Cybersecurity Awareness Month turns 20
October, as you might have noticed, is Cybersecurity Awareness Month. Now in its 20th year, the initiative aims to bring the public and private sectors together to raise awareness about the importance of cybersecurity.
As always, industry experts are keen to use the event to offer their views on the security landscape; here we round up some of their comments.
Andrew Hollister, CISO and VP Labs R&D at LogRhythm, says, "Each year, Cybersecurity Awareness Month serves as a valuable reminder of the critical importance of fortifying our organizations' cybersecurity posture in an increasingly interconnected world. This year, Cybersecurity Awareness Month's focus is on four key behaviors: enabling multi-factor authentication, using strong passwords and a password manager, updating software, and recognizing and reporting phishing attempts -- all essential practices in safeguarding against cyberattacks. Our growing reliance on digital technology within the business landscape is accompanied by escalating threats and vulnerabilities that pose significant risks to sensitive data, financial stability, and even national security."
Christopher Cain, manager, threat research at OpenText Cybersecurity, says, "One of the biggest misconceptions about cyber-attacks among employees is a resignation or fear that attacks are inevitable, especially when we continually see headlines reporting on giants, like MGM, falling victim. The truth is only a select few cyber-attacks are technically complex and even those typically rely on some amount of human error. While there is no one 'simple trick' that we can teach employees, ongoing education through security awareness training, a little common sense, and even a healthy dose of paranoia can make a world of difference. If everyone took the time to be cautious about things like emails, passwords, typos and access, many attacks could be avoided. It's the basics that we continually forget -- inspect email headers, never click on links in emails or open attachments unless you're certain they are safe. And of course, keep passwords complex and updated even for personal accounts and whenever possible enroll in multi-factor authentication. Lastly, avoid overthinking and simply take responsibility for what you can control."
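Cain's advice to inspect email headers is easier to follow with a concrete checklist. The script below is an added example, not code from the original article or from OpenText: it parses a raw message with Python's standard `email` module and flags the indicators a reviewer would look for first: a Return-Path or Reply-To domain that differs from the From domain, SPF/DKIM/DMARC failures recorded in the receiving server's Authentication-Results header, and HTML links whose visible text names one host while the href points at another. Both messages embedded in it are constructed for illustration; the domains, addresses and IP addresses in them are made up, and the anchor scan is a simplified regex rather than a full HTML parser.

```python
"""Inspect e-mail headers and links for common phishing indicators.

Added example. The two messages below are constructed for illustration;
every domain, address and IP in them is made up.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, List
from urllib.parse import urlparse

# Constructed phishing sample: look-alike domain in Reply-To, bounce address on
# an unrelated domain, failed SPF/DMARC, and a link whose text hides its target.
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-delivery-service.example.net>
Received: from mail-delivery-service.example.net (203.0.113.10) by mx.corp.example.com
Authentication-Results: mx.corp.example.com; spf=fail smtp.mailfrom=mail-delivery-service.example.net; dkim=none; dmarc=fail header.from=example-bank.com
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: support@examp1e-bank.com
To: alice@corp.example.com
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://203.0.113.44/login">https://www.example-bank.com/login</a> within 24 hours.</p>
</body></html>
"""

# Constructed legitimate sample for contrast: aligned domains, all checks pass.
CLEAN_EMAIL = """\
Return-Path: <alerts@example-bank.com>
Authentication-Results: mx.corp.example.com; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com; dmarc=pass header.from=example-bank.com
From: "Example Bank" <alerts@example-bank.com>
To: alice@corp.example.com
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement is available in the app.
"""

FAILING_VERDICTS = ("fail", "softfail", "permerror", "temperror")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header value, or '' if none."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def parse_auth_results(value: str) -> Dict[str, str]:
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header (RFC 8601)."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value)}


def anchor_mismatches(html_body: str) -> List[str]:
    """Flag <a> tags whose visible text is a URL on a different host than the href.

    Simplified regex scan for illustration; production code should use an HTML parser.
    """
    findings = []
    pattern = r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>'
    for href, text in re.findall(pattern, html_body, re.I | re.S):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text.strip()).hostname or "").lower()
        if href_host and text_host and href_host != text_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


def inspect_email(raw: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    findings: List[str] = []
    from_domain = _domain(msg.get("From", ""))
    return_path = _domain(msg.get("Return-Path", ""))
    reply_to = _domain(msg.get("Reply-To", ""))
    if return_path and return_path != from_domain:
        findings.append(f"Return-Path domain {return_path} differs from From domain {from_domain}")
    if reply_to and reply_to != from_domain:
        findings.append(f"Reply-To domain {reply_to} differs from From domain {from_domain}")
    verdicts = parse_auth_results(msg.get("Authentication-Results", ""))
    if not verdicts:
        findings.append("no Authentication-Results header: sender authentication not evaluated")
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) in FAILING_VERDICTS:
            findings.append(f"{mech} {verdicts[mech]}")
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        findings.extend(anchor_mismatches(html_part.get_content()))
    return findings


if __name__ == "__main__":
    for label, raw in (("phishing sample", SAMPLE_EMAIL), ("clean sample", CLEAN_EMAIL)):
        print(f"{label}: {inspect_email(raw) or ['no findings']}")
```

Run it as a script to see the five findings for the constructed phishing sample and none for the clean one. The Authentication-Results check only means something when the header was added by your own receiving mail server; a sender can forge one, which is why mail gateways are configured to strip inbound copies of that header before adding their own.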
A recent report revealed that just 52 percent of employees report cyberattacks, with nearly half of those employees citing 'fear of repercussion' as the main driver behind keeping scams a secret. Fear should never be a reason for cyberattacks to run rampant in an organization. As we observe Cybersecurity Awareness Month, we should discuss the importance of creating an open and supportive environment for employees who fall victim to cyberattacks.
To achieve this, organizations need an approachable security team or SOC that encourages vulnerability and transparency. If an employee is phished or encounters a scam, they should feel comfortable consulting their security team and their requests for help or guidance should be welcomed. At the same time, employees must take an active role in supporting their organization's security by participating in cyber risk training and monitoring for potential scams. By having an approachable security team focused on inclusion, organizations can create a culture of hyper-security awareness, combined with a community dedicated to security collaboration to protect against today's evolving threats.
Jeff Johnson, manager, security operations at MorganFranklin Consulting Cybersecurity, recommends creating a separate network for smart devices, "As a cybersecurity expert, I often advise individuals to establish two separate Wi-Fi networks in their homes: one for 'smart' devices and one for personal devices like laptops and PCs. The reason behind this recommendation is simple: 'smart' devices, especially those no longer supported by manufacturers or from companies that have ceased to exist, can pose security risks. These devices often lack security updates, making them vulnerable to cyber threats. By creating separate networks, you can effectively isolate these devices from your personal information on your PCs. The good news is that many modern routers support multiple networks, including a guest network, making it a relatively straightforward setup. This simple precaution can significantly enhance your home network's security, protecting your personal data and devices from potential vulnerabilities associated with 'smart' devices."
Matt Tuson, general manager, EMEA at LogicMonitor, expects to see a shift in defensive thinking:
Over the last two decades, the field of cybersecurity defence has flourished into an advanced, diverse field. However, I think that we will soon see a real evolutionary step take place, which takes us beyond just manning the barricades against digital foes. Businesses are learning that, regardless of whether downtime comes from adversarial attacks or internal technological failures, the bottom-line impact is much the same, and what really matters is getting back to a state of health as quickly and smoothly as possible.
A digital immune system (DIS) approach, built around a mindset which is more agnostic as to the source of problems and more unified in its focus on recovery, will come into focus as a better way of organising teams and technology to create valuable outcomes. The good news for those who have spent years building cybersecurity expertise is that this change will put them closer to the heart of business value. Everything we have learned about resilient systems, designed redundancy, and human psychology will become relevant to business thinking more broadly. Together with more unified data practices and AI tools to action that data, the digital immune system is going to shift the goalposts from the well-defended enterprise to the self-healing enterprise.
Josh Bartolomie, VP of global threat services at Cofense, thinks it's important to focus on the human angle, "Contrary to the belief that technology alone can eliminate vulnerabilities, it is essential to recognize that your workforce constitutes one of the most important lines of defense. They play an indispensable role in guarding against cybersecurity attacks and compromises. Organizations need to invest in their employees, imparting not just the ability to recognize suspicious activity but also to foster a culture where reporting such concerns and incidents is encouraged and even incentivized. Additionally, in cases where threats manage to elude employee vigilance, Security Operations Center (SOC) teams must possess the capability to identify, trace, and neutralize these risks swiftly and efficiently."
This is echoed by Carla Roncato, vice president, identity at WatchGuard Technologies, "As we observe the 20th anniversary of Cybersecurity Awareness Month, one thing is certain: attackers know that the easiest path to compromise an organization is through human error and social engineering. In fact, the human element is consistently ranked as one of the top factors driving breaches year after year. According to the Verizon 2023 Data Breach Investigations Report, 74 percent of breaches involve the human element -- which is why verifying access requests with multi-factor authentication (MFA) is a necessity for everyday protection. Password-only authentication is not just inadequate, it's antiquated. The number of stolen credentials available for sale on the dark web surpassed 24 billion last year; for those keeping track, that's three credentials per human on the planet. No one is immune. Sadly, the Dark Web Price Index shows stolen credentials can start as low as $1, with average prices only going up from there for a broad range of specific categories and options. Compared to the cost, disruption, and overall negative business impact of a data breach or ransomware attack, MFA is not only incredibly affordable but easily worth the effort to implement. #MFAeveryday."
Jeff Reich, executive director of IDSA, says:
So far, 2023 has shown us that all it takes is one compromised identity to have a huge effect on the targeted organization, the industry vertical, and society at large. And year after year, the IDSA’s research demonstrates that it takes more than a strong password to keep bad actors at bay. Today's questions swirl around what it will take to stem the increasing onslaught of identity-related breaches. From the Least Privilege principle to Multi-Factor Authentication (MFA), routine access reviews, and Zero Trust, it will take parts of each of these, plus more, to address this problem.
The bigger question is, how do we get this done? Security, as part of a larger risk management program, is the answer. This year marks the 20th anniversary of Cybersecurity Awareness Month and the new theme is Secure Our World. This is appropriate because, as we have seen, the effects can and do shape events around the world. By continuing to better educate ourselves and raise awareness around this global issue, we will solve this problem.
Finally, Mike Rothman, faculty member at IANS Research, and chief strategy officer and GM of Techstrong Research offers some simple advice, "Avoid storing data on personal devices: A crucial but often overlooked practice is discouraging employees from storing work-related information on personal devices or using personal email accounts for work purposes. Encourage the use of cloud services provided by the organization for remote work. If these resources aren't available, make it clear that circumventing controls by using personal devices isn't an acceptable solution."