Plan aims to strengthen network security

A federal plan indicates that 80 to 90 percent of cybersecurity failures are due to human and organizational shortcomings.

Local officials say one way to shore that up is third-level security identification when a user enters a computer network.

President Barack Obama this week released the Federal Cybersecurity Research and Development Strategic Plan to aid cybersecurity efforts. The plan was developed following the adoption of the Cybersecurity Enhancement Act of 2014, which the president signed into law in December 2014.

Gordon Johnson, chief information technology officer at Western Kentucky University, applauds the federal initiative because federal computer systems are “way behind” regarding cybersecurity. 

“They are woefully out of date,” Johnson said.

One thing needed at the federal level is what is called multi-factor authentication – a third authentication besides a username and a password – he said. The process can include either a text message to the user on a smartphone or an email that includes an additional ID designation.

Johnson said hackers obtain usernames and passwords through a process called phishing – when users are lured into visiting a malicious URL designed to look like a website that they can trust.

“WKU is moving to requiring the third authentication factor. That essentially adds a very secure layer to the systems,” Johnson said.

He added, for example, that if the federal Internal Revenue System adopts the third-factor approach, there could be a reduction in fraudulent tax returns.

Johnson said the federal government also needs to standardize federal cybersecurity law, rather than having different standards at numerous federal agencies. 

“We have to have a more centralized approach and control within the federal government,” Johnson said.

Kentucky adopted House Bill 5 in January, which sets up specific protocols for when a data breach is discovered. Data breaches at all levels have been reported in recent years in private industry.

Robbie Forsythe, director of technology for Warren County Public Schools, said there must be a balance between the security need for the data, user access to the data and the cost.

“Visualize a building with the data inside,” Forsythe said. “We could make it the most secure building, triple-locked, special doors, but if the cost associated with that building doesn’t balance with the potential misuse of data” then the balance isn’t attained.

“It is the obligation of all employees to protect the security and integrity of all data under their control,” according to the school district’s District Data Management Procedures Guide now in force.

The Council of Better Business Bureaus joined with the National Cyber Security Alliance on Tuesday in supporting the federal plan.

“We are especially grateful to see emphasis being placed on supporting small businesses, which are so often the target of hackers and other cybercriminals,” said Mary E. Power, president and chief executive officer of CBBB, in a news release.

The federal plan recommends research into federal cybersecurity priorities and strengthening incentives for public and private organizations to broaden participation in cybersecurity development.

Also recommended is turning research results into adopted technologies.

The plan also noted that the 2015 Mandiant data breach report shows “the median time that adversaries were present on a victim network before they were discovered was approximately six months,” adding, “the actual situation is worse, because this doesn’t include breaches that were never detected.” An adversary is someone trying to hack the network.

The Mandiant data breach report, titled “M-Trends: A View From the Front Lines,” noted that hackers are now front-page news and have been for some time, making cybersecurity a prime issue for business boardrooms.

“In the first few weeks of 2015 alone, the issue was a pillar of the U.S. president’s State of the Union address, the plot of a big-budget film and the opening punchline of Hollywood’s Golden Globe awards broadcast,” the Mandiant report noted.

Hackers will try to illegally enter computer networks “as long as they perceive that the potential results outweigh the likely effort,” the federal plan noted.

The government plan determined that computer users across America will “circumvent cybersecurity practices that they perceive as irrelevant, ineffective, inefficient or overly burdensome.” It also noted that as technology connects with both the physical and cyber worlds, “the risks and benefits of the two worlds are interconnected.”

The federal plan noted that currently it takes more to prevent a computer attack than to devise one.

— Follow business reporter Charles A. Mason on Twitter at twitter.com/BGDNbusiness or visit bgdailynews.com.