Virtualization Technology News and Information
Kicking Off Cybersecurity Awareness Month 2021: Security Strategies are Vital Year-Round


The 18th annual Cybersecurity Awareness Month has officially kicked off this October. Created by the Cybersecurity & Infrastructure Security Agency, the holiday's aim is to raise awareness about the importance of cybersecurity globally, ensuring that everyone has the resources they need to be more secure digitally and safer and more secure online.

The theme is once again, "Do Your Part. Be #CyberSmart," which emphasizes the importance of community in cybersecurity and protecting businesses and individuals alike from threats. While it's important to recognize the significance of implementing security measures to keep digital assets secure during awareness month, it's also vital year-round.  

Below, several technology leaders have reflected on what Cybersecurity Awareness Month means to the industry, and the necessity for businesses to implement a strong cybersecurity strategy. 


Jason Rebholz, CISO, Corvus Insurance

"In light of Cybersecurity Awareness Month, it's critical for organizations to focus on where they can multiply their security efforts. As we look back on 2021, we saw Cyber Insurance pushed into a negative spotlight with some raising concerns that it may have been contributing to the rise in ransomware attacks. It's crucial that we dispel the falsehoods and instead educate on the positive impact cyber insurance has for organizations individually and industries as a whole.

Insurance carriers are an integral component of setting minimum standards for security solutions and technologies across all industries. There is a shared interest between insurance carriers and their policyholders to mitigate risk and keep businesses up and running free of security incidents. Carriers can become an ally and force multiplier for organizations of every size by delivering access to best practices and more affordable security solutions that don't compromise on quality. Organizations that implement cyber insurance will undoubtedly be better armed to protect themselves against the growing cyber threat environment."


James Hadley, CEO and co-founder of Immersive Labs

"Although cybersecurity awareness should stretch further than one month, October serves as an important reminder that organizations should be preparing their teams for cyber threats year-round, no matter how big or small.  

This year has made it abundantly clear that management of cyber risk cannot be left to just a few experts in the security team. Cyber risk now impacts financial, reputational, regulatory, legal, and technical teams. That means the responsibility for mitigation and response now falls on a much broader range of people across the entire workforce. All must be ready to respond and should have the necessary knowledge, skills and judgement to mitigate this ever growing, fast-paced risk."


Stephen Cavey, co-founder and chief evangelist of Ground Labs

"First, I advise organizations of any size to collect only the data they need. When it comes to personal data, particularly medical-related data, there is no such thing as "nice to have" - only what you must collect in order to run your business and deliver your product or service. The consequences of over-collecting personal data are highly visible as the number of reported data breaches continues to rise.

Secondly, this sensitive data must only be accessible on a "need-to-know" basis, and organizations should set that "need-to-know" threshold at the highest possible level. When we think about security within our organizations, we often forget that employees do represent a significant risk to the likelihood of a security breach, which often occurs without their awareness due to an unintended action such as clicking on a malicious email. With a dispersed workforce becoming the norm, ensuring that employees understand the required confidentiality and appropriate handling of customer data is critical to meeting increasingly challenging privacy regulations and ultimately honoring the trust that a customer has placed on your organization with their data.

Finally, with over 70% of organizations not fully understanding where all their data is located, I strongly urge organizations to make data awareness a priority. The technology to achieve this is readily available using sensitive data discovery to map out where all PII data lives within your organization. Through this process, you will quickly learn where data is created, who has access to it, and gain accurate insights into what risks exist around data that require immediate attention."


John DeSimone, vice president of cyber, training & services at Raytheon Intelligence & Space

"Being cyber aware requires constant diligence all year long, but it's also necessary for organizations to take a step back to consider how their security strategies can be improved in order to continuously meet these challenges head on. Cybersecurity is a multi-layered problem which is why every organization should test to reveal vulnerabilities.

I'd recommend vulnerability scanning monthly-weekly if resources allow it-and quarterly at a minimum. Penetration testing should be done at least annually, but bi-annually is better; critical apps or websites you'd want to test more often especially after major changes or releases to ensure that a new vulnerability wasn't introduced. I'd also recommend a Red Team exercise, which mimics what adversaries may attempt to do to break into your organization, to test your security team as well as the detections and controls that you have in place. This should happen at least once a year or when major changes are implemented. These real-world tests will help any organization determine how well they can detect malicious activity that other testing won't find.

