This October is Cybersecurity Awareness Month, a month dedicated to keeping individuals and companies
safe online as threats become increasingly widespread. This year's theme, "See
Yourself in Cyber," emphasizes the human aspect of cybersecurity.
We've continued to see
cybercriminals target organizations with strengthened ransomware and encryption
methods, and in some cases, we've witnessed security vulnerabilities
highlighted in surprising breaches. While no one solution or tip can stop all
attacks or adversaries, companies and their consumers alike can keep specific
practical advice at the forefront of their thoughts. Together, we can chip away
at cybercriminals' success.
These cybersecurity experts
have provided their own insight and advice on how companies can navigate an
aggressive cyber climate while safeguarding customer data.
Gal Helemski, CTO and
co-founder, PlainID:
"Adversaries have become
increasingly effective in their phishing campaigns as of late, and thus this
National Cybersecurity Awareness Month, it is critical that organizations
reinforce all security infrastructure. When an internal breach occurs where
networks are compromised, identity remains the priority challenge.
Organizations must adopt a 'Zero Trust' approach, which means trusting no one
to begin with - and revalidating that the identity is approved for access at every
stage, based on context.
Building a strong defense is
fantastic and much recommended as a layer for staying protected against
adversaries. However, once a user is compromised, especially one with
administrative credentials, they are already in your network and limiting
movement is key to avoiding collateral damage and risk. This month,
organizations should focus on educating against phishing attempts and investing
in an identity-first approach as a fundamental concept for cybersecurity
defense."
Aaron Sandeen, CEO and
co-founder, Cyber Security Works:
"Ransomware and other
cyberattacks have been used in a variety of ways throughout the year,
underscoring the attackers' growing technological sophistication and the threat
to businesses throughout the globe. Seemingly enough, cyber-attacking groups
are typically successful when they are one step ahead and can exploit system
flaws. This Cybersecurity Awareness Month, IT leaders must challenge themselves
to expand their cybersecurity visibility of known and unknown assets.
The way for corporations to
prevent cyberattacks is through proactive defense. There are
already 13 CISA-known exploitable vulnerabilities that need patching by the end
of October 2022. One of the steps that
businesses can take to avert disaster is to patch the vulnerabilities that
threat groups and attackers exploit. Understanding how vulnerable you are to
ransomware attacks and monitoring your security posture through continual
vulnerability management and proactive penetration testing is essential to
fortifying your defenses, especially when new hacking organizations
arise."
Konrad Fellmann, CISO and VP
of IT infrastructure, Cubic Corporation:
"We are living in a time where
every person and business is vulnerable to cyber threats. Mass transit agencies
are no exception; in fact, they are appealing targets simply because, as part of
the critical infrastructure, they help U.S. commerce and cities to run. If a
transit agency is shut down and we can't move people or goods, the criminals
claim victory.
Another top goal for malicious
hacks on transit agencies is getting a ransom paid. This is why we consider
ransomware to be a significant threat. It's also why we've seen cyber liability
premiums rise nearly 300 to 400% over the past couple years. The good news is,
while most transit agencies already had some cybersecurity measures in place,
the new regulations put forth by the TSA are helping to further establish a
standard for security in the transit sector. Additionally, programs like
National Cybersecurity Awareness Month are effective at helping to educate
everyone on proactive measures for preventing breaches.
To that end, Cubic's number one
priority is maintaining the trust, security and privacy of our customers, their
patrons and data. We are very focused on ensuring data protection and supporting
the use of security best practices across everything we do. For example, we
certify to industry standards such as the Payment Card Industry Data Security
Standard (PCI-DSS) and ISO 27001 in order to ensure and verify the effective
implementation of strong security controls. We also maintain close working
relationships with multiple cyber industry associations and government agencies
to stay aware of ongoing trends and gather threat intelligence to continually
improve our security posture."
Arti Raman, CEO &
founder, Titaniam:
"It is our job as
cybersecurity professionals to have everyday processes and systems in place and
running smoothly so that our data remains secure. However, as hard as we work,
bad actors work just as hard and are constantly trying to beat the systems and
processes put into place.
In honor of National
Cybersecurity Awareness Month, I want to highlight how the human element of
cybersecurity is often overlooked. The human piece is thought of as a weak link
in every enterprise's security posture, and while it may be true, it can also
be a source of power. If we put ourselves in the shoes of others, we can take a
moment and reflect on how we would react and respond. When it comes to any of
these breaches we have seen recently, it is important to extend empathy to all
those involved, and not blame, but rather come together on how we can build
stronger protections and alliances against these cyber criminals."
