Cybersecurity Awareness Month: Another year of challenging the 'inevitable'
Cybersecurity Awareness Month does precisely what its name suggests. It serves as a reminder of the sector's importance for businesses and consumers across the globe.
As we look back on yet another year in which threats have continued to evolve and the task at hand seems greater than ever, it's important to take cognizance of the cyber-dangers out there and recognize our roles in the fight against 'hackers'.
So, what are the biggest threats keeping CISOs up at night in 2023?
AI-generated threats are the 'talk of the cybersecurity town' this year and the most pressing issue on the mind of Paul Inglis, SVP, EMEA at ForgeRock: "AI is being increasingly weaponized against businesses and consumers to conduct ultra-realistic and highly targeted phishing campaigns. It's increasingly difficult to spot what's real from what's fake. While we've seen some politicians and celebrities mimicked to cause reputational damage, many other deepfakes are being circulated to steal money or credentials. And all a hacker needs is an Instagram story or a TikTok video to create an audio and video likeness in a matter of seconds."
And Paul's not the only one sounding the warning. Simon Horswell, Fraud Specialist at Onfido, states: "Fraud continues to rise to new levels, enhanced over the last year by the impact of generative AI. Fraudsters are using it to craft scams such as fake IDs, voice cloning, and deepfakes, and as bad actors adopt the latest technology for offensive means, identity verification companies such as Onfido have put in place many defences and are continuously monitoring and mitigating new fraud vectors."
But it's not all about AI. The same old threats are still rearing their ugly heads. F5's Threat Research Evangelist, Sander Vinberg, sees credential stuffing as a particularly pertinent ongoing threat: "Credential stuffing is widely recognized as a fundamental source of cybersecurity risk. It is, in essence, a numbers game." The one silver lining, however, is that the process remains somewhat inefficient: "It hinges on the fact that people reuse passwords, but the likelihood that any single publicly compromised password will work on another single web property is still small."
Credential-based threats are also front and centre for Renske Galema, Area Vice President Northern Europe, CyberArk, who states: "High-profile cyberattacks using stolen or leaked employee logins to breach and hijack entire IT systems are on the rise, but over half (55 percent) of UK workers still use insecure practices to keep track of their credentials, causing headaches for security teams. Amid ongoing economic turbulence and a continued cyber skills gap, threat actors are continually innovating to access critical data and assets to cause monetary and reputational damage."
If there's one vulnerability that has continued to be a thorn in the side of CISOs everywhere, it's their own employees. Lacework's CISO, Lea Kissner, shares this sentiment: "Insider threats should always be top of mind for CISOs. I worry about what someone can do if they managed to take over an employee's access (e.g. malware, account hijack), that they might hurt our customers or our coworkers."
It's important to acknowledge that even though new threats are emerging on what seems to be a daily basis, the older and 'less exciting' methods are just as crucial to guard against.
Speaking of guarding, let's see what experts have to say about keeping businesses and consumers safe.
Keeping businesses safe in 2023
As more companies continue to digitally transform, moving towards IoT-connected solutions, such as smart appliances, to evolve their business capabilities, David Collins, Product Management EMEA at Cradlepoint, recognizes that: "The best option for them is a converged network and security solution, optimized for 5G, which includes secure access services edge (SASE) principles. As part of these, the Zero Trust Network Access (ZTNA) principle provides a great foundation where the network plays a major role in protecting IoT devices."
The continued rise in online transactions shows no signs of slowing down, so businesses must ensure their processes are watertight as we look to end the year. Sameer Hajarnis, SVP and GM Digital Agreements at OneSpan, agrees: "With so many high-value transactions conducted online, getting customers to trust that the digital agreements they're making are secure is top priority. Businesses need to ensure their security measures are bolstered with tighter verification practices, such as continuous identity verification and biometric authentication, and that these are woven throughout the transaction lifecycle."
While deploying best-in-class solutions is crucial to keeping businesses safe, being fully prepared for the eventuality that an incident occurs is equally important. Jake Moore, Global Cybersecurity Advisor at ESET, recommends: "Regular data backups are essential to safeguard against data loss stemming from cyberattacks or hardware failures. Simultaneously, maintaining a vigilant watch over your accounts and access on a frequent basis enhances the detection of compromised passwords and personal information. Finally, it's equally important to account for all your devices -- a practice typically undertaken by larger businesses for ongoing risk management purposes as part of a well-defined cyber-resilience plan."
Evolving threats equals evolving training
As the threat landscape continues to grow, businesses must get training right.
When it comes to training, it all begins with those building our apps, the developers. Veracode's CTO, John Smith, agrees: "With the right developer training, businesses can make a big difference to the security of their software. In fact, our research found the completion of 10 training courses correlates to a 12 percent reduction in the number of flaws introduced by developers. It's never too late to start. Let this Cybersecurity Awareness Month serve as a reminder for developers to brush up on their cyber safety, and businesses to put in place the right training to make these secure practices stick."
Ian McShane, VP of MDR at Arctic Wolf, believes there is specific training we should move away from: "It's important to remind ourselves that the true goal of this month is to encourage more people to understand and adopt behaviors that protect themselves. My hope is that we focus less on things like 'punishment training' when small errors are made, which is the least impactful, and instead focus on things that the average person will benefit from. At the end of the day, the business benefit must be the byproduct, not the entire goal."
Similarly, Aaron Rosenmund, Director of Security Curriculum and Research at Pluralsight, argues: "Only 17 percent of tech workers are completely confident in their cybersecurity skills. This needs to change, and to do so businesses must provide cyber teams with opportunities to practice in low-risk environments, and build confidence."
As we look to cap off another year of battling nation-state actors, lone hackers, and employee mistakes, Cybersecurity Awareness Month acts as the perfect reminder to be vigilant. Security teams need to ensure that their organizations are aware of the dangers they face, are prepared to defend themselves and react to a potential hack, and provide employees with the best training possible.