The widespread use of recommended information security practices and updates is lacking in most industries in the United States and its allies, leading to some of these companies being attacked through cyberspace without even knowing it, Army Gen. Keith Alexander, the director of the National Security Agency and commander of the U.S. Cyber Command, said recently.

“Very few” companies are doing all that they can to filter out botnets, malware and viruses, and update security with the proper patches, Alexander said at a government symposium hosted by computer security firm Symantec [SYMC]. The exceptions include the banking industry and “higher end” portions of the defense industrial base, but “then you have some companies that are getting exploited and they don’t know what the threat looks like or what they should do, and some of those are in critical infrastructure,” he said.

There isn’t a lot of consistency within industries when it comes to strong cyber security practices, Jenny Manna, acting director of the U.S. Computer Emergency Readiness Team within the Department of Homeland Security, said during a panel presentation on protecting critical information technology assets. The financial sector has a lot of sophistication with cyber security, but even here there are companies that don’t do it as well as others, she said.

Alexander said the lack of consistent, strong security practices, coupled with the fact that many companies don’t know that they have been penetrated and are having intellectual property stolen from them, raises the question of how the government can help them. What the right forum is for government and industry to work together, and how they can partner to mitigate security gaps, is at the heart of cyber security legislation under discussion within Congress, he said.

Alexander said his biggest concern regarding the threat posed to U.S. and allied industries is the theft of intellectual property.

“Everybody is being exploited,” he said.