Richard Barreto, CISO, Progress:
"Strong and unique passwords
are first in line in any organization's defense against a network compromise or data
breach. Three-quarters of Americans are frustrated with the overwhelming number
of passwords they need to remember, and the average user has more than 90
online accounts that require credentials. Furthermore, developers are also
responsible for maintaining secret keys. To avoid the impact of compromised
credentials, it is imperative security teams provide employees and development
teams resources to 'self-serve' the set-up of a password manager and highlight
the benefits of using one. A password manager can help users identify a spoofed
website (they will only auto-fill a password to a site's URL it recognizes) and
is a great selling point to many employees. Lastly, if your organization's
budget allows it, prioritizing an enterprise license for employee use is a
great ROI in defending your first line.
Similarly, many recent
high-profile breaches have been the result of successful phishing attacks or
the malicious use of multi-factor authentication (MFA). Things like preparing
employees with how to handle MFA fatigue or deploying a phishing simulation
program are easy ways to keep your teams engaged and alert. To initiate
measurable change within your organization, training and communication efforts
should be consistent and not only focus on behaviors for employees to follow at
work but also help protect them at home too. Employees who are more conscious
of security best practices in their personal lives will exercise those same
precautions at work. Finally, one of the most important actions every
organization can take is to create a culture where reporting security concerns
is encouraged and praised."
Raffael Marty, EVP and GM of
Cybersecurity, ConnectWise:
"The workplace has undergone an
evolution in recent years. The added complexities of new technologies such as
BYOD and the continued penetration and adoption of SaaS applications, combined
with the overnight shift to work-from-home practices and constantly changing
regulations, have left many businesses struggling to keep up. All the while,
the increased threat of cybersecurity attacks looms over businesses, with over three-quarters of Small
and Medium-sized Businesses (SMBs) reporting that they have been impacted by at
least one cyber attack in 2021.
Having solid cyber security
policies is critical for all organizations in today's digital age. For SMBs who
lack the expertise and resources in-house to defend themselves against threats,
the risks can be difficult to manage. Gone are the days when SMBs were
considered 'immune' to cyberattacks. For these organizations,
partnering with a Managed Service Provider (MSP) makes it possible to protect
their systems and data from an attack.
No matter the security products
and services a business consumes, there are four cost-effective elements that
every business needs to implement to ensure success:
1. Incident preparedness: It's not if but when an attack will occur. Being
prepared for a possible incident is key. The ability to swiftly react to an
incident can make a significant difference to business operations.
Understanding points of contact, process owners, and decision-makers in the
case of an incident will assist in quickly containing a threat and bringing the
business back to an operational state.
2. Patch management: Patch management may seem complicated, but it really
isn't. Whether done manually or with a solution, software updates and patches
should be promptly installed - not just on laptops and servers but also on
firewalls and other network devices such as routers, APs, and office equipment.
3. Password hygiene: Whilst often taken for granted, passwords are the first
line of defense against malicious activities in the digital space. Using
different passwords for different sites and services, regularly changing
passwords, and implementing multi-factor authentication (MFA) where possible is
key.
4. Backups: To have and to test from this day forward. Not only do
organizations need to test their backups regularly to ensure they work, but
they should also be stored offline on a regular basis."
Christopher Rogers,
technology evangelist at Zerto, a Hewlett
Packard Enterprise company:
"A lot has changed in the 19
years since October was first recognized as National Cybersecurity Awareness
Month (NCSAM). With the risk of ransomware attacks now greater than ever
before, the significance of cybersecurity protocols - for both organizations
and individuals - cannot be overstated. This Cybersecurity Awareness Month
offers the opportunity to examine our own internet security habits and ensure
that the correct infrastructures are in place to handle the ever-present threat
of a cybersecurity attack.
However, now that the question
of a cyber attack is not if, but when, organizations must be prepared for not
only the attack itself but also, arguably, more importantly, the recovery.
Businesses need backup and disaster recovery plans that ensure that they can
recover quickly and minimize disruption and data loss - limiting downtime and
restoring operations in a matter of seconds or minutes, rather than days or
weeks. When it comes to cybersecurity, protection alone is not enough,
and a recovery plan should be an essential part of every cyber strategy."
Jeff Sizemore, chief
governance officer at Egnyte:
"In today's hybrid work
environment, companies across business disciplines and industries are
navigating increased cyberattacks and rapidly-evolving data privacy regulations
amid explosions in data volume and usage. Unfortunately, many organizational
stakeholders do not understand how to properly secure and manage their
mission-critical data.
