
Cyber security continues to be a hot topic. October was Cyber Security Month, and it was filled with conferences, academic discussions, and bold pronouncements by industry groups and individual firms. In my mind, we are forgetting a key element, and the one attempt to address it was lost in the noise.

This major disappointment occurred late in the month. A consumer security software company named AVG released a white paper that focused not on their products, but rather, on personal responsibility. Perhaps the public was tired of cyber security by then, perhaps it was just not “cool” enough; I just know it was completely overlooked.

We had a paper that called for a good education program, a wide-ranging training regime, and leadership on all levels. The purpose of the entire program was to improve the cyber personal hygiene of the American public. It was largely ignored.

This is unfortunate. We could clean up a majority of our cyber vulnerabilities if we could fix the incorrect behaviors of our public. Everyone uses cyber devices today (at least computers and cell phones), from small children to senior citizens. Their personal hygiene habits while using these devices create up to 70 percent of the cyber “openings” exploited by bad guys. These incidents occur on home computers, home wireless networks, and smart phones, and extend to work computers and mobile devices as well. The same bad procedures, lack of attention to detail, and slowness to protect with simple software fixes (most never get to it) plague us across the digital world.

That a company that sells software would call for education and good habits is laudable. There was little focus on software at all, and what was there was brand agnostic. They honestly seemed to want to improve behavior.

The bottom line is that we need a multilevel effort. It begins with awareness; the threat must be made real to the American people, but without claiming that the sky is falling. Next, we need detailed education available (mandatory would be better) on all levels, from the earliest through postgraduate. This also needs to continue and spread to our active work force. It has to go beyond a yearly training video and become a regularized, tested competency that is a business imperative. There should be wide use of good-quality basic defensive software (my emphasis, not AVG’s). People need to understand the need for this and get help in using it properly.

Operating system manufacturers need to get better at propagating their patches. They are better now than ever before, but more often than not, they are too late to prevent intrusion. Businesses need help fostering this. Banks should require defensive software (perhaps give it away!) as a prerequisite for online banking. Other organizations (online travel, online retailers) should do it as well. Businesses must step up to help. Lastly, the government should show leadership – national education campaigns as a virtuous use of federal power and reach. Let’s see them use it.

We need exactly the sort of campaign called for in AVG’s paper. The 29 May Presidential Report called for it, and experts all agree we should do it; where is it? The longer we wait to begin this process, the more vulnerabilities will be created and the more bad habits will develop. Industry should step up and lead this effort, as the government seems to be unable to shake off the cobwebs and get it done. America needs it and needs it now.

Dr. Steven Bucci is director of the Allison Center for Foreign Policy Studies at The Heritage Foundation. He was previously a lead consultant to IBM on cyber security policy. Bucci’s military and government service make him a recognized expert in the interagency process and defense of U.S. interests, particularly with regard to critical infrastructure and what he calls the productive interplay of government and the private sector.