Virtualization Technology News and Information
Cybersecurity Awareness Month 2023: Industry Experts Share Their Thoughts


National Cybersecurity Awareness Month (NCSAM) is an annual campaign held in October to raise awareness about the importance of cybersecurity and to encourage individuals and organizations to take steps to protect themselves from cyber threats.

This year's NCSAM theme is "It's easy to stay safe online." This theme reminds internet users that there are plenty of simple ways to keep personal information and private data secure when browsing and using the internet.

To celebrate NCSAM and to help our readers learn more about the latest cybersecurity trends and threats, we have reached out to a number of industry experts to get their thoughts on the upcoming campaign.

In this article, we will share the insights of these experts on a variety of cybersecurity topics, including:

  • The most important cybersecurity threats to be aware of in 2023
  • Tips for staying safe online
  • How to protect your organization from cyberattacks
  • The future of cybersecurity

We hope that this article will help you to learn more about cybersecurity and to take steps to protect yourself and your organization from cyber threats.

++

David Bennett, CEO, Object First

"This October marks the 20th annual Cybersecurity Awareness Month, and it's arguably more important than ever. Ransomware operations are set to reach the second highest yearly profits ever recorded in 2023, according to the Department of Homeland Security. Therefore, it should come as no surprise that Gartner predicts that by 2028, 100% of storage products will include cyber storage capabilities focused on active defense beyond recovery, up from just 10% in early 2023. Immutable S3 Object storage, a technology that prevents data from being altered or corrupted once on the backup storage device, will be an essential part of this movement."

Tony Liau, VP Product, Object First

"Every year for Cybersecurity Awareness Month, it seems there’s a new and more concerning variant of cyberattack to be discussed. This year, I’m particularly keeping an eye on acoustic attacks, a new threat that taps into our microphones and uses machine learning to guess our keystrokes just by listening. Researchers have found these models to be 95% accurate, providing attackers with passwords and insights into sensitive discussions and data, which can then be used by cybercriminals to launch malicious attacks such as ransomware. This stealthy new attack emphasizes the importance of making sure primary AND backup data is properly secured so that it is available for restoration at any point – because threats such as ransomware aren’t slowing down any time soon."

++

Dave Russell, VP of Enterprise Strategy, Veeam Software
 
"Cybersecurity is only the tip of the iceberg in today’s fractured and exposed attack landscape. It’s incredibly important that IT leaders are thinking full circle with regards to ransomware response and recovery because that’s where the industry is currently dropping the ball.
 
Though we’ve been recognizing Cybersecurity Awareness Month for 20 years now, we have yet to close the gap between awareness and actual prevention. I would love to see the industry shift from simple awareness to sharing concrete, tangible steps toward a holistic cyber resiliency strategy.
 
By focusing on steps like patching a new system every week and testing backups during the month of October (and beyond) we can make actual strides forward in the fight against ransomware."

Rick Vanover, Sr. Director of Product Strategy, Veeam Software
 
"Awareness is the most important part of Cybersecurity Awareness Month. IT decision makers, IT administrators and more need to be keenly aware of legitimate cybersecurity intelligence so that they can be equipped to respond well to whatever comes their way. Ransomware, phishing, supply chain attacks, insider threats and more top-of-mind problems coupled with advanced behaviors underscore the need for awareness of the threats at hand today. From MITRE ATT&CK to the next new hack, it’s everyone’s role to stay informed and manage threat intelligence well with a focus on the preparation to respond. The ultimate goal with all of this in mind is to keep your data out of reach from the threats."

++

Martin Zugec, Technical Solutions Director, Bitdefender
 
"What we are seeing is threat actors stepping up their attacks on vulnerability exploits. In the Bitdefender 2023 Cybersecurity Assessment report, global respondents for the first time listed software vulnerabilities and zero-day attacks as their primary cybersecurity concern, surpassing phishing and social engineering attacks. This recognition is a good sign, as we've observed threat actors increasingly targeting software vulnerabilities.
 
Ransomware-as-a-service (RaaS) affiliates and initial access brokers often need less than 24 hours to weaponize newly discovered vulnerabilities that impact popular software, build automated scanners that discover these vulnerable systems and implement backdoor access. After a system is compromised, attackers can wait weeks or months before they make their move.
 
This year's Cybersecurity Awareness Month should serve as a reminder that defense-in-depth remains a critical strategy. You need both traditional security (patch management) and the latest emerging solutions for detection and response (XDR or MDR) to stop the well-funded and organized RaaS ecosystem."

++

Gene Fay, CEO of ThreatX

"While tech investments and developing cyberattack preparedness and response plans are something today’s organizations can’t afford to fall behind on, there’s another key piece of the puzzle: people. Amid today’s evolving threat landscape and in light of National Cybersecurity Awareness Month (NCSAM), all organizations must prioritize cyber education, training, organizational protocols, and communication to ensure everyone is aligned. A strong, people-first approach to cybersecurity ensures all stakeholders – not just security teams – have a seat at the table.
 
NCSAM is the perfect time for organizations to rethink and reprioritize their current security processes. Cyber leaders must acknowledge that human error and social engineering often serve as entry points for cyber incidents, as we see growing phishing schemes impacting organizations, for example, which is a major theme of NCSAM’s 20th anniversary. With ‘staying safe online’ being the core of this year’s theme, getting ahead of these threats calls for leaders to lean in and adopt a human-centric approach by fostering a culture of security awareness.
 
Organizations should invest in comprehensive, engaging training regularly for all employees. Encouraging transparent communication about potential and existing threats is another critical area for leaders to create a security-first culture. A collective sense of responsibility for safeguarding sensitive data should also take priority, ingraining best practices across all everyday tasks and processes. NCSAM also provides a great opportunity to develop stronger training and awareness programs internally."

++

Tyler Reguly, Senior Manager, Security R&D, at cybersecurity software and services provider Fortra

"I’m a bit of a broken record every year when Cybersecurity Awareness Month rolls around, but I’m going to repeat myself again this year. Turn on multi-factor authentication (MFA). MFA (sometimes called two-factor authentication, or 2FA) adds a critical layer of security to all of your accounts. While passwords have their uses, MFA is what really keeps you safe. There are two types of MFA that I want to discuss: the type where you have an approved application that allows you to authorize login requests, and the type where you are sent a code to type into the website. Some sites put so much faith in MFA that you are prompted for an MFA response before your password. The downside to this approach is that you may get notices to approve login requests that you did not make. The most important part of MFA is that you only approve requests that you have made.

These days, most people who work in a corporate environment are familiar with MFA. That is because it is a critical aspect of enterprise security. If your enterprise security teams have decided that MFA makes the organization safer, it only makes sense that you should employ it with all of your online interactions. It is common to see MFA in banking and email. However, other important places include social media, gaming, vendor websites, and anywhere else that you log in. While some would discourage the use of email-based or SMS-based MFA, and there are better options available, it is important to note that something is better than nothing and you should leverage whatever method of MFA the service makes available to you. Always utilize MFA alongside unique passwords for each website.

For parents, gaming is a great way to stress to teens the importance of MFA. There are plenty of stories circulating around users who have lost all of their in-game progress, add-ons, or consumables simply because their account was accessed and their items stolen. I know people who have lost everything in-game, which finally prompted them to enable MFA across all of their accounts. Sadly, the items were never recovered, but the loss of those items served as a lesson on why MFA is so important; hopefully, other people's losses can serve as a lesson to all teens."

++

Jason Dettbarn, Founder & CEO, Addigy

"Cybersecurity has moved from an afterthought to one of the more important decisions in the boardroom, as executives have come to understand the potential scale and impact of attacks. Breaches don’t just cost money – they can debilitate a company.
 
IT leaders need to ensure they are leveraging the right security processes and tools to maintain compliance vigilance, which includes a layered approach to OS Patching, Application Patching, adhering to Compliance Frameworks, and End-User Authentication Management. The speed and impact of Zero Day vulnerabilities highlight the importance of applying these patches throughout an organization's entire fleet of devices in a timely fashion. National Cybersecurity Awareness Month serves as a good reminder of this."

++

Carl D'Halluin, CTO, Datadobi
 
"Cybersecurity Awareness Month is a critical reminder that effective cybersecurity isn't solely about building higher walls against external threats. It's equally about understanding and managing the data you already hold within those walls. Illegal and orphaned data are prime examples of internal vulnerabilities that often go overlooked.
 
The risks of harboring illegal data are multi-faceted, spanning potential legal issues, reputational harm, and increased susceptibility to network compromise due to embedded malware. Orphaned data, often accumulating unnoticed due to employee turnover, can pose governance and compliance risks.
 
This month-long focus is not just an opportunity but a necessity for organizations to deepen their commitment to employing the necessary methodologies and technologies that enable effective internal data governance and oversight. A proactive, inside-out approach to cybersecurity has never been more crucial."

++

Don Boxley, CEO and Co-Founder, DH2i

"Today, cyber threats are escalating into full-blown crises – making Cybersecurity Awareness Month more than just a gentle reminder, but a stark warning that we must urgently overhaul our digital defenses. Gone are the days when established security measures like VPNs sufficed. Hackers are continually advancing, rendering traditional methods increasingly obsolete. Proactive security isn't an option; it's an absolute necessity if organizations want to survive into the future.

Software-Defined Perimeters (SDPs) are rapidly gaining prominence as an innovative and intelligent alternative to VPNs. They address and eliminate many traditional VPN vulnerabilities, such as susceptibility to lateral network attacks that could compromise sensitive organizational assets. SDPs simplify the secure connection of network assets across diverse infrastructures—from on-premises to hybrid and multi-cloud setups—and closely align with Zero Trust Network Access (ZTNA) principles. By adhering to the Zero Trust tenet of "never trust, always verify," SDPs offer stringent security controls at the application level. This ensures that resources like servers, storage units, applications, IoT devices, and users gain access only to the specific data endpoints required for their tasks, thereby eliminating potential vulnerabilities such as lateral movement paths that attackers could exploit.

Let us heed National Cybersecurity Awareness Month as an urgent call to action for adopting next-generation solutions like SDPs and Zero Trust principles. In doing so, we will be equipping organizations and individuals with the robust defenses needed to outpace ever-advancing cyber threats."

++

Seth Blank, CTO, Valimail

"October may conjure images of falling leaves and Halloween festivities, but it's also Cybersecurity Awareness Month—a crucial period that calls for our attention on the increasing threats in the digital landscape. Among these threats, one that's often pushed to the background but deserves center stage is email security.

Email is the battleground where some of the most sophisticated social engineering attacks, like spear-phishing and whaling, are waged. These attacks exploit human psychology, leveraging the absence of the usual cues we rely on to assess trust—no facial expressions, no tone of voice, just cold text on a screen. You've probably been inundated with the same stats again and again, like the fact that 91% of all cyberattacks start with phishing. Or that the FBI has reported $50 billion—with a b—in losses due to business email compromise (BEC). And due to that inundation, it's easy for some to look at email as an old problem. But those stats show the problem is not just as bad as it's ever been; it's getting worse. Much, much worse.

The bottom line is that even if the stats have become easy to ignore—the problem is real, and one misstep can wreak havoc. This Cybersecurity Awareness Month, don't just scroll past the warnings—take them to heart. Beef up your email security, or get ready for a world of hurt. The ball is in your court, and it's ticking."

++

Raffaele Mautone, CEO of Judy Security

"In today’s digital landscape, cybersecurity is paramount for SMBs, given their vulnerability to common cyber threats such as phishing and ransomware. These attacks can result in substantial financial losses, reputational damage, and legal troubles. Cultivating a strong cybersecurity culture, boosting awareness, and providing comprehensive training are pivotal steps in effectively reducing these risks for SMBs, while ensuring the long-term security and success of their ventures."

++

David Menichello, Director, Security Product Management, Netrix Global

Generative AI is creating an imbalance between offensive and defensive security teams

"Generative AI is accelerating the development of exploits and payloads on the offensive side. Likewise, it is a good tool for the blue teams who defend their networks and applications for finding ways to automate and bridge gaps in a population of IT assets that could be vulnerable and not under one management program that’s easily patched, secured, or interrogated for susceptibility to attacks.

Building talent internally or finding service providers with the time and expertise to develop and extract the value out of generative AI from a defensive standpoint will be necessary. But there will always be an imbalance because the attack side can weaponize exploits quicker than the defense side and assess, test, and patch. It's never a fair fight between the offensive and defensive sides because while blue teams must patch every vulnerability, red teams only need to find one in some cases to unravel a network."

Ransomware attacks are upping the ante 

"The threat landscape is bad and getting worse, as we’ve seen some things recently that are particularly concerning. Threat actors are moving from double extortion attacks to triple extortion attacks in order to raise the ante. A new twist is threatening to publish the attack vectors and vulnerabilities to the victim organization’s cyber insurance carrier in an attempt to invalidate any potential claims."

Shortening the Lifecycle of vulnerabilities

"We see that a lot of organizations have not yet graduated to unify their security monitoring functions with vulnerability management and attack surface management efforts. They still operate as programs owned by separate teams creating a lack of coordination with blue teams to alert them if a vulnerability is in the process of being fixed. By marrying vulnerability management and ASM efforts with things like MDR, organizations can achieve better outcomes faster."

Tooling

"The trend we’re seeing is that solving for discrete problems and point solutions is falling out of favor, to the tune of organizations looking instead to standardize on a suite of tools across a connected platform with a common look, feel, back-ends, reporting and certification track that achieves objectives.

While some organizations today have robust security budgets and various point solutions, they still face security incidents like phishing attacks, ransomware, or data exfiltration. This is partly due to shortfalls in processes, experience, and talent but it is also a result of organizations taking a singular point of view, finding point solutions to address specific problems, creating a landscape of tools that don’t talk to each other instead of building an ecosystem that works together and is visible.

What’s required today to secure a business is security tooling that fits together, works, and gives you the birds-eye view, early warning, reporting, and monitoring around the efficacy of what you’ve constructed to demonstrate the value. Hence, you continue to receive that investment and show why efforts deserve to be funded and are valued by your stakeholders because you’ve kept your company out of harm’s way, whatever that might be.

There are great tools out there, but they are not a silver bullet, and they require proper implementation. Technology is not the key differentiator with essential security tools, but instead, it is the expertise of the people using them and their discipline to set up standardized processes that efficiently achieve desired outcomes."

++

JP Perez-Etchegoyen, CTO at Onapsis

"This year’s Cybersecurity Awareness Month serves as a timely opportunity for companies to reassess their cybersecurity practices. The significance of cybersecurity has grown even more pronounced in the face of ransomware and supply chain attacks that have affected organizations of all sizes and sectors. Just considering the number of cyberattacks, research indicates a 38% increase from 2021 to 2022.   
 
The ability to ensure business continuity and safeguard brand reputation now hinges on an organization's capacity to enhance the availability of business operations, of which a critical part are its business applications, while also embracing innovation and integrating security and compliance into their operations. Special emphasis must be placed on safeguarding critical web applications since cybercriminals continually identify and exploit vulnerabilities in this area. Such vulnerabilities not only risk data exposure and theft but can also result in complete system downtime until necessary updates are deployed. This system downtime, when it comes to business critical applications, equates to business disruption, potentially resulting in millions of dollars in losses.
 
With the theme “it’s easy to stay safe online” in mind, enterprises must evaluate all elements within their IT landscape to detect any potential cyber threats. This includes identifying unpatched systems, addressing permissive access controls, securing integrations, and rectifying any misconfigurations. Prompt action is vital to shield mission-critical applications and the overall business from sophisticated cybercriminals. Organizations should also incorporate a robust business application security program into their cybersecurity strategy, ensuring complete visibility into applications for high-priority patching, vulnerability assessments, and security protection."

++

Josh Bartolomie, VP of Global Threat Services at Cofense

"Cybersecurity Awareness Month, now in its 20th year, stands as an annual partnership between government and private sectors, uniting efforts to enhance awareness of digital security. Its mission: equipping everyone to safeguard their personal data against the perils of digital crime.
   
Contrary to the belief that technology alone can eliminate vulnerabilities, it is essential to recognize that your workforce constitutes one of the most important lines of defense. They play an indispensable role in guarding against cybersecurity attacks and compromises. Organizations need to invest in their employees, imparting not just the ability to recognize suspicious activity but also to foster a culture where reporting such concerns and incidents is encouraged and even incentivized. Additionally, in cases where threats manage to elude employee vigilance, Security Operations Center (SOC) teams must possess the capability to identify, trace, and neutralize these risks swiftly and efficiently.
 
Cybersecurity is our collective responsibility. The most effective way to ensure protection is by working together. Cybercrime ranks as the foremost threat faced by companies but fear not; there are established and user-friendly methods to thwart it, like free resource toolkits to greatly assist in promoting security awareness."

++

Andrew Hollister, CISO and VP Labs R&D at LogRhythm

"Each year, Cybersecurity Awareness Month serves as a valuable reminder of the critical importance of fortifying our organizations’ cybersecurity posture in an increasingly interconnected world. This year, Cybersecurity Awareness Month’s focus is on four key behaviors: enabling multi-factor authentication, using strong passwords and a password manager, updating software, and recognizing and reporting phishing attempts—all essential practices in safeguarding against cyberattacks. Our growing reliance on digital technology within the business landscape is accompanied by escalating threats and vulnerabilities that pose significant risks to sensitive data, financial stability, and even national security.  
 
In the face of these escalating threats, it is worth noting that 67% of respondents in a recent study reported their companies losing business deals due to customers’ lack of confidence in their security strategies. A solid security strategy has become a business imperative, and all too often, organizations either fail to do the basics or don’t truly understand the full scope of the threat they are facing. Digital transformation over the past decade has led us to a place where much of our data has moved to the cloud and our user communities have also at least partially “moved to the cloud” as well post-pandemic, in various forms of hybrid work patterns. Let us use Cybersecurity Awareness Month as a catalyst for action. Strengthen your organization's defenses, educate your teams, and invest in technology solutions that enable you to reduce your overall risk. By doing so, we can collectively fortify our digital foundations, protect our critical assets, and ensure a safer digital future for all."

++

Paul Trulove, CEO, SecureAuth

Passwords are time and time again compromised

"To avoid identity attacks such as MFA bombing/flooding and recent identity breaches from major IAM providers – organizations need to adopt a modern passwordless continuous authentication approach. Given that traditional username/password authentication no longer meets even basic security requirements, multi-factor authentication is the new baseline. But in many cases, it is being used as a blunt-force instrument that adds significant friction without materially increasing. Identity authentication should leverage passwordless methodologies that reduce friction for the end user and result in a much higher level of assurance that a user is who they say they are during the authentication process.

In addition, authentication should not be viewed as a binary event; it should be a continuous process that starts before the actual authentication event happens and continues post authorization to monitor for malicious behaviors."

Phishing Resistant Multi-Factor Authentication (MFA)

"While multi-factor authentication (MFA) increases the friction for an attacker to gain access to a user’s account, not all MFA methods are created equal. Many of the most common MFA options (SMS, push-to-accept, and timed one-time passwords from a rotating OTP application such as Google Authenticator) are susceptible to social engineering by an attacker. If an attacker has a user’s username and password, the attacker could call or text the user pretending to be IT and ask for the OTP they were just sent, when in reality the attacker has entered the username and password successfully and the Identity Provider has sent a legitimate OTP to the user. The attacker will then use that OTP to access the user’s account. The other method to bypass MFA is for the attacker to repeatedly attempt to log in and have the system send OTPs or push-to-accept MFA prompts until the user mistakenly hits “Accept” or just hits accept to get rid of the continuous alerts.
 
There are two specific types of MFA that are resistant to phishing attempts, as they require direct access to a user’s mobile device or hardware device. Symbol-to-accept requires the user to enter a specific letter or number that gets displayed on the OTP screen; the other is hardware security keys (FIDO or WebAuthn, such as YubiKeys)."
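The two bypasses Trulove describes (an attacker who already holds the password triggering a legitimate OTP or push, and prompt flooding until the user taps "Accept") and the symbol-to-accept defence, as an added illustration that is not part of the original article and not SecureAuth's or any vendor's code. It is a toy Python identity provider in which the user's device has no bare "Accept" button: it must return the symbol that was rendered only on the login screen that started the attempt. The class and function names, the constants, the user name and the IP addresses are all constructed for this example.

```python
"""Toy "symbol to accept" (number-matching) second factor.

Added example, constructed for this page. Not a vendor implementation.
Shows why binding the approval to the originating login screen defeats
blind accepts and why a per-user cap on open prompts blunts push bombing.
"""
import hmac
import secrets
import string
import time

CHALLENGE_LEN = 2               # digits shown on the login screen (constructed value)
CHALLENGE_TTL_SECONDS = 60      # unanswered prompts die instead of lingering
MAX_PENDING_PER_USER = 3        # cap on open prompts per user (push-bombing brake)


class LoginAttempt:
    """One pending second-factor prompt tied to one specific login request."""

    def __init__(self, user, source_ip, symbol, created_at):
        self.user = user
        self.source_ip = source_ip
        self.symbol = symbol            # rendered ONLY on the requesting login screen
        self.created_at = created_at

    def expired(self, now):
        return now - self.created_at > CHALLENGE_TTL_SECONDS


class SymbolToAcceptIdP:
    """Minimal identity provider; `clock` is injectable so expiry can be exercised."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self.pending = {}               # attempt_id -> LoginAttempt
        self.events = []                # audit trail a SOC could alert on

    def _open_prompts(self, user):
        now = self._clock()
        return [a for a in self.pending.values() if a.user == user and not a.expired(now)]

    def start_login(self, user, source_ip):
        """Called after the password check passes, so a phished password reaches
        this point too. Returns (attempt_id, symbol), or None when the user already
        has too many unanswered prompts (each refusal is logged as an event)."""
        if len(self._open_prompts(user)) >= MAX_PENDING_PER_USER:
            self.events.append(("prompt_flood_blocked", user, source_ip))
            return None
        attempt_id = secrets.token_hex(8)
        symbol = "".join(secrets.choice(string.digits) for _ in range(CHALLENGE_LEN))
        self.pending[attempt_id] = LoginAttempt(user, source_ip, symbol, self._clock())
        return attempt_id, symbol

    def respond(self, attempt_id, entered_symbol):
        """Called from the user's registered device. The device must send back the
        symbol the user read off the login screen; one answer per prompt, and a
        wrong answer consumes the prompt rather than leaving it open to retries."""
        attempt = self.pending.pop(attempt_id, None)
        if attempt is None:
            return "unknown_attempt"
        if attempt.expired(self._clock()):
            self.events.append(("expired", attempt.user, attempt.source_ip))
            return "expired"
        if not hmac.compare_digest(attempt.symbol, entered_symbol):
            self.events.append(("symbol_mismatch", attempt.user, attempt.source_ip))
            return "denied"
        self.events.append(("approved", attempt.user, attempt.source_ip))
        return "approved"


def run_scenarios():
    """Four constructed situations; returns their outcomes as a dict."""
    now = [1_700_000_000.0]                       # fake clock, constructed
    idp = SymbolToAcceptIdP(clock=lambda: now[0])
    out = {}

    # 1. Legitimate login: the user reads the symbol off their own screen.
    attempt_id, symbol = idp.start_login("alice", "10.0.0.5")
    out["legitimate"] = idp.respond(attempt_id, symbol)

    # 2. Someone else starts a login with alice's password; the symbol appears on
    #    THEIR screen. Alice taps through the prompt with a value she guesses.
    #    (Constructed: choose a guess guaranteed to differ from the real symbol.)
    attempt_id, symbol = idp.start_login("alice", "203.0.113.7")
    wrong_guess = "00" if symbol != "00" else "11"
    out["blind_accept"] = idp.respond(attempt_id, wrong_guess)
    out["retry_after_denial"] = idp.respond(attempt_id, symbol)   # prompt consumed

    # 3. Prompt flooding: after the cap the IdP refuses to issue more prompts and
    #    records an event that detection logic can key on.
    for _ in range(MAX_PENDING_PER_USER):
        idp.start_login("alice", "203.0.113.7")
    out["flood_blocked"] = idp.start_login("alice", "203.0.113.7") is None

    # 4. Unanswered prompts expire once the TTL has passed.
    stale_id = next(iter(idp.pending))
    stale_symbol = idp.pending[stale_id].symbol
    now[0] += CHALLENGE_TTL_SECONDS + 1
    out["stale_prompt"] = idp.respond(stale_id, stale_symbol)

    out["event_kinds"] = sorted({e[0] for e in idp.events})
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The design point is that approval carries information the attacker's login screen has but the victim's phone does not: without the symbol, a reflexive "Accept" is indistinguishable from a wrong guess and is rejected, and the `symbol_mismatch` and `prompt_flood_blocked` events give the SOC something concrete to alert on.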

++

Joe Regensburger, Vice President of Research Engineering, Immuta

"AI and large language models (LLMs) have the potential to significantly impact data security initiatives. Already organizations are leveraging it to build advanced solutions for fraud detection, sentiment analysis, next-best-offer, predictive maintenance, and more. At the same time, although AI offers many benefits, 71% of IT leaders feel generative AI will also introduce new data security risks. To fully realize the benefits of AI, it’s vital that organizations consider data security as a foundational component of any AI implementation. This means ensuring data is protected and in compliance with usage requirements. To do this, they need to consider four things: (1) "What" data gets used to train the AI model? (2) "How" does the AI model get trained? (3) "What" controls exist on deployed AI? and (4) "How" can we assess the accuracy of outputs? By prioritizing data security and access control, organizations can safely harness the power of AI and LLMs while safeguarding against potential risks and ensuring responsible usage."

++

David Divitt, Senior Director, Fraud Prevention & Experience, Veriff

"We've all been taught to be on our guard about “suspicious” characters as a means to avoid getting scammed. But what if the criminal behind the scam looks, and sounds, exactly like someone you trust? Deepfakes, or lifelike manipulations of an assumed likeness or voice, have exploded in accessibility and sophistication, with deepfakes-as-a-service now allowing even less-advanced fraud actors to near-flawlessly impersonate a target. This progression makes all kinds of fraud, from individual blackmail to defrauding entire corporations, significantly harder to detect and defend against. With the help of General Adversarial Networks (GANs), even a single image of an individual can be enough for fraudsters to produce a convincing deepfake of them.

Certain forms of user authentication can be fooled by a competent deepfake fraudster, necessitating the use of specialized AI tools to identify the subtle but telltale signs of a manipulated image or voice. AI models can also be trained to identify patterns of fraud, enabling businesses to get ahead of an attack before it hits.

AI is now at the forefront of fraud threats, and organizations that fail to use AI tech to defend themselves will likely find themselves the victim of it."

++

James Hadley, CEO and Founder of Immersive Labs

"Cybersecurity awareness month has good intentions. But, if organizations are focused on awareness alone, they're losing. Awareness is not enough for organizations to achieve true cyber resilience. Resilience means knowing that your entire organization has the knowledge, skills, and judgment to respond to emerging threats, backed by data. Businesses need proof of these cyber capabilities to ensure that when an attack inevitably happens, their organization is prepared to respond.

Outdated training models and industry certifications that organizations have traditionally relied on have failed to make them safer and instead have created a false sense of security — which is why nearly two-thirds of security leaders now agree that they are ineffective in ensuring cyber resilience.

Continuous, measurable exercising across your entire workforce — from the store room to the board room — provides businesses with the insights they need to understand the current state of their cyber resilience and where their weak points lie. It also creates a more positive cybersecurity culture that encourages reporting rather than punishing employees when a breach does happen. With top-to-bottom cybersecurity education, organizations are moving beyond awareness and can ensure that their data is secure."

++

Yariv Fishman, Chief Product Officer, Deep Instinct

"This Cybersecurity Awareness Month is unlike previous years, due to the rise of generative AI within enterprises. Recent research found that 75% of security professionals witnessed an increase in attacks over the past 12 months, with 85% attributing this rise to bad actors using generative AI.

The weaponization of AI is happening rapidly, with attackers using it to create new malware variants at an unprecedented pace. Current security mechanisms rooted in machine learning (ML) are ineffective against never-before-seen, unknown malware; they will break down in the face of AI-powered threats.

The only way to protect yourself is with a more advanced form of AI. Specifically, Deep Learning. Any other ML-based, legacy security solution is too reactive and latent to adequately fight back. This is where EDR and NGAV fall short. What’s missing is a layer of Deep Learning-powered data security, sitting in front of your existing security controls, to predict and prevent threats before they cause damage. This Cybersecurity Awareness Month, organizations should know that prevention against cyber attacks is possible – but it requires a change to the “assume breach” status quo, especially in this new era of AI."

++

Nick Carroll, Cyber Incident Response Manager, Raytheon, an RTX business

"As cyber threats continue to quickly evolve, organizations are being challenged to act just as fast in counter defense. This rush to keep up can often lead to the harmful practice of organizations skipping the foundational basics of cyber defense and failing to establish a general sense of cyber awareness within the business. Without a solid security culture at the foundation, security tools, such as expensive firewalls or endpoint detection and response (EDR), will ultimately become ineffective in the long term. It’s imperative to build cybersecurity awareness among employees and third parties that work with the business, as well as determine the ways in which security will be integrated into the organization’s culture and operations. Once these steps are taken, organizations will be better positioned to build off of a solid organizational footing that will be most effective for cyber defense initiatives in the long run."

++

Olivier Gaudin, Co-CEO & Founder, Sonar

"This Cybersecurity Awareness Month (CAM), a message to business leaders and technical folks alike: Software is immensely pervasive and foundational to innovation and market leadership. And if software starts with code, then secure or insecure code starts in development, which means organizations should be looking critically at how their code is developed. Only when code is clean (i.e. consistent, intentional, adaptable, responsible) can security, reliability, and maintainability of software be ensured.  

Yes, there has been increased attention to AppSec/software security and impressive developments in this arena. But still, these efforts are being made after the fact, i.e. after the code is produced. Failing to do this as part of the coding phase will not produce the radical change that our industry needs. Bad code is the biggest business liability that organizations face, whether they know it or not. And chances are they don't know it. Under their noses, there is technical debt accumulating, leading to developers wasting time on remediation, paying some small interest for any change they make, and applications being largely insecure and unreliable, making them a liability to the business. With AI-generated code increasing the volume and speed of output without an eye toward code quality, this problem will only worsen. The world needs Clean Code.

During CAM, we urge organizations to take the time to understand and adopt a ‘Clean as You Code’ approach. In turn, this will stop the technical debt leak, but also remediate existing debt whenever changing code, reducing drastically the cybersecurity risks, which is absolutely necessary for businesses to compete and win -- especially in the age of AI."

++

Doug Kersten, CISO, Appfire

"First and foremost, whether an employee has been at an organization for 20 days or 20 years, they should have a common understanding of how their company approaches cybersecurity; and be able to report common threats to security.

It’s been refreshing to see security come to the forefront of conversation for most organizations. It was rare 20 years ago that cybersecurity awareness was even a training concern unless you were at a bank or regulated institution. Today, it is incredibly important that this heightened interest and attention to security best practices continues. With advancements in technology like AI, employees across industries will face threats they’ve never encountered before - and their foundational knowledge of cybersecurity will be vital.   

Employees today should be well-trained on security standards and feel comfortable communicating honestly with their security teams. Even more important, security leaders should ensure their organizations have anonymous alternatives for employees to report their concerns without fear of retaliation or consequence. By combining education and awareness into the foundation of your organization’s security framework, and empowering employees, the odds of the realization of a threat decrease exponentially."

++

James Lapalme, Vice President & GM for Identity, Entrust
 
"While we can recognize Cybersecurity Awareness Month, it's important that we prioritize cybersecurity all year round. Threat actors are constantly threatening organizations in unique and rapidly evolving ways, and business leaders need to remain nimble to ensure that their systems and teams are prepared for these evolving risks.
 
As we’ve seen in the news in recent weeks, spear phishing and social engineering attacks have become a common way for bad actors to create realistic scams that can slip by even the most knowledgeable employee. And, with the advancements in generative AI, adversaries can accelerate the potential impact of these attacks to gain access to sensitive data. The reputational and monetary losses these organizations and their customers experience can be felt for years to come.
 
Organizations have become so reliant on credentials that they have stopped verifying identity, so to get access or reset access, all you have to do is to give a code or answer a secret question. While that is convenient from a productivity perspective, it leaves the door open to cyber-attacks, which is why we’ve seen these spates of compromises.
 
Rather than rely on individuals who are frequently too caught up in day-to-day tasks to notice the subtle nuances of these scams, organizations need to evolve their technology response and look to phishing-resistant identities. Methodologies to achieve a high assurance level of identity verification, such as certificate-based authentication for both user and device verification, risk-based adaptive step-up authentication, and implementing ID verification as part of the authentication process (or as a high assurance authentication strategy) for high value transactions and privileged users, are all ways for businesses to build out their Zero Trust, explicitly identity-verified strategies and ensure the security of users even as new threats continue to emerge.
 
It's important to understand that cybersecurity awareness is never really over. Good enough is not good enough. With the ever-evolving threat landscape, it's essential for organizations to stay ahead of the curve and continue to keep evolving their technology to protect and future-proof their businesses against the ever changing threat landscape."

++

Michael Mestrovich, CISO, Rubrik

"Monetization of data theft drives the cyber crime business. Modern cybercrime revolves around stealing data from organizations or denying them access to critical data. It is imperative that we maintain a security-first corporate culture and that a security mindset permeates everything that we do.  

So how do we achieve this? A culture change starts with simple behavior shifts. When you walk away from your computer, do you lock it? When you’re using your laptop in public, do you have a screen guard on? When entering corporate buildings do you badge in and make sure no one is tailgating you? These sound like small things, but they are the practical day-to-day activities that people need to understand that help cultivate a security-first culture."

++

Richard Caralli, Senior Cybersecurity Advisor, Axio

"For 20 years, Cybersecurity Awareness Month has been raising awareness about the importance of cybersecurity, but creating a cyber-aware culture is only getting worse. Technology users are on the front line for cybersecurity, but this responsibility is not taken seriously either because it’s a lower priority (average consumers place preference on product features over security), or they don’t fundamentally understand it (cybersecurity technologies at the consumer level are not entirely intuitive).

There are approximately 12 million lines of code on a typical smartphone operating system, and on those devices, thousands of configurable settings that affect security and privacy. If an organization issues a device like an iPhone, they can centrally ensure the security and privacy settings fall in line with organizational policy. But, in an increasingly bring-your-own-device world, and especially for retail consumers, all bets are off.

With configurability being a key desirable feature of applications, users unfortunately put little effort into ensuring they are protected from not only attackers, but also from legitimate attempts to use their data in ways that may over-expose them. It isn’t sufficient to fall in line with the standard security recommendations anymore—such as implementing MFA. Users must initiate their own security and privacy review of the software and devices they use, instead of focusing only on configuring features and applications that are important to them.

Until fixed, consumers will continue to be a rich target—and attackers know it. To create a more cyber-aware culture, users should review all default settings on new software and devices and make changes as appropriate. And while not an easy task, several guides being produced—Consumer Reports, for example, publishes a Guide to Digital Security and Privacy—can help users configure important settings, or at least give them the option to decide on the balance between functionality and security/privacy."

++

Jeff Reich, Executive Director, IDSA
    
"So far, 2023 has shown us that all it takes is one compromised identity to have a huge effect on the targeted organization, the industry vertical, and society at large. And year after year, the IDSA’s research demonstrates that it takes more than a strong password to keep bad actors at bay. Today’s questions swirl around what it will take to stem the increasing onslaught of identity-related breaches. From the Least Privilege principle to Multi-Factor Authentication (MFA), routine access reviews, and Zero Trust, it will take parts of each of these, plus more, to address this problem.

The bigger question is, how do we get this done? Security, as part of a larger risk management program, is the answer. This year marks the 20th anniversary of Cybersecurity Awareness Month and the new theme is Secure Our World. This is appropriate because, as we have seen, the effects can and do shape events around the world. By continuing to better educate ourselves and raise awareness around this global issue, we will solve this problem.

The key is to better know the environments in which we operate, the associated risks, and ways to eliminate or lower the severity of the outcomes. This is incumbent upon each of us and all of us. The message is the same, although updated. Learn what you can do to protect yourself and help others. Security professionals: work to make systems more resilient and frictionless. For users of these systems: learn to use them and make them work for you."

++

Irfan Shakeel, VP of Training and Certification Services, OPSWAT

"Recent findings from Tessian's Human Factor Report 2023 found that 88% of data breaches are caused by employee mistakes. This underscores the paramount importance of investing in our first line of cybersecurity defense: our workforce. Cybersecurity Awareness Month is not merely about social media posts or celebratory events; it is about educating employees, vendors, and all other stakeholders on cybersecurity best practices and other security policies. By doing so, we ensure that our primary defense doesn't become our most significant vulnerability.

IT/OT convergence is not just a trend, but a necessity, driven by its transformative benefits such as streamlined operations, real-time data access, and data-driven decision-making. However, this integration also expands the attack surface, introducing new security challenges. As we observe Cybersecurity Awareness Month, it's the perfect opportunity to bridge the gap between industrial teams and their IT counterparts. This month is ideal for hosting hands-on cybersecurity awareness training sessions and organizing engaging activities like cybersecurity scavenger hunts. By fostering collaboration and camaraderie, we can pave the way for a more cyber-resilient OT environment."

++

Ariel Parnes, COO and Co-Founder, Mitiga

"As cybercrime moves to the cloud – as evidenced by recent exploits, from Scattered Spider’s ransomware attack on MGM to Storm-0558's attack targeting Microsoft Exchange – there is a whole new level of cyber awareness that is needed from everyone in organizations. Awareness this Cybersecurity Awareness Month is especially important for enterprise leaders evolving their tech stacks and updating capabilities in order to manage risk and grow resilience. To effectively respond to this new breed of incidents—and fast—enterprise leaders need to:

  • Understand the new and evolving threat landscape, and educate their team and peers
  • Assume breach, but more importantly: assume cloud/SaaS breach
  • Define SMART (Specific, Measurable, Attainable, Relevant, and Time-Bound) KPIs for cloud and SaaS breach readiness
  • Build a plan to improve the KPIs through people, processes, and technology
  • Exercise, exercise, exercise!

The SEC’s latest ruling, which requires organizations to disclose a material breach within four days following its discovery, undeniably necessitates that organizations rapidly evaluate the severity of an attack and ensure accurate and timely reporting—a process that demands swift investigation. But there’s an added dimension: potential adversaries might exploit this regulation, heightening pressure on the compromised entity by revealing (real or fake) details of the breach—as in the MGM attack. We have seen this in the past, and with the new regulations, we should expect to see it more. Organizations should prepare for these situations in a multi-layered approach, building, expanding, and exercising capabilities in: rapid investigation, negotiation, comms, and PR."

++

Bala Kumar, Chief of Product at Jumio

"There are a number of commonly used verification tools out there today, like multi-factor authentication (MFA) and knowledge-based authentication. However, these tools aren’t secure enough on their own. With the rise of new technologies like generative AI, cybercriminals can develop newer and more complex attacks that organizations need to be prepared for. Fraudsters can leverage ChatGPT, for instance, to create more convincing and targeted phishing scams to increase their credibility and impact, victimizing more users than before.

This month’s emphasis on cybersecurity reminds us that