The 18th annual Cybersecurity Awareness Month has officially kicked off this October.
Created by the Cybersecurity & Infrastructure Security Agency, the
month aims to raise awareness about the importance of
cybersecurity globally, ensuring that everyone has the resources they need
to be safer and more secure online.
The theme is once again, "Do Your Part. Be #CyberSmart," which
emphasizes the importance of community in cybersecurity and protecting
businesses and individuals alike from threats. While it's important to
recognize the significance of implementing security measures to keep digital
assets secure during awareness month, it's also vital year-round.
Below, several technology leaders have reflected on
what Cybersecurity Awareness Month means to the industry, and the necessity for
businesses to implement a strong cybersecurity strategy.
+++++
Jason Rebholz, CISO, Corvus Insurance
"In light of Cybersecurity Awareness Month, it's critical for
organizations to focus on where they can multiply their security efforts. As we
look back on 2021, we saw Cyber Insurance pushed into a negative spotlight with
some raising concerns that it may have been contributing to the rise in
ransomware attacks. It's crucial that we dispel the falsehoods and instead
educate on the positive impact cyber insurance has for organizations
individually and industries as a whole.
Insurance carriers are an integral component of setting minimum
standards for security solutions and technologies across all industries. There
is a shared interest between insurance carriers and their policyholders to
mitigate risk and keep businesses up and running free of security incidents.
Carriers can become an ally and force multiplier for organizations of every
size by delivering access to best practices and more affordable security
solutions that don't compromise on quality. Organizations that implement cyber
insurance will undoubtedly be better armed to protect themselves against the
growing cyber threat environment."
+++++
James Hadley, CEO and co-founder of Immersive Labs
"Although cybersecurity awareness should stretch further than one
month, October serves as an important reminder that organizations should be
preparing their teams for cyber threats year-round, no matter how big or
small.
This year has made it abundantly clear that management of cyber
risk cannot be left to just a few experts in the security team. Cyber risk now
impacts financial, reputational, regulatory, legal, and technical teams. That
means the responsibility for mitigation and response now falls on a much
broader range of people across the entire workforce. All must be ready to
respond and should have the necessary knowledge, skills and judgement to
mitigate this ever growing, fast-paced risk."
+++++
Stephen Cavey, co-founder and chief evangelist of Ground Labs
"First, I advise organizations of any size to collect only the
data they need. When it comes to personal data, particularly medical-related
data, there is no such thing as "nice to have" - only what you must
collect in order to run your business and deliver your product or service. The
consequences of over-collecting personal data are highly visible as the number
of reported data breaches continues to rise.
Secondly, this sensitive data must only be accessible on a
"need-to-know" basis, and organizations should set that "need-to-know"
threshold at the highest possible level. When we think about security within
our organizations, we often forget that employees do represent a significant
risk to the likelihood of a security breach, which often occurs without their
awareness due to an unintended action such as clicking on a malicious email.
With a dispersed workforce becoming the norm, ensuring that employees understand
the required confidentiality and appropriate handling of customer data is
critical to meeting increasingly challenging privacy regulations and ultimately
honoring the trust that a customer has placed on your organization with their
data.
Finally, with over 70% of organizations not fully understanding
where all their data is located, I strongly urge organizations to make data
awareness a priority. The technology to achieve this is readily available using
sensitive data discovery to map out where all PII data lives within your
organization. Through this process, you will quickly learn where data is
created, who has access to it, and gain accurate insights into what risks exist
around data that require immediate attention."
+++++
John DeSimone, vice president of cyber, training & services at Raytheon Intelligence & Space
"Being cyber aware requires constant diligence all year long, but
it's also necessary for organizations to take a step back to consider how their
security strategies can be improved in order to continuously meet these
challenges head on. Cybersecurity is a multi-layered problem which is why every
organization should test to reveal vulnerabilities.
I'd recommend vulnerability scanning monthly (weekly if resources
allow it) and quarterly at a minimum. Penetration testing should be done at
least annually, but bi-annually is better; critical apps or websites you'd want
to test more often especially after major changes or releases to ensure that a
new vulnerability wasn't introduced. I'd also recommend a Red Team exercise,
which mimics what adversaries may attempt to do to break into your
organization, to test your security team as well as the detections and controls
that you have in place. This should happen at least once a year or when major
changes are implemented. These real-world tests will help any organization
determine how well they can detect malicious activity that other testing won't
find.
