The 19th annual Cybersecurity Awareness Month has officially kicked off this October. Created by the Cybersecurity & Infrastructure Security Agency, the month's aim is to raise awareness about the importance of cybersecurity globally, ensuring that everyone has the resources they need to be safer and more secure online.
The theme this year is "It's Easy to Stay Safe Online - See Yourself in Cyber," and it focuses on actions everyone can take to improve security, some of which are directly about identity. And while it's important to recognize the significance of implementing security measures to keep digital assets secure during the awareness month, it's also vital year-round.
Below, several technology leaders reflect on what Cybersecurity Awareness Month means to the industry and on the necessity for businesses to implement a strong cybersecurity strategy.
##
Matt Holland, Co-founder and CEO of Field Effect
Despite all
of the cyber security tools, categories and offerings on the market, businesses
of all sizes continue to be underprotected. They feel overwhelmed and forced
into solutions well outside of their areas of expertise. At Field Effect, we
work with our customers and partners to provide a solution that is holistic in
nature; designed to identify vulnerabilities and stop threats across the
breadth of the network, cloud services and endpoints; and delivered in a way
that removes the noise and complexity and relieves our clients' burdens.
+++
Jan Bondoc, VP of Information Technology, ioXt Alliance
The lack of
cybersecurity standards within the Internet of Things industry isn't shocking,
yet, given the rate at which we're all acquiring devices - 25.4 billion by
2030 - coupled with the jaw-dropping rise in cyberattacks, this dire situation
poses a somber security risk, targeting both consumers and enterprises.
Unsecured connected devices and mobile applications pose catastrophic-level
consequences without global, synchronized security standards in place. Hackers
have evolved with the technology, tapping IoT devices to prey on enterprises
and critical infrastructure. Unless we collectively agree to thwart cybercrime
by implementing standardized solutions industrywide, holding companies
accountable to those standards, the hackers will continue to have the upper
hand.
+++
Filip Verreth, VP Product Management, eSign Solutions for Nitro
Digitally signing documents is becoming the standard practice
these days. However, a substantial number of signatures are still not encrypted.
Cybersecurity threats are rising, and organizations need to ensure they are
taking the proper precautions to protect themselves from risk. Creating safe,
secure, and compliant workflows should be a top priority for business
leaders. A question that commonly arises is how businesses can do this
without compromising experience. Well, a strategic approach is
required. Digital identity should be at the core of any data-driven
business. Making identification and authentication a critical component of
business activities can hold the key to a more secure future, while delivering
on customer experience. Cybersecurity Awareness Month is a great opportunity to
highlight the role we can all play in making the internet a safer place.
+++
Adrianus Warmenhoven, Defensive Strategist at NordVPN
While
protecting your data may seem like a lofty task, there are steps to be taken to
maintain control over your information, especially this Cyber Security Month.
With the understanding that humans rely on the internet, and it is what keeps
our day-to-day moving, we must look not at how to avoid information-sharing,
but rather at how to maintain safety in doing so. Adrianus Warmenhoven,
defensive strategist at NordVPN shares, "I do acknowledge that anything that
preserves privacy can be abused for crime, but since our lives have become so
intertwined with the network, we must try to help people to live the lives they
want or in some cases even need." As such, the importance of VPNs and secure
browsers is emphasized this month.
In
order to stay cyber-safe this and every month, a VPN provides some simple steps
you can take every day to preserve your privacy. When surfing the web, be
conscientious of fake websites and when downloading apps, never download from
third parties and always double check the source. Consistently check and reset
privacy settings on your phone to ensure you have your desired level of
sharing. Double-down on your data's security by browsing with a VPN to encrypt
your online activity and eliminate location tracking. With the current state of
technology, VPNs are a vital component in today's (digital) life. While we can
argue over security issues ('all websites use TLS anyway!') or lawful
interception ('I have nothing to hide!') there can be no argument over the need
for personal privacy. And remember, no device is hacker-proof. Be cognizant of
who and what you interact with online every day.
+++
Varun Talwar, Co-Founder and Co-Creator, Tetrate
Companies need
to rethink where their perimeters are. They don't just include the front and
back doors anymore. They also include all the windows, side doors, and other
unknown vulnerabilities. In today's day and age, there is an increasing
importance to stay ahead of the cyber criminals and online vulnerabilities, and
ensure your data and information, especially when it is connected across
multiple apps, is secure.