Finally, I suggest implementing a Zero Trust framework, where you continually assess your organization's security posture (yes, even internally). Zero Trust Security relies on multiple technologies that have to continuously scan and monitor your users, devices, networks, workload, and data to detect suspicious and malicious behaviors."


David Friend, co-founder and CEO of Wasabi Technologies

"As the former CEO of backup company Carbonite, and now co-founder and CEO of hot cloud storage company Wasabi Technologies, I've seen many companies spend so much time and money on intrusion prevention and detection against ransomware. But it's a losing battle because cyber criminals will always find a way to get in, and vulnerabilities are not always technical - they depend on people never making a mistake. 

One underutilized way to protect your data against cyber threats and ransomware is through object-level immutability in your cloud storage, which means certain files and stored objects cannot be modified or deleted by anyone, even a systems administrator. If you store your backups in immutable buckets, ransomware hackers can't delete or encrypt your backups. Ransomware hackers know that if you can restore your systems from backups, they are unlikely to be able to extort ransom from you. So they try to destroy backups at the same time they are encrypting your primary data. But if you have done your backups properly, when you get attacked by ransomware, you should be able to start fresh and restore your entire system from backups. 

No amount of high-tech prevention will stop ransomware attacks because most of the time the vulnerability is with the humans, not the machines. So my advice is to do the best you can on the prevention side, but more importantly do complete backups, store them in immutable object stores, and test that you can successfully do a full restore before you get hit." 


David Bradbury, Chief Security Officer, Okta

"Cybersecurity Awareness Month is especially crucial this year as we've seen cyberattacks become more sophisticated and more destructive across all industry sectors. If the past year has taught us anything, it's that it has never been cheaper or easier to launch a cybersecurity attack. As leaders, we must remain continuously vigilant to thwart these emerging threats and keep cybersecurity as a top priority for every company. To meet the demands of today's modern users and avoid becoming the next victim of a cyberattack, organizations must move toward a Zero Trust security model and adopt strong authentication across all services, everywhere - from on-premises, to cloud, to mobile, and for employees as well as customers, partners, contractors, and suppliers. In order to maintain this level of vigilance, cybersecurity leaders should keep their team's well-being top of mind by hiring globally, regularly checking the ‘pulse' of your team's work and stress levels, and being open about the organization's broader strategy - these are all key to addressing potential sources of burnout across multiple touchpoints. With our industry also facing massive skills gap challenges, it's also important for cybersecurity leaders to empower their employees to properly train and mentor young IT professionals who will go on to become the security teams of the future. This month should be much more than just a time of awareness for organizations - it should be a call to action to start (or bolster) their Zero Trust journey, address and correct sources of burnout, and to keep an eye on the future development of the profession to meet the evolving challenges in our increasingly identity-centric world."


James Christiansen, VP of Security Transformation at Netskope 

"This is Netskope's second Cybersecurity Awareness Month during the COVID-19 pandemic, which has given us the opportunity to reflect and recognize how we can move the industry forward. As part of this awareness, it is our responsibility to redefine ‘Zero Trust' so that it is more adaptable for companies to implement into their security. This type of trust is at the core of secure access service edge (SASE), which will connect security products across infrastructures and help companies make complex decisions around trust. 

According to a recent report, 70% of users continue to work remotely as of the end of June 2021. During an era when organizations are learning to navigate a hybrid workforce, it is critical that companies have secured their data, which is now being accessed on an abundance of servers. The Great Resignation has shown us that there is a large opportunity to change the security architecture for companies that are at high risk of employees leaving and taking data with them. In fact, departing employees upload 3 times more data to personal apps in the last 30 days of employment. Additionally, many companies are adopting a remote-first approach while onboarding workers all over the country, which calls for a change of traditional security systems and is a large opportunity for cybersecurity companies to offer innovative solutions. 