Finally, I suggest implementing a Zero Trust framework, where you
continually assess your organization's security posture (yes, even internally).
Zero Trust Security relies on multiple technologies that have to continuously
scan and monitor your users, devices, networks, workload, and data to detect
suspicious and malicious behaviors."
+++++
David Friend, co-founder and CEO of Wasabi Technologies
"As the former CEO of backup company Carbonite, and now co-founder
and CEO of hot cloud storage company Wasabi Technologies, I've seen many
companies spend so much time and money on intrusion prevention and detection
against ransomware. But it's a losing battle because cyber criminals will
always find a way to get in, and vulnerabilities are not always technical -
they depend on people never making a mistake.
One underutilized way to protect your data against cyber threats
and ransomware is through object-level immutability in your cloud storage,
which means certain files and stored objects cannot be modified or deleted by
anyone, even a systems administrator. If you store your backups in immutable
buckets, ransomware hackers can't delete or encrypt your backups. Ransomware
hackers know that if you can restore your systems from backups, they are
unlikely to be able to extort ransom from you. So they try to destroy backups
at the same time they are encrypting your primary data. But if you have done
your backups properly, when you get attacked by ransomware, you should be able
to start fresh and restore your entire system from backups.
No amount of high-tech prevention will stop ransomware attacks
because most of the time the vulnerability is with the humans, not the
machines. So my advice is to do the best you can on the prevention side, but
more importantly do complete backups, store them in immutable object stores,
and test that you can successfully do a full restore before you get
hit."
+++++
David Bradbury, Chief Security Officer, Okta
"Cybersecurity Awareness Month is especially crucial this year as
we've seen cyberattacks become more sophisticated and more destructive across
all industry sectors. If the past year has taught us anything, it's that it has
never been cheaper or easier to launch a cybersecurity attack. As leaders, we
must remain continuously vigilant to thwart these emerging threats and keep
cybersecurity as a top priority for every company. To meet the demands of
today's modern users and avoid becoming the next victim of a cyberattack,
organizations must move toward a Zero Trust security model and adopt strong
authentication across all services, everywhere - from on-premises, to cloud, to
mobile, and for employees as well as customers, partners, contractors, and
suppliers. In order to maintain this level of vigilance, cybersecurity leaders
should keep their team's well-being top of mind by hiring globally, regularly
checking the ‘pulse’ of your team's work and stress levels, and being open
about the organization's broader strategy - these are all key to addressing
potential sources of burnout across multiple touchpoints. With our industry
also facing massive skills gap challenges, it's also important for
cybersecurity leaders to empower their employees to properly train and mentor
young IT professionals who will go on to become the security teams of the
future. This month should be much more than just a time of awareness for
organizations - it should be a call to action to start (or bolster) their Zero
Trust journey, address and correct sources of burnout, and to keep an eye on
the future development of the profession to meet the evolving challenges in our
increasingly identity-centric world."
+++++
James Christiansen, VP of Security Transformation at Netskope
"This is Netskope's second Cybersecurity Awareness Month during
the COVID-19 pandemic, which has given us the opportunity to reflect and
recognize how we can move the industry forward. As part of this awareness, it
is our responsibility to redefine ‘Zero Trust’ so that it is more adaptable for
companies to implement into their security. This type of trust is at the core
of secure access service edge (SASE), which will connect security products
across infrastructures and help companies make complex decisions around
trust.
According to a recent report, 70% of users continue to
work remotely as of the end of June 2021. During an era when organizations are
learning to navigate a hybrid workforce, it is critical that companies have
secured their data, which is now being accessed on an abundance of servers. The
Great Resignation has shown us that there is a large opportunity to change the
security architecture for companies that are at high risk of employees leaving
and taking data with them. In fact, departing employees upload 3 times more data to personal apps in the
last 30 days of employment. Additionally, many companies are adopting a
remote-first approach while onboarding workers all over the country, which
calls for a change of traditional security systems and is a large opportunity
for cybersecurity companies to offer innovative solutions.