+++
George Axberg, VP of Data Protection, VAST Data
Ransomware is top of mind not just for IT professionals but also
in the boardroom. Budgets are being allocated to implement Vanguards to keep
bad actors out, and Zero Trust is being implemented for those within. That
said, the numbers still show that the threats are increasing at an alarming
rate. How we as stewards of our most critical assets, our data, react to an
event such as a Cyber Strike is tantamount to how we react to a Natural
Disaster. Processes need to be put in place to react swiftly in the event
of an attack. Part of that plan of resilience needs to be a repository worthy
of storing those digital assets and RESTORING said assets to a workable form.
For example, at VAST Data we provide a secure, resilient, high performance at
exabyte scale platform - one that is powered by unique and innovative all-flash
technology leveraging modern economics. When a negative event happens, our
clients know their data is there, secured, and they can retrieve it all in a
flash, up to 50x faster than traditional backup solutions.
+++
Tilo Weigandt, Co-Founder and COO of Vaultree
Education and communication are key in the
cybersecurity industry. Cybersecurity doesn't have to be complex and boring; it
can be educational and fun if approached from the right angle, which can take
away the fear of entering this space or diving deeper into a specific
topic.
What's important is to start with the basics and
learn the mechanics and dynamics of security measures and their counterparts.
But you don't even have to be an expert in, say, cryptography to make a sound
decision; there is no shame in taking advice. However, the abundance of vendors
in the space makes it difficult to cut through the noise and it can sometimes
seem overwhelming. So, sit down with experts and exchange thoughts and doubts,
be part of communities and talk about your pain points, and talk to selected
vendors to understand different approaches.
Always keep in mind: No matter what we do, data
breaches and leaks will always happen, so the essential second line of defense
- encryption - is crucial to any security plan. There are already vendors out
there offering solutions with which you can process, search and compute
always-encrypted data at scale, so that you can concentrate on your daily
business and fight other fires.
+++
George Waller, Co-Founder and EVP of Zerify
At Zerify, cybersecurity is
something we are constantly vigilant about and have been highly dedicated to
ensuring - and continually improving - for over two decades. While it's
more than a month-long focus in our eyes, we are glad cybersecurity is getting
the world's attention in a time when hybrid and remote work environments
support critical communications, and video conferencing takes place from
multiple locations and even multiple unknown devices. We hope that as the usage
of collaborative communications increases - and the world continues to rely on
video conferencing platforms - Cybersecurity Awareness Month will be a time to
hone in on greater capabilities to secure organizations, ensuring Zero Trust
across platforms, greatly reducing breaches and hacks and thwarting the efforts
of bad actors across the globe.
+++
Miles Hutchinson, Chief Information Security Officer of Jumio
The cost of data breaches is
growing faster than ever before, with the average total cost of a data breach
reaching a staggering all-time high of $4.35M in 2022, according to
IBM.
The overwhelming amount of revenue lost and disruption from large-scale
cybersecurity breaches in the last year shows just how important it is for
organizations to modernize their security practices. In fact, 80% of
consumers would be more likely to engage with an organization online if they
had robust identity verification measures.
Cybersecurity Awareness Month encourages security leaders and executive decision-makers to
adapt their ways of working to address the increased sophistication of
fraudsters as well as the existing and emerging regulations in the
cybersecurity industry.
In today's cybersecurity
climate, organizations must move away from outdated, obsolete authentication
methods and implement more advanced identity verification solutions, like
face-based biometric authentication, which confirms online users are truly who
they claim to be. Traditional fraud
prevention and anti-money laundering (AML) methods lack the efficiency and
security that organizations need to protect their customers and corporate
assets.
Cybersecurity Awareness Month
is also important for educating consumers on how to safeguard their digital
identities and manage personal data consent rights online. These best practices
are crucial for helping people keep their data out of the hands of malicious
actors while also saving organizations millions of dollars in revenue.
+++
Sally Vincent, Senior Threat Research Engineer at LogRhythm
Cybersecurity Awareness Month is a timely reminder for
organizations about the importance of effectively detecting and responding to
threats. According to VentureBeat, the number of cyberattacks in
2022 has increased by almost three million. Attacks against the healthcare and
government sectors have especially spiked this year, with threat
actors compromising organizations like the California Department of Justice,
the Dominican Republic's Instituto Agriculturo, CorrectHealth, the Behavioral
Health Group, and more. One of the reasons for the increase in cyberattacks is
staffing shortages.
