Enable breadcrumbs token at /includes/pageheader.html.twig

CISA Aims To Change Human Behavior for the Better

A study showed lack of basic cyber hygiene and emphasized CISA’s vital role in protecting the most vulnerable communities.

University of Wisconsic students engage in a tabletop exercise facilitated by the Department of Homeland Security and CISA. Photo by Wisconsin National Guard.

As the level of sophistication rapidly grows within the digital world, everyday activities require an increased level of security, especially in the cyber domain. While modern technologies create opportunities for a safer environment, they concurrently allow opportunities for bad actors with malicious intent.

“Clearly there’s an international nexus of this, with China, Russia, Iran and North Korea,” Robert Nadeau, partnership branch chief for the Cybersecurity Infrastructure Security Agency (CISA), told members of AFCEA International’s Homeland Security Committee during their December meeting. The agency, according to Nadeau, works very closely with international partners to create robust information-sharing mechanisms to mitigate threats.

“Any disruption has potential for cascading impacts,” he said. Currently, CISA is focusing on the more vulnerable communities at risk: K-12, healthcare, water wastewater and elections. “As we’ve seen, the impacts on these sectors have significant ramifications for both the services they’re providing but also on their customers, their vendors, their employees, on patients, on school officials and students.”

Just weeks ago, Iranian-backed cyber attacks targeting the U.S. Water and Wastewater Systems Facilities—due to their use of Israeli-made industrial control systems—demonstrated the crucial need for preparedness. Working alongside the Federal Bureau of Investigation and the National Security Agency, CISA ensures awareness of resources to help reduce risk and take appropriate action against future attacks.

To fill in the missing pieces, CISA conducted a research study to better understand the general population’s thoughts on basic cybersecurity requirements. “A couple of interesting things came out,” Nadeau stated as he listed the following findings:

More than 50% of respondents use their electronic devices at least four hours per day.
63% of those surveyed keep software updated.
34% have automatic software updates enabled.
35% have complex passwords.
26% use password managers.
24% use multifactor authentication.
36% refer to family and friends for cybersecurity advice.
38% use repeat passwords.
And 58% of people still write all their passwords down on paper.

"People find it difficult to take the four actions [using password managers, watching out for phishing, enabling multifactor authentication and updating your software] that we are constantly pushing during Cybersecurity Awareness Month,” Nadeau stated. “As technology continues to increase and improve, there’s going to be new ways that these attacks take place.”

No-click-phishing attacks, for example, have recently entered the threat landscape. “You just get the text or email, and you don’t even have to click on the link anymore,” Nadeau said. Simply opening the email, he explained, will cause substantial harm.

Additionally, Nadeau told the group that his team recently met with the World Institute on Disability. “Can we really assume that everybody has equal ability to implement those actions?” he asked. The feedback is helping implement changes to make cybersecurity practices most accessible to all groups.

Of note, the newly launched Secure Our World cybersecurity readiness program rolled out on September 26 to help change human behavior toward safer cyber hygiene. Being secure by design is key, Nadeau emphasized.