This Cybersecurity Awareness
Month and beyond, organizations should take proactive steps to enhance
cybersecurity, such as updating incident response plans, prioritizing
company-wide cybersecurity awareness training, and limiting access to critical
data on a 'business need to know' basis. It's time that cybersecurity is no
longer considered to be an optional budget line-item. Cybersecurity is not just
something that highly regulated industries or critical infrastructure need to
be concerned with; today's environment has made this a necessity for all
organizations, no matter the size or tenure. By further educating employees and
executive management on the importance of data security and governance,
companies can be better protected against potential threats like
ransomware.
Finally, organizations should
put technology on their side to provide a single source of truth for all
structured and unstructured data. Not only does this enable secure file
collaboration, but it allows companies to better understand where their data
lives, how it's used, and who has access to it."
Surya Varanasi, CTO, StorCentric:
"As an IT professional,
Cybersecurity Awareness Month reminds us how critical it is to continuously
educate yourself and your workforce about the malicious techniques used by
cybercriminals, and how to practice proper cyber hygiene in order to decrease
potential vulnerabilities.
Today, the process of backing
up has become highly automated. But now, as ransomware and other malware
attacks continue to increase in severity and sophistication, we understand that
proper cyber hygiene must include protecting backed-up data by making it immutable
and by eliminating any way that data can be deleted or corrupted.
An Unbreakable Backup does
exactly that by creating an immutable, object-locked format, and then takes it
a step further by storing the admin keys in another location entirely for added
protection. Other key capabilities users should look for include policy-driven
data integrity checks that can scrub the data for faults and auto-heal
without any user intervention. In addition, the solution should deliver high
availability with dual controllers and RAID-based protection that can provide
data access in the event of component failure. Recovery of data will also be
faster because RAID-protected disk arrays are able to read faster than they can
write. With an Unbreakable Backup solution that encompasses these capabilities,
users can ease their worry about their ability to recover - and redirect their
time and attention to activities that more directly impact the organization's
bottom-line objectives."
Brian Dunagan, vice
president of engineering, Retrospect, a
StorCentric Company:
"Cybersecurity Awareness Month is a great reminder that we
must remain vigilant and always be thinking about how to handle the next wave
of cyberattacks. While external bad actors, ransomware and other malware are
the most common threats, malicious or even careless employee actions can also
present cybersecurity risks. In other words, it is virtually a given that at
some point most will suffer a failure, disaster or cyberattack. However, given
the world's economic and political climate, the customers I speak with are most
concerned about their ability to detect and recover from a malicious ransomware
attack.
My advice to these customers is
that beyond protection, organizations must be able to detect ransomware as
early as possible to stop the threat and ensure their ability to remediate and
recover. A backup solution that includes anomaly detection to identify changes
in an environment that warrant the attention of IT is a must. Administrators
must be able to tailor anomaly detection to their business's specific systems
and workflows, with capabilities such as customizable filtering and thresholds
for each of their backup policies. And, those anomalies must be immediately
reported to management, as well as aggregated for future ML/analysis purposes.
The next step after detecting
the anomaly is providing the ability to recover in the event of a successful
ransomware attack. This is best accomplished with an immutable backup copy of
data (i.e., object locking) which makes certain that the data backup cannot be
altered or changed in any way."
Gunnar Peterson, CISO, Forter:
"In the cybersecurity world,
there is a quote that 'defenders think in lists, attackers think in graphs.' It
means that an adversary's ability to find unexpected connections gives them the
upper hand over those defending the system. After all, attackers are known for
thinking outside of the box, which is why complex passwords and multi-factor
authentication (MFA) by themselves do not solve the rising data breach numbers.
To respond, defenders need to think differently.
National Cybersecurity
Awareness Month also coincides with Dyslexia Awareness Month. On the surface,
it may seem like the two aren't related. However, neurodiverse individuals are
a huge asset to security teams, bringing unique perspectives to problem-solving
and breaking the cycle of group think. Seeking out neurodiverse teammates in
hiring, and recognizing and building around their strengths can be a vital
asset to anticipating an adversary's moves and uncovering potential solutions
to problems before they arise.
This is a growing challenge for
certain organizations, and I hope this month is a wake-up call for security
managers to widen the aperture in ways of working and dismantle the systems
that are set up to develop and reward cookie-cutter operators. Neurodiversity
is a security strength and we should collectively work to foster a more
inclusive industry for everyone."