According to Cybersecurity Ventures, the need for cybersecurity professionals has grown rapidly
since the pandemic, while the number of unfilled cybersecurity jobs has
grown worldwide from 2013 to 2021 by 350%. While the aftermath of the pandemic
has certainly impacted the cybersecurity industry, other factors - such as
professionals lacking the proper credentials - have challenged hiring
in the cybersecurity industry.
This year's Cybersecurity Awareness Month focuses on the people
that keep our industry running. It is essential for the right
people to take charge in strengthening their organizations' incident
response plans to efficiently mitigate the effects of a cyberattack. The right
people also need to ensure that their organizations implement password
hygiene, threat detection capabilities, and preventative and response controls.
With these changes, organizations can thwart malicious cyberactivity, have full
visibility into their IT environments, and ensure the day-to-day processes of
IT systems run without disruption.
+++
JP Perez-Etchegoyen, CTO of Onapsis
Cybersecurity Awareness Month
serves as a timely reminder for companies to reevaluate their cybersecurity
processes after a year of tumultuous cyberattacks and data breaches across
industries. Cybersecurity has continued to rise in importance throughout a year
plagued by ransomware and supply chain attacks as organizations of every size
and industry have realized the importance of preventing and protecting against
cyber threats.
Business continuity and brand
reputation hinge on an organization's ability to maximize the availability of
business-critical applications while embracing innovation and operationalizing
security and compliance. Protection of business-critical applications is
especially important as cybercriminals continue to identify and exploit
vulnerabilities. Vulnerabilities in these applications can lead to exposure and
end up in data potentially being stolen. During a recent study, Onapsis
Research Labs found that new, unprotected SAP applications provisioned in cloud
(IaaS) environments were discovered and attacked in less than three hours,
stressing the need to "shift left" and ensure new mission-critical applications
are provisioned securely from day one.
Enterprises must evaluate all
systems in their IT landscape for any cyber threats, including unpatched
systems, permissive access controls, insecure integrations, or misconfigured
services. Then, they should implement any necessary mitigations right away to
protect their mission-critical applications and business from sophisticated
cybercriminals. To guarantee that these applications are fully and effectively
protected, they must also leverage a business-critical application security
program in their overall cybersecurity strategy. This will allow them to reduce
the costs and risks associated with transformation so the business can achieve
its top-line growth initiatives.
+++
David Anteliz, Senior Technical Director at Skybox Security
This October, Cybersecurity Awareness Month serves as a reminder
that hope is on the horizon - despite how quickly threat actors are evolving.
According to Skybox Research Lab threat
intelligence, 20,175 new
vulnerabilities were published in 2021, up from 18,341 in 2020. That's the most
vulnerabilities ever reported in a single year and the most significant
year-over-year increase since 2018. Initial research shows 2022 will result in
a significant uptick in vulnerabilities as well, particularly those impacting
critical infrastructure.
The world has seen the traditional cybersecurity approach built
on point products inadvertently create silos and dangerous gaps in visibility.
Attackers know that many organizations are behind on patching and still rely on
traditional approaches to vulnerability management based on CVSS scores, so
they've learned to take advantage of vulnerabilities rated as less critical to
carry out their attacks (as noted by CISA).
Today, organizations must begin evolving toward a radically more
flexible security architecture. To improve overall cybersecurity effectiveness,
mature organizations are leveraging advanced risk-based prioritization, which
includes threat intelligence, asset information, and modeling to determine what
is truly exposed to an attack. In fact, nearly half of organizations with no breaches
in 2021 took a risk-based approach.
+++
Almog Apirion, Co-Founder and CEO of Cyolo
Cybersecurity Awareness Month serves as a timely reminder for
organizations to reevaluate their security posture to protect against
cyberattacks and data breaches across all industries. It all starts with
building a culture of security within IT departments to further protect against
attacks.
For me, a culture of security starts with the people, process, and
technology. While the processes and technology are important, they consistently
repeat the same tasks without variance. People - in this case, users - insert the
most variables and risk into the security architecture. To start with, there
are so many different types of users and even more roles. They each require
a different approach and level of security, which prevents "one size fits all"
solutions. Today's businesses require employees, contractors, partners, and
vendors to keep the business running. Each of those people, and their
identities, bring a different level of risk to a company's business systems
& assets and they become the weakest link in any security strategy.
