The U.S. Center for Disease Control and Prevention has its headquarters in Atlanta. Every time there is a major disease outbreak — or even concerns about one — the CDC makes headlines. It was at the center of the United States' response to the Ebola scare last year. More recently, it reported on the first apparent instance of the transmission of plague via dog to human. When there is a disease story making the rounds, the CDC is on the scene.
In a recent article for Forbes, Dave Lewis pointed out that the treatment of infectious diseases was an evolving but somewhat scattershot affair before the emergence of a centralized hub. When the Black Plague burst onto the scene in the 1300s, for instance, one of the reasons it was able to spread with such uncontrolled virulence was that there was no organized means of combating it. The disease ended up claiming the lives of millions.
Of course, medicine has evolved hugely since the 1300s. But it is not only vaccines and better treatment options that separate modern medicine from the Middle Ages. It is also the fact that we have a centralized infrastructure. The CDC serves as an organizing tool for disease research — a place where findings from a wide array of sources are amalgamated, refined and made actionable. With the clear parallels that exist between malware and infectious diseases, the question Lewis asked is this: Is it time for a CDC of malware?
Lewis Makes His Case
Can you imagine the Internet without Google? It is a difficult reality to conceive of, and yet once it was the case. When the Internet first emerged, there was no search giant indexing all of its pages. Instead, navigating the Internet was basically a big free-for-all. Now that Google is basically synonymous with computing, we can't dream of a world without it.
One day, this same scenario may apply to malware. That is, we will look back in shock at the disorganized way we approached the influx of malware, and say, "Well of course we were always getting attacked — we weren't organized!" Malware, as Lewis points out, has evolved by leaps and bounds since the inaugural strain, a 1988 infection called The Morris Worm, whose greatest threat was that it slowed down computers. Today, malware does not just slow down computers — it commandeers them, steals from them, wipes them clean. It does not just threaten individuals and businesses, but also critical infrastructures. So where is our malware CDC?
"Oddly, we don't appear to have arrived at that stage in the evolution of malware response," Lewis states, which he "find[s] ... rather confusing."
But just because a malware CDC does not exist yet doesn't mean it could not materialize in the near future. In order for such a development to take place, we'd likely need a few preconditions in place:
- Enterprises would have to agree to information sharing with the agency, so that the malware CDC could acquire as much timely threat data as possible. This company transparency would be vital in generating the composite picture of the threat atmosphere that the hypothetical center would need.
- Similarly, businesses offering antivirus solutions will need to engage in intelligence sharing with the organization in order to bolster the center's knowledge.
- The center will need to carry out large-scale recruitment efforts to reel in the best and the brightest in cyber solutions.
Having a Malware CDC Won't Absolve Businesses of Defensive Responsibility
If you are a business leader reading this article, you may be looking at it thinking that a malware CDC means your business won't have to worry about threat protection anymore. But that is the wrong line of thought. Just because the CDC exists, do you decide not to get vaccines — or wash your hands for that matter?
Were a malware CDC to arise, it would serve to augment — not replace — business cyber preparedness. Enterprises would still have a responsibility to take all the proactive steps toward solidifying a well-defended network, including:
- Implementing two-factor authentication: The password is becoming an increasingly flimsy means of protecting anything. With all the password breaches hitting headlines, it should come as no surprise that a password alone is not enough to guard your business. Two-factor authentication offers the additional identity-verifying wall your enterprise and its users need to keep out malicious intruders.
- Educating employees in cybersecurity best practices: One weak link can undo even the best enterprise security plan. And most of the time, that weak link will be an employee who does not know the best practices for business cybersecurity. If an employee makes an error, that's not on them — it is on you, as the business administration. For all organizations, it is imperative to educate all employees in the fundamentals of safe company computing, in order to prevent them from doing something like accidentally downloading a malicious file, which could make the entire business network vulnerable.
- Ensuring that mobile devices are guarded: So you have robustly secured every computer in the office. That's all well and good — but what about employees who use their mobile devices for work? Mobility is the way of the present and future in terms of boosting business productivity, but it also opens up the possibility for new attack vectors. This won't be a problem, however, if your business takes the steps needed to defend against mobile threats. By putting in place a robust mobile defense strategy, organizations ensure that the mobile devices that play such a pivotal role in day-to-day business are also defended with first-rate strength.
Hopefully a malware CDC will arise. But whether or not it does, companies need to remain on the defensive and remember that an overarching malware prevention center does not mean businesses should adopt any degree of complacence when it comes to security. At the end of the day, the fight against malware is something that requires energy at every level.