Kathryn Kun, director of
information security, Forter:
"The legend of the 'skills gap'
has been permeating the cybersecurity industry for quite some time. More and
more technical leaders in the last few years have questioned whether or not it
exists. Research seems to say yes, with industry analysts predicting that the
digital skills gap will leave about 85 million jobs unfilled by
2030, but it doesn't paint a complete or accurate picture. In all actuality,
the skills gap is just a recruiting gap, where companies fail to look beyond
limiting job qualifications or the usual candidate pools to include individuals
with not-so-traditional backgrounds that could have given them desperately
needed skills.
In fact, my own path to
security was unorthodox. I have degrees in philosophy and chemical engineering;
and spent the majority of my early career without ever considering a role in
cybersecurity. But it's precisely the skills I mastered in these disciplines
that have helped me carve out a place in information security.
In honor of this year's
National Cybersecurity Awareness Month theme, 'See Yourself in Cyber,' I would
like to encourage company leaders to think outside of the box and see how other
job roles such as librarians, educators, sales and communications
professionals, HR and civil service workers and more could fit into the
security field. Because as long as we keep hiring from a limited perspective
and one-size-fits-all resumes, we will continue to do the greater cybersecurity
industry a disservice. Examining what skills we need to hire for, and focusing
on where else we can find those skills will only strengthen our ability to
fight against adversaries."
Carl D'Halluin, CTO, Datadobi:
"Orphaned data, or data that lives in an organization's network but was created and owned
by a now deactivated employee, is a major problem that almost every enterprise
across all industries is facing. Holding onto data that isn't owned by anyone,
and that IT leaders have no visibility into, can introduce major risk to a
company because of the data's unknown content. This National Cybersecurity
Awareness Month, IT leaders should focus efforts on managing their unstructured
data to eliminate costly and risk-inducing orphaned data. We recommend that IT
teams look for an unstructured data management platform with key capabilities.
These include the ability to expose where orphaned data exists, search for and
tag all of this data, and then take action to migrate or delete all orphaned
data. With better visibility into and management of their data, organizations
can stay secure this October and beyond."
Richard Bird, chief security
officer, Traceable AI:
"Take a moment and consider how
you operate in your analog (IRL) life when it comes to security. You wouldn't
leave a notepad with all of your important personal data, alarm codes and
passwords in the middle of your yard. You wouldn't spread your tax returns or
health records out on the dining room table for all of your friends and
visitors to see. Take the conscious lessons about personal security that you
already know and do in real life and just simply apply that same level of
attention to your digital security."
Justin McCarthy, co-founder
and CTO, strongDM:
"The cybersecurity
industry is constantly competing to stay one step ahead of adversaries. If the
increased frequency of malicious hacks and breaches as of late teaches us
anything, it should be that there's risk associated with any use of
infrastructure credentials. After all, we're all human, and it's easy to make a
small mistake with potentially devastating consequences.
In honor of National
Cybersecurity Awareness Month, I would urge CISOs and other security leaders to
consider adopting modern security and access solutions that remove credentials
completely from the equation. Doing so can give security teams peace of mind
that login information can't end up in the wrong hands. It also allows
employees to focus on day-to-day tasks without worrying about potentially
exposing themselves and the company to undue risk."
Ralph Pisani, president, Exabeam:
"In honor of National Cybersecurity Awareness Month, I wanted to share a few
pieces of practical advice for organizations to reduce the risk of
credential-based attacks and minimize damage if they do occur:
- Every employee is a target.
Adversaries will often cast a wide net, so it's important that everyone
stay on guard and use complex passwords, recognize the signs of a phishing
scheme and practice good cyber hygiene.
- Assume a breach has happened. In all
actuality, your systems and employees have already been compromised, and
your credentials have been compromised, stolen, and likely resold for
future uses. What you need to do now is to detect these attacks at
speed to minimize the damage.
- You can't find abnormal until normal is
known first. Establish a baseline of normal user behavior. Using
behavioral detection analytics, you can understand patterns for every
user, device and peer group to uncover what is beyond legacy detection
capabilities.
Security teams are looking for
the needle in the haystack, rather than the haystack itself. Taking the time to
educate yourself about credential-based attacks and understanding normal user
and device behavior can go a long way in bolstering your organization's
security posture."
Amit Shaked, co-founder and
CEO, Laminar:
"In our multi-vendor,
multi-cloud world, it has become more challenging than ever for companies to
have visibility into where their data resides, who has access to what, and why.
This has caused more than one in two organizations to
experience a breach in the past two years, and thousands of sensitive data
files to be extorted and leaked on the Dark Web.