Realistically, we can never
have an environment with no trust because this would mean we have zero
interactions. The key to achieving continuous adaptive trust is by having a
view of our risks at all times. This includes identifying users, classifying the
data being accessed, and looking at the applications used on the network. This
will help us better understand who is causing the risk, where it is coming
from, why they are doing it, and how this will affect company data. By
considering these threats, companies can begin their journey to SASE
architecture and be better prepared for the risks they face on a daily basis."
+++++
Joe Partlow, Chief Technology Officer, ReliaQuest
"The events of this past year have put a magnifying glass on the longstanding issues many organizations are unfortunately faced with year-round. While each October we celebrate National Cybersecurity Awareness month as a reminder to prioritize such initiatives, the cybersecurity industry should instead use this as a moment - and an opportunity - to consider what can, or needs to be done, to make organizations more secure every day. Whether that’s educating employees about the dangers of social engineering and phishing, using MFA whenever possible, avoiding password reuse and administrative privileges or implementing more fool-proof policies and procedures for employees, these changes must have a lasting impact to reduce the risk at home and in the workplace.
Despite headway this year with organizations working to achieve a stronger risk-based security posture all year round, a recent study from Ponemon Research found that there’s still ample work to be done. For example, 64% of security leaders believe the primary obstacle to implementing IT security risk management is a lack of standardized metrics to measure progress. Additionally, while 57% of organizations are prioritizing secure cloud migrations and another half are looking to implement Zero Trust, the majority are still held back by the lack of visibility. In short, most are still lacking operational efficiencies and actionable metrics that prevent them from detecting threats and making meaningful changes to their security posture. Constantly staying on top of security operations and visibility couldn’t be more critical in today’s landscape. Teams must be empowered with the right support, technology and resources to get the job done right."
+++++
Janer Gorohhov, Co-founder and Chief Product Officer, Veriff
"The accelerated digital transformation of companies around the world has led to an increase in fraud rates globally. To combat this increase in fraud and maintain trust and safety online, more organizations must leverage artificial intelligence tools to identify and stop bad actors in their tracks, saving companies money and protecting both their employees and customers."
+++++
Michael Khoo, Access Partnership's Senior Policy Manager in Asia
"Every member of an organization has a role to play in cybersecurity today. Just as governments are discussing the “norms” or “rules” for international cybersecurity, so too do employees and employers need to develop the norms for the workplace to cultivate the right habits and hygiene. This can include simple rules such as not leaving written passwords lying around (or even having them in written form) and keeping software and operating systems regularly patched and updated (please stop fighting your IT department and delaying scheduled server updates!). Good cybersecurity isn’t just the responsibility of the IT department any longer, and all of us play a part in contributing to a safer work environment. These norms should also extend beyond the workplace as digitalization becomes a part of all aspects of our lives as we begin to normalize good cyber habits wherever and whatever we do."
+++++
Robert Prigge, CEO of Jumio
"The amount of large-scale cybersecurity breaches we've witnessed in the last year highlights just how creative cybercriminals will get to steal sensitive data and sell it on the dark web. The number of reported identity theft cases more than doubled from 2019 to 2020, while the number of reported data breaches escalated 38% from the first to second half of 2021. With traditional online verification tools such as knowledge-based authentication and passwords, organizations will continue to place consumers’ personal information at risk of being compromised.
Cybersecurity Awareness Month encourages security leaders and executive decision-makers to modernize their security practices in order to adapt to the increased sophistication of fraudsters. In today’s cybersecurity climate, organizations must move away from outdated, obsolete authentication methods and implement more advanced identity verification solutions, like face-based biometric authentication, that confirm online users are truly who they claim to be. This month is also important for educating consumers on how to safeguard their digital identity and manage personal data consent rights online. These best practices are crucial to keep data away from the hands of malicious actors."
