obama’s new Commision on Enhancing National Cybersecurity, said the panel would be taking an approach to critical infrastructure that encompassed ‘the small, the medium and the large.’
‘If you look at where the risk resides,’ she added, ‘It’s not always with the top tier.’
Kaine, CEO of penetration testing and security services firm Delta Risk, added that the problem wasn’t confined to the private sector. ‘In the public sector, we see the smaller agencies and departments … also need help.’
In part for that reason, noted Eric Goldstein, advisor to Homeland Security Assistant Secretary for Cybersecurity Andy Ozment, the government was moving to an approach where the focus was the systems, the data, the other assets ‘where the consequences of a breach are greatest.’