With October being National
Cybersecurity Awareness Month, I only have one question for security
leaders:
Do you know where your
sensitive data lives and do you have the tools and resources to manage
it?
To safeguard against a majority
of today's data breaches, organizations must have complete data observability
and adopt a data-centric approach to cloud security. After all, how can you
protect what you can't see? Prioritizing visibility helps security teams
understand where an organization's most sensitive data is, whether or not it
has proper controls in place, if it is being monitored or not and reduces the
risk of 'shadow' (unknown or unmanaged) data."
MarKeith Allen, senior
vice president and managing director of mission driven organizations, Diligent:
"In 2022, collaboration tools
are more important than ever; however, we need to be sure that their security
is not neglected as our reliance on them grows. Collaborative technologies are
frequently used without restriction, creating shadow IT that enhances the
danger of internal leaks when access privileges and security regulations
weren't strictly adhered to or enforced. As employees navigate their new hybrid
or at-home working environments, a lack of consistently applied cybersecurity
practices can follow and possibly lead to bad outcomes.
Open communication
channels, such as Slack, messaging, and personal email, are excellent for
informally exchanging information, but they frequently lack the security or
access rights required for private discussions between executives, the board,
legal, HR, risk, and compliance departments. Organizations require secure
working conditions and workflows that enable them to transmit extremely
sensitive information without fear of it being unintentionally diverted,
forwarded, leaked, or even stolen. Additionally, the system must be
user-friendly and practical so that executives stick to its workflows and
procedures rather than straying to other systems and jeopardizing security.
These actions go a long way toward reducing insider threats if they are taken."
Rod Simmons, vice president of product strategy, Omada:
"With Cybersecurity Awareness Month upon us, it's a good time to reinforce that cybersecurity is truly a business enabler and needs to be treated as such. Much grumbling is made about cybersecurity as a blocker for companies. However, the inverse is often true. Companies should stop blaming security for slowing business operations and embrace the longtail positive effects of strong security. To build a strong culture, companies should look to cybersecurity tools that inherently bake in policies and processes that foster secure business practices."
Ricardo Amper, Founder and CEO, Incode:
"Biometrics are increasingly being used across sectors to optimize security. As biometric data is directly tied to an individual, credentials are not easily compromised, providing a secure layer of protection for people's sensitive data. For example, the face can be used at all times, in all places, and in all types of transactions as a pass key. In 2023, sectors from fintech to healthcare, sports to tourism will increasingly turn to biometric digital identity verification for high security, reliability, and speed to strengthen security. Biometrics will revolutionize the way we interact with institutions and companies to make our daily lives easier and safer."
Dave Burton, CMO, Dig Security:
"The modern data security landscape, with the number and variety of data assets per organization exploding, calls for new protection strategies. Solutions built for specific clouds and data types do not suffice as more and more businesses use multiple clouds. To keep up with emerging threats and secure their critical data, businesses need a solution that can cover any cloud and any data store. New technology like data security posture management (DSPM) is a great start to assess static risks and security posture, but real-time detection and response has become essential to actively protect sensitive data from a breach."
Craig Lurey, CTO and Co-Founder, Keeper Security:
"The COVID-19 pandemic ushered in a new era of remote and hybrid work, and with it, an explosion of cloud technologies in the workplace. Now, organizational data is distributed with more endpoints than ever before. At Keeper Security, we recently surveyed business leaders in the U.S. to get their take on key cybersecurity issues, and found that only 32% have plans to adopt a zero-trust and zero-knowledge security approach. This stat is alarming, as zero trust is the only realistic framework for securing modern, cloud-based data environments and distributed workforces. To achieve security, organizations must implement a cybersecurity platform that provides full visibility, security and control across their entire data environment."
Jasmine Henry, Field Security Director, JupiterOne:
"CISOs face an uphill battle in attracting and retaining enough cybersecurity talent. One potential solution is to focus more on vocational education. While bachelor's and master's degree holders serve as the foundation of most enterprise security organizations, many roles, including thousands of open cybersecurity positions, are more vocational in nature. Students who complete cybersecurity training in vocational schools fully immerse themselves in their studies and the field and can enter the workforce within two years or less. Vocational training has the potential to be transformative and critical in addressing the cybersecurity skills shortage.
Established professionals in the field should encourage this trend by identifying roles within their organization that this type of education can fill and then adapt their hiring practices accordingly. They can also work with cybersecurity-focused vocational training and education programs to ensure success. This way, they can provide career opportunities to a diverse group of people while also developing desperately needed talent to protect our digital ecosystem."