I recently read that half of organizations have users with more
access privileges than they need. I encourage security teams to spend time with
front-line users to understand their workflows. Understanding what they need to
do their jobs and the challenges created by security layers, will really help
better match access privileges with roles and protect critical business systems
and assets from unnecessary privileges. Considering the front-line users as a
part of your strategy, and encouraging the team to spend time with them, will
connect security with users in new and meaningful ways and remove friction from
the security process.
+++
Jon Davis, CISO of Oomnitza
Cybersecurity Awareness Month
serves as a timely reminder to organizations that in order to protect
themselves against risks posed by threat actors, they must reevaluate their
security posture.
Several cybersecurity trends
have emerged in 2022. Enterprise Technology Management (ETM) and Asset
Management are two of them.
Organizations have had to
reevaluate how they handle and secure assets, first because of the pandemic and
then because of the Great Resignation.
Companies are unprepared to
handle a data breach for a variety of reasons, including a lack of visibility
into how or where the breach occurred. Companies are now using a modern
approach to technology management to identify and close gaps in security
enforcement. Through this process, organizations can establish who is using the
device, what they are accessing, and where they are. In fact, through an
Enterprise Technology Management strategy, they ensure that all devices are
encrypted, virus and malware protected, and backed up. It will connect
everything back to individual users, departments, and workflows as well as
identify lost or stolen devices quickly and disable their access and security
rights.
The sophistication of the
technology necessary to manage technology has increased in tandem with the
complexity of managing technology. Some of the most forward-thinking companies
are integrating the capacity to manage the whole IT portfolio from a single
integrated view during the full duration of their lifecycle.
Thanks to the "Great
Resignation," many former employees have continued access to company data.
This is both a security concern and a potential financial liability for
businesses. Furthermore, there are varying levels of access depending on who
you are (or were) in the company. Access control isn't just about employees; it
is used to manage processes that generate critical and massive amounts of data
and is used to collect asset information with certifying and tracking
technology as these assets enter the enterprise ecosystem. Access control not
only simplifies security but also gives procurement leverage.
+++
Ryan Slaney, Threat Researcher at SecurityScorecard
From nation-state threat actors to typical cybercriminals,
today's businesses are facing a multitude of cybersecurity threats. At the same
time, many organizations struggle to maintain a robust cyber hygiene posture
because they have not yet shifted to a holistic approach to risk - one that
combines a 360º view of the attack surface with the ability to communicate risk
meaningfully and respond effectively. This is critical for business success in
today's cybersecurity threat landscape. Organizations that are slow to respond
to a security incident can face immediate consequences like lost revenue and
customer confidence.
Cybersecurity Awareness Month is an excellent opportunity
for organizations to take a strategic pause and assess their understanding of
the cybersecurity threats they face. This is fundamental to ensuring
resiliency. CISA's 2022 campaign theme, "See Yourself in Cyber," shines the
spotlight on the "people" part of cybersecurity. It's a great reminder that at
the core of cyber resilience lies collaboration. Inside every organization,
multiple groups including security, legal, and business operations, must join
hands to create clear, data-driven security strategies, appoint the right
people and follow informed business practices.
Security teams should use this time to evaluate their
strategy and seek out ways to gain visibility into critical supply chain risks,
monitor third-parties' cybersecurity postures, and reduce the threat of
attacks. Boards of directors and executives should also take this time to
evaluate the unique risks their business faces and become more involved with
cybersecurity. Seeking out tools that help security and business leaders
understand cyber risks in dollars is a great start on this journey because it
ensures the entire organization can gain a comprehensive view of cyber risks
via a universally understood metric.
At a larger scale, advancements in cybersecurity require the
private sector to work together with the federal government to find new,
innovative ways to share intelligence and mitigate impact. Government and
industry-led initiatives need to continue developing platforms and standards
that help organizations gather, identify and share sources of threat
intelligence.
+++
Deepak Mohan, data protection expert and EVP at Veritas
Cybersecurity Awareness Month shines a spotlight on the gap in cyber talent and skills, a pressing issue facing the enterprise. As the threat of cyberattacks increases, so does the number of additional professionals that organizations need to defend their data. According to Veritas research, respondents believe their organization would need to hire 27 full-time employees to address growing vulnerabilities. Additionally, on top of a 2.72 million person gap today, Forrester predicts that one in 10 experienced security professionals will exit the industry in 2022, causing that gap to grow. The shortage in cyber talent is also causing current IT administrators to feel overworked and underappreciated, which is threatening employee retention and furthering the talent gap.