+++++
Anurag Kahol, CTO and Cofounder of Bitglass
"From cloud misconfigurations exposing massive amounts of sensitive data online to ransomware attacks severely impacting critical infrastructure, this past year has underlined the inherent lack of proactive security across organizations of all sizes. As we move toward a new era of hybrid operations post-pandemic, the sophistication and frequency of cyberattacks will only continue to increase at an exponentially higher rate. Organizations must be prepared to face the evolving threat landscape to protect their employees, corporate infrastructure and sensitive data.
International Cybersecurity Awareness Month serves as a reminder for enterprises to make security a strategic imperative. A vigilant security posture starts with implementing a unified cloud security platform, like secure access service edge (SASE) and security service edge (SSE), that replaces various disjointed point products and extends consistent security to all sanctioned cloud resources, while following a Zero Trust framework to prevent unauthorized network access. Additionally, enforcing comprehensive cybersecurity training for all employees, hiring security experts and continuously monitoring and enhancing cybersecurity postures will ensure organizations are properly equipped to defend their modern operations."
+++++
Josh Rickard, Security Solutions Architect at Swimlane
"Cybersecurity Awareness Month serves as a timely reminder for companies to reevaluate their cybersecurity posture after a tumultuous year of cyberattacks across industries.
The dramatic spike in ransomware and supply chain attacks illustrates that every company, regardless of vertical, is a software company and security will only continue to rise in importance when it comes to ensuring the continued operations of the business.
To protect valuable information and prevent breaches, enterprises must invest in multi-faceted platforms that centralize and automate detection, response and investigation protocols. Security teams need full visibility into IT environments and the ability to respond in real-time to limit the consequences should a cyberattack occur.
By automating and centralizing security processes, organizations can reduce the chance of human error while achieving infinitely smoother execution of security-related tasks and ultimately ensuring that highly-sensitive personal information is kept safe and secure."
+++++
Karen Worstell, Senior Cybersecurity Strategist, VMware
"In the face of sophisticated, industrial-scale cyberattacks it is tempting to assume we need to build an arsenal of high-power cyber technology as a first priority. However, it truly starts with basic cyber hygiene as a foundational layer in order to establish effective advanced protection against hacks or breaches. Well-managed inventory and configurations, a clean baseline in identity and access management, engaging in regular patching and updates, and endpoint management all go a long way in building strong resilience into an organization's security posture. A foundation of cyber hygiene might not be the bright shiny cool project; however, it sets you up for success in your Zero Trust security journey. When security is built into a Cloud First strategy, getting the cyber hygiene done right is more manageable end-to-end. Zero Trust is not just buzz - it is possible today."
Tom Kellermann, Head of Cybersecurity Strategy, VMware
"By empowering CISOs, we can help relieve some of the burnout felt by their security teams. Elevating the CISO’s role within an organization will help to better ensure cybersecurity measures are appropriately prioritized and that the team leading those measures has the necessary resources and support to combat burnout and build resilience."
Rick McElroy, Principal Cybersecurity Strategist, VMware
"Adopting a cybersecurity-first mindset can be intimidating, but it doesn’t have to be. A good first step is to implement practices such as weekly threat hunting within employee devices to detect behavioral abnormalities. As we enter the era of the hybrid workforce, remind employees to remain cyber vigilant on their own home networks and keep up with software and app updates that might include security enhancements."
+++++
Jason Stirland, CTO at DeltaNet International
"Research from Verizon revealed that 36% of data breaches involved phishing, 11% more than last year and 85% of breaches involved human error. With phishing attacks continuing to escalate, organizations must prioritize training employees on awareness basics, such as how to spot a phishing email. Employees should be able to recognize phishing emails using simple techniques to strengthen the organization's cybersecurity resilience. This might include checking the email address of the sender, looking out for spelling and grammatical errors within the email, and hovering over suspicious links or attachments. These are all prime methods for detecting a phishing email.
Cybersecurity Awareness Month is an ideal time to refresh employees with cybersecurity awareness training. After all, refreshing training ensures employees stay aware about new cybersecurity risks, e.g. this year, credential harvesting and smishing have been popular phishing techniques to watch out for.
Businesses might also wish to test the effectiveness of their cybersecurity awareness training using simulated phishing emails. This technique allows security teams to distinguish if there are any skills gaps and deploy follow-up training where it’s needed most to protect the business."