Realistically, we can never have an environment with no trust because this would mean we have zero interactions. The key to achieving continuous adaptive trust is by having a view of our risks at all times. This includes identifying users, classifying the data being accessed, and looking at the applications used on the network. This will help us better understand who is causing the risk, where it is coming from, why they are doing it, and how this will affect company data. By considering these threats, companies can begin their journey to SASE architecture and be better prepared for the risks they face on a daily basis."


Joe Partlow, Chief Technology Officer, ReliaQuest

"The events of this past year have put a magnifying glass on the longstanding issues many organizations are unfortunately faced with year-round. While each October we celebrate National Cybersecurity Awareness month as a reminder to prioritize such initiatives, the cybersecurity industry should instead use this as a moment - and an opportunity - to consider what can, or needs to be done, to make organizations more secure every day. Whether that’s educating employees about the dangers of social engineering and phishing, using MFA whenever possible, avoiding password reuse and administrative privileges or implementing more fool-proof policies and procedures for employees, these changes must have a lasting impact to reduce the risk at home and in the workplace.
Despite headway this year with organizations working to achieve a stronger risk-based security posture all year round, a recent study from Ponemon Research found that there’s still ample work to be done. For example, 64% of security leaders believe the primary obstacle to implementing IT security risk management is a lack of standardized metrics to measure progress. Additionally, while 57% of organizations are prioritizing secure cloud migrations and another half are looking to implement Zero Trust, the majority are still held back by the lack of visibility. In short, most are still lacking operational efficiencies and actionable metrics that prevent them from detecting threats and making meaningful changes to their security posture. Constantly staying on top of security operations and visibility couldn’t be more critical in today’s landscape. Teams must be empowered with the right support, technology and resources to get the job done right."


Janer Gorohhov, Co-founder and Chief Product Officer, Veriff

"The accelerated digital transformation of companies around the world has led to an increase in fraud rates globally. To combat this increase in fraud and maintain trust and safety online, more organizations must leverage artificial intelligence tools to identify and stop bad actors in their tracks, saving companies money and protecting both their employees and customers."


Michael Khoo, Access Partnership's Senior Policy Manager in Asia

"Every member of an organization has a role to play in cybersecurity today. Just as governments are discussing on the “norms” or “rules” for international cybersecurity, so too do employees and employers need to develop the norms for the workplace to cultivate the right habits and hygiene. This can include simple rules such as not leaving written passwords lying around (or even having them in written form) and keeping software and operating systems regularly patched and updated (please stop fighting your IT department and delaying scheduled server updates!) Good cybersecurity isn’t just the responsibility of the IT department any longer, and all of us play a part in contributing to a safer work environment. These norms should also extend beyond the workplace as digitalization becomes a part of all aspects of our lives as we begin to normalize good cyber habits wherever and whatever we do."


Robert Prigge, CEO of Jumio

"The amount of large-scale cybersecurity breaches we've witnessed in the last year highlights just how creative cybercriminals will get to steal sensitive data and sell it on the dark web. The number of reported identity theft cases more than doubled from 2019 to 2020, while the number of reported data breaches escalated 38% from the first to second half of 2021. With traditional online verification tools such as knowledge-based authentication and passwords, organizations will continue to place consumers’ personal information at risk of being compromised.

Cybersecurity Awareness Month encourages security leaders and executive decision-makers to modernize their security practices in order to adapt to the increased sophistication of fraudsters. In today’s cybersecurity climate, organizations must move away from outdated, obsolete authentication methods and implement more advanced identity verification solutions, like face-based biometric authentication, that confirm online users are truly who they claim to be. This month is also important for educating consumers on how to safeguard their digital identity and manage personal data consent rights online. These best practices are crucial to keep data away from the hands of malicious actors."


Anurag Kahol, CTO and Cofounder of Bitglass

"From cloud misconfigurations exposing massive amounts of sensitive data online to ransomware attacks severely impacting critical infrastructure, this past year has underlined the inherent lack of proactive security across organizations of all sizes. As we move toward a new era of hybrid operations post-pandemic, the sophistication and frequency of cyberattacks will only continue to increase at an exponentially higher rate. Organizations must be prepared to face the evolving threat landscape to protect their employees, corporate infrastructure and sensitive data.