There are two things enterprise CIOs should do right away to support their IT administrators amidst a shortage in talent and heightened cybersecurity incidents:
- Take control of their multi-cloud infrastructure by allocating a higher percentage of budget to support cyber resiliency and security programs with tools, training and additional personnel. CIOs can’t assume that Cloud Service Providers are automatically securing their organization’s data in the cloud. They need to take the necessary steps to ensure they have the right data protection and resiliency infrastructure in place to prevent cyber incidents and protect the organization.
- Ensure the IT organization is staging regular drills to simulate and plan for potential scenarios involving cyber attacks. Doing so will help IT administrators feel confident in their ability to recover on premise, SaaS applications and cloud systems in the event of a complete failure by regularly testing their backup systems. Preparing for the various types of cyber incidents and understanding roles and assignments ahead of time will help ease the burden of IT administrators.
+++
Cory Cline, Senior Cybersecurity Consultant, nVisium
Multi-factor authentication (MFA) is only as good as the training behind it, especially with push-based MFA. For push-based MFA, employees must be trained to be extremely cautious of any unexpected requests. Otherwise, if the user approves an MFA push prompt without a second thought, then push-based MFA would lose its purpose.
When it comes to passwords, length over complexity should be emphasized. If users are forced to use symbols and numbers, there could be an overwhelming amount of "[basic word]1!" passwords. On the other hand, if users are enforced on length without complexity, passwords become far more difficult to attack from a practical perspective. Password managers should be used by end users and requiring like 20+ character passwords could be a great way to nudge them in that direction.
Avoiding phishing scams is as much an art as it is a science. Users must be wary of: grammatical errors, small differences in email headers, and misspelled domains for links within an email. This way, users can be properly protected against email-based phishing. However, phishing extends beyond email. People should be wary of discussing private matters with anybody, in any context that they did not initiate. For example, if a credit card company calls to discuss potential fraudulent charges, it would be wise to thank them, hang up, and call the number on the back of your card itself. Attackers generally have no regard for ethics or shame and are willing to attack through any weak points in people's emotions. For example, many parents would instantly fully cooperate if it is an emergency situation pertaining to their child. When it comes to securely interacting in the world, paranoia may be a blessing as all interactions should be filtered through a lens of suspicion.
Mark Moses, Director of Client Engagement, nVisium
Ultimately, most cybersecurity incidents boil down to people. Specifically, people who have become complacent or careless interacting with people who have chosen to be threat actors for profit or pride. As cybersecurity professionals, we must always be pushing for greater attention and awareness to our code bases, configurations, and communities. Code must be tightened, checked, and reviewed for security flaws as part of the life cycle at a minimum. Likewise, our cloud, container, cryptographic, software, and server configurations must be regularly reviewed. Finally, our communities of developers, administrators, and end-users need nearly constant reminders to avoid becoming complacent, and therefore careless about the security threats. Each time we review code and configuration, it should be with the thought firmly in mind that missing something, leaving a doorway, can be catastrophic. It’s the people who write and review the code, the people who manage configurations, and the people who are utilizing these platforms and tools. People are ultimately the solution.
+++
Jeremy Chung, Sales Engineer Lead, SPHERE
I love this theme of “See Yourself in Cyber”!
The secret behind the modern hacker’s success isn’t the hours of genius poured into writing a new virus. It’s the 5-minute social engineering call they made to circumvent the billion-dollar industry trying to stop them from walking in.
Those committed to breaching the most sophisticated and modern cybersecurity technologies don’t try to beat technology, that’s too hard and takes too long. They go for the most common and weakest link: us. “We the people” are the weakest link in the security chain so WE must stay diligent in ensuring security stays top of mind, not just online, but everywhere.
Stay safe, stay secure. Enable multi-factor.
+++
Andrea Bailiff-Gush, Director of Product Marketing at AppOmni
Businesses and enterprises are rapidly transitioning their tech stacks to SaaS. But unfortunately, increased SaaS adoption coupled with inadequate SaaS security investments can leave sensitive data vulnerable to breaches.
To reduce the likelihood of data exposure and breaches, start by treating SaaS - and SaaS security - the same as any other type of technology that houses sensitive data. For example, assign ownership of SaaS security to an internal team charged with understanding who has access to what data. Far too often, we find there is no team or role specifically responsible for SaaS security.
