Cybersecurity Awareness Month turns 20! What are the biggest cybersecurity challenges currently facing organizations?
It’s the 20th anniversary of Cybersecurity Awareness Month, and it’s safe to say a lot has changed in the cybersecurity industry since then. For example, just over the last year, we have seen the meteoric rise of generative AI and the huge impact it is already having on the cybersecurity industry.
Aaron Kiemele, CISO at Jamf, argues that now with the rise of generative AI, the threat posed by techniques such as phishing has completely changed: "With the advancements in large language models for machine learning, such as ChatGPT, cybercriminals are leveraging AI to automate attacks, analyze vast amounts of data, and craft more effective phishing emails or malware to achieve their nefarious ends. We can no longer rely on bad spelling or sketchy formatting."
As well as new threats, Cybersecurity Awareness Month also provides a perfect opportunity to remind people about the basics of cybersecurity such as multi-factor authentication and strong passwords, which are still a struggle for many organizations.
"Cybersecurity Awareness Month serves as a reminder of the critical role that strong passwords and password managers play in safeguarding our digital lives," said Joseph Carson, Chief Security Scientist & Advisory CISO at Delinea. "Weak passwords pose a significant risk as they can be easily exploited by cybercriminals using well-known hacking techniques."
Joseph Carson argues that individuals can significantly reduce the risk of falling victim to cyber threats by adopting the practice of using strong passwords, passphrases, and a password management solution.
"To effectively manage this complexity of using multiple strong passwords, use a password manager or consider using a Privileged Access Management solution. These digital vaults offer secure solutions by storing all the passwords in a central secure vault accessible only through a single master password and improve it even further with additional security controls such as Multi Factor Authentication."
Whilst using password managers and implementing good password habits is a perfectly acceptable route forward for organizations, there is also another path. Emre Tezisci, sales engineer, ZTNA Engineering at Barracuda, argues that the other option for businesses is to go passwordless.
"We also know that password-based authentication is no longer always enough to protect identities, given that compromised passwords are responsible for 81 percent of hacking breaches," said Emre Tezisci. "So perhaps it’s time to look seriously at an alternative: passwordless authentication. Many consumer applications and devices already rely on biometrics, including some mobile phones, banking, and payment apps.
It’s important to continue to offer all options, including traditional logins, while helping companies to migrate towards a future of continuous and conditional access, with centralized permissions, self-service access grants and, ultimately, a secure, user friendly passwordless experience."
Eduardo Azanza, CEO at Veridas, is in agreement with Emre Tezisci, and argues that biometrics provide both a more secure and seamless experience for customers.
"Whilst CISA may emphasize the need for strong passwords, we see a passwordless future is coming quickly and for the best," said Eduardo Azanza. "Even with the most robust passwords, threat actors will always find a way into a system they are targeting."
"Biometric solutions offer more robust security, as one’s unique physical characteristics are much more challenging for cybercriminals to replicate or steal. Biometrics, therefore, provides a strong barrier against unauthorized access, an ongoing problem in the world of data breaches. Passwords cannot match up against this level of security and convenience for users."
However, Sylvain Cortes, VP of Strategy at Hackuity, argues that, 20 years on, patching vulnerabilities continues to be a major challenge for businesses: "Sprawling IT estates, siloed operations, competing demands between security and operations teams, and a lack of communication, mean that patching becomes a disconnected, painful, and drawn-out process.
"Establishing best practice in patch management is absolutely essential. With ever increasing numbers of vulnerabilities to manage, taking steps to contextualize and prioritize risks has never been more important. Building on the routine practice of patching, organizations must focus on vulnerability prioritization to home in on the threats that really matter to their business."
For some cybersecurity experts, awareness around cybersecurity is no longer enough and will not achieve cyber resilience. James Hadley, CEO and co-founder of Immersive Labs, said that the entire organization needs to have the knowledge, skills, and judgment to respond to emerging threats in order to be resilient.
"Outdated training models and industry certifications that organizations have traditionally relied on have failed to make them safer and instead have created a false sense of security -- which is why nearly two-thirds of security leaders now agree that they are ineffective in ensuring cyber resilience.
"Continuous, measurable exercising across your entire workforce -- from the storeroom to the board room -- provides businesses with the insights they need to understand the current state of their cyber resilience and where their weak points lie. It also creates a more positive cybersecurity culture that encourages reporting rather than punishing employees when a breach does happen."
It is now crucial for organizations to be prepared for a breach. Christer Swartz, Solutions Marketing Director at Illumio, believes that businesses should be simulating a cybersecurity breach and then monitoring how well the chosen cybersecurity platform protects resources across the breach’s lifecycle.
"Security best practices recommend doing this using some form of penetration testing, also known as a pen test, on selected production resources.
This is a time for organizations to assess their networks’ vulnerabilities and then allow either internal or external personnel -- sometimes referred to as 'ethical hackers' -- to try to bypass security solutions and access internal resources."
Cybersecurity Awareness Month is a time for organizations to have honest reflections. It’s not about checking whether the cybersecurity basics are done, but about organizations going above and beyond. Darren Williams, CEO and Founder at BlackFog, advises organizations to follow CISA’s four-step advisory but also to go further.
"Businesses must do everything they can to secure their data and prevent ransomware attacks leading to extortion by adopting next-generation preventative cybersecurity tools, such as anti-data exfiltration (ADX). This will ensure that when the inevitable attack does occur, any data loss will be prevented.
Avoid delay when it comes to reporting a cyberattack. The sooner organizations announce a data breach, the faster law enforcement and external help can respond and work toward a resolution. Organizations with good communication can limit damage and prevent reputational damage."
On the other hand, Tyson Whitten, VP of Global Marketing at Jscrambler, sees Cybersecurity Awareness Month as an opportunity for organizations to address new compliance regulations such as PCI DSS 4.0.
"With a busy holiday season on the horizon, businesses should prioritize implementing practices to comply with the two specific new requirements, as they directly improve the security of payment pages," said Tyson Whitten.
"Requirements 6.4.3 and 11.6.1 should be followed to ensure all third-party scripts are authorized and documented with functional integrity checks in place. These practices can be used to detect tampering and unauthorized activities. With full observability over activity, businesses can sound the alarm and act quickly on potential threats."
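The two controls referred to above, an inventory of authorized payment-page scripts and a periodic integrity check that flags tampering or unreviewed additions, can be illustrated with a small script. This is an added example, not code from the article or from Jscrambler; all URLs, script bodies and the inventory entry are constructed sample data.

```python
import base64
import hashlib

# Added example: an authorized-script inventory (PCI DSS 4.0 req. 6.4.3) and an
# integrity check that detects changed or unauthorized scripts on a payment page
# (req. 11.6.1). URLs and script contents below are constructed sample data.

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity string such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

# Approved copy of the one script allowed on the payment page, reviewed and
# documented with a business justification (constructed, hypothetical URL).
APPROVED_CHECKOUT_JS = b"window.tokenize = function (card) { return fetch('/token', {method: 'POST', body: card}); };"
INVENTORY = {
    "https://cdn.example-payments.test/checkout.js": {
        "justification": "Tokenizes card data for the payment processor",
        "integrity": sri_hash(APPROVED_CHECKOUT_JS),
    },
}

def check_page_scripts(observed: dict, inventory: dict) -> list:
    """Compare scripts actually loaded by a payment page with the inventory.
    observed maps url -> script bytes as served; inventory maps url -> entry.
    Returns alert strings; an empty list means the page matches the inventory."""
    alerts = []
    for url, content in observed.items():
        entry = inventory.get(url)
        if entry is None:
            alerts.append(f"UNAUTHORIZED script loaded: {url}")
            continue
        algo = entry["integrity"].split("-", 1)[0]
        actual = sri_hash(content, algo)
        if actual != entry["integrity"]:
            alerts.append(f"INTEGRITY MISMATCH for {url}: expected {entry['integrity']}, got {actual}")
    for url in inventory.keys() - observed.keys():
        alerts.append(f"MISSING authorized script (blocked or removed?): {url}")
    return alerts

# Constructed observation from a periodic crawl: the approved script has been
# altered and an unreviewed script has appeared on the page.
OBSERVED = {
    "https://cdn.example-payments.test/checkout.js": APPROVED_CHECKOUT_JS + b"\n// unreviewed change",
    "https://cdn.unknown-vendor.test/tracker.js": b"// not in the inventory",
}

if __name__ == "__main__":
    for alert in check_page_scripts(OBSERVED, INVENTORY):
        print(alert)
```

The same `integrity` value can be placed in the `<script integrity="...">` attribute so the browser refuses an altered copy, while the check above gives the documented, periodic detection the requirement asks for.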
Cybersecurity Awareness Month is still extremely important in raising awareness around getting the cybersecurity basics right. However, businesses must understand that in our complex cyber threat landscape, doing the basics is no longer enough. They should be extending beyond the basics to properly deal with ever evolving and new cyber threats to ultimately increase cyber resilience.
Robin Campbell-Burt is CEO at Code Red.