International Cybersecurity Awareness Month serves as a reminder for enterprises to make security a strategic imperative. A vigilant security posture starts with implementing a unified cloud security platform, like secure access service edge (SASE) and security service edge (SSE), that replaces various disjointed point products and extends consistent security to all sanctioned cloud resources, while following a Zero Trust framework to prevent unauthorized network access. Additionally, enforcing comprehensive cybersecurity training for all employees, hiring security experts and continuously monitoring and enhancing cybersecurity postures will ensure organizations are properly equipped to defend their modern operations."


Josh Rickard, Security Solutions Architect at Swimlane

"Cybersecurity Awareness Month serves as a timely reminder for companies to reevaluate their cybersecurity posture after a tumultuous year of cyberattacks across industries.  
The dramatic spike in ransomware and supply chain attacks illustrates that every company, regardless of vertical, is a software company and security will only continue to rise in importance when it comes to ensuring the continued operations of the business.  
To protect valuable information and prevent breaches, enterprises must invest in multi-faceted platforms that centralize and automate detection, response and investigation protocols. Security teams need full visibility into IT environments and the ability to respond in real-time to limit the consequences should a cyberattack occur.  
By automating and centralizing security processes, organizations can reduce the chance of human error while achieving infinitely smoother execution of security-related tasks and ultimately ensuring that highly-sensitive personal information is kept safe and secure."


Karen Worstell, Senior Cybersecurity Strategist, VMware

"In the face of sophisticated, industrial-scale cyberattacks it is tempting to assume we need to build an arsenal of high-power cyber technology as a first priority. However, it truly starts with basic cyber hygiene as a foundational layer in order to establish effective advanced protection against hacks or breaches. Well-managed inventory and configurations, a clean baseline in identity and access management, engaging in regular patching and updates, and endpoint management all go a long way in building strong resilience into an organization's security posture. A foundation of cyber hygiene might not be the bright shiny cool project; however, it sets you up for success in your Zero Trust security journey. When security is built into a Cloud First strategy, getting the cyber hygiene done right is more manageable end-to-end. Zero Trust is not just buzz - it is possible today."

Tom Kellermann, Head of Cybersecurity Strategy, VMware

"By empowering CISOs, we can help relieve some of the burnout felt by their security teams. Elevating the CISO’s role within an organization will help to better ensure cybersecurity measures are appropriately prioritized and that the team leading those measures has the necessary resources and support to combat burnout and build resilience."

Rick McElroy, Principal Cybersecurity Strategist, VMware

"Adopting a cybersecurity-first mindset can be intimidating, but it doesn’t have to be.  A good first step is to implement practices such as weekly threat hunting within employee devices to detect behavioral abnormalities. As we enter the era of the hybrid workforce, remind employees to remain cyber vigilant on their own home networks and keep up with software and app updates that might include security enhancements."


Jason Stirland, CTO at DeltaNet International

"Research from Verizon revealed that 36% of data breaches involved phishing, 11% more than last year and 85% of breaches involved human error. With phishing attacks continuing to escalate, organizations must prioritize training employees on awareness basics, such as how to spot a phishing email. Employees should be able to recognize phishing emails using simple techniques to strengthen the organization's cybersecurity resilience. This might include checking the email address of the sender, looking out for spelling and grammatical errors within the email, and hovering over suspicious links or attachments. These are all prime methods for detecting a phishing email.
Cybersecurity Awareness Month is an ideal time to refresh employees with cybersecurity awareness training. After all, refreshing training ensures employees stay aware about new cybersecurity risks, e.g. this year, credential harvesting and smishing have been popular phishing techniques to watch out for.  
Businesses might also wish to test the effectiveness of their cybersecurity awareness training using simulated phishing emails. This technique allows security teams to distinguish if there are any skills gaps and deploy follow-up training where it’s needed most to protect the business."


Published Friday, October 01, 2021 7:31 AM by David Marshall
Filed under: , ,
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
<October 2021>