This team should also help employees and contractors remain vigilant in thwarting social engineering ploys. Robust, continuous user education is critical. Security training should cover essentials such as:
- Checking and double checking the URL of any site requesting login credentials.
- Never clicking on any URL from a questionable source.
- Changing passwords immediately if an employee suspects their user credentials have been compromised.
We recommend complementing user education with SaaS threat detection and continuous monitoring technology to reduce the odds of a breach. Using tools to automatically identify incorrectly assigned administrative or other highly privileged roles will help your Security team prevent configuration drift, severely limiting the scope of what an attacker could accomplish if they gained unauthorized access. Comprehensive activity monitoring and threat detection can identify common and new attack patterns to alert your Security organization of suspicious activity.
With proper security procedures and investments, SaaS can become one of the least vulnerable parts of an enterprise tech stack. We strongly endorse the transition to SaaS technologies due to benefits like fast implementation, low upfront costs, extensibility, and scalable functionality for distributed teams. But organizations relying on SaaS must also remain committed to securely managing configurations, usage, and data access within their SaaS environments.
+++
Nikhil Gupta, Co-Founder and CEO at ArmorCode
If recent history has taught us anything, updating software is more important today than ever before, especially as zero-day vulnerabilities continue to be discovered at a rapidly increasing rate.
However, the challenge exists in finding all of the specific instances where updates need to be made, as businesses don’t track every single line of code that goes into every single application, especially years after an organization has already been using an application. In order to find the vulnerable code, they must often scan thousands of repositories (even those that are inactive and could be disregarded). That’s because repositories are created in software, but they aren’t actually deleted - much like finding a bunch of old screenshots or unwanted pictures in your phone's camera roll, making it seem like there is much more to sort through than is necessary. The only real way to address this daunting task is automation. If businesses aren't adopting automation now, they aren't doing what they need to do to protect themselves against the next zero-day attack.
+++
Craig McDonald, VP of Product Management at BackBox
Cybersecurity Awareness Month presents a timely reminder for organizations to reassess their cybersecurity priorities to protect themselves from the ongoing increase in threats to technology and confidential data. Threat actors continue to target commercial organizations and government institutions far and wide. Recently, major gaming platforms have fallen subject to hackers, and healthcare organizations have suffered from alarming ransomware attacks that compromised patient safety. Ensuring cybersecurity remains paramount and is critical for organizations of all sizes.
This year’s Cybersecurity Awareness Month focuses on the people that keep this industry running. This year’s focus is especially important given today’s landscape of more cyberattacks and fewer people to help prevent them. Globally, the need to protect network security is of utmost importance to ensure organizations remain protected against cybercrime. Keeping networks up to date through practical automation simplifies the multifaceted processes of recovering from cyber attacks.
It is of the utmost importance that the right people implement regular backup and recovery plans to provide organizations with the ability to continuously mitigate their likelihood of falling victim to malicious cyber activity. Automating network security processes eliminates the risk of human error, improving network security posture while providing service providers and consumers alike much-needed peace of mind in the hybrid multi-cloud era.
+++
Matt Warner, CTO and Co-Founder, Blumira
Businesses should invest in products that improve security maturity over time, rather than taking a “more is better” mindset and layering on shiny new security tools. In particular, small and mid-sized businesses (SMBs) should prioritize implementing tools that increase efficiency for small, busy, or overworked IT or security teams—rather than using solutions that generate noisy alerts triggered by known safe activity—so small teams can focus their attention on legitimate threats for faster time to resolution. Alert fatigue can lead to burnout and cause IT teams to miss critical alerts, which can create dangerous security gaps. Investing in solutions that meet an organization’s needs, and fit within their available budget and resources, is key to preventing and mitigating cybersecurity breaches and ransomware attacks.
+++
Tracy Hillstrom, Vice President, Content Experience and Strategy, WatchGuard Technologies
At this point, the evidence is clear: password-only authentication isn’t just inadequate, it’s downright hazardous. With more than 40% of breaches involving stolen credentials and the number of stolen credentials available on the dark web exceeding 24 billion, multifactor authentication (MFA) isn’t optional any longer. Compared to the cost and negative business impact of a data breach or ransomware attack, MFA is incredibly affordable and easily worth the effort of implementation.
At a minimum, organizations should require MFA for access to critical data and the management of network resources. But since many attacks start with an unprivileged user (e.g., a receptionist or someone in customer support) and then pivot to gain more access, implementing MFA organization-wide is a far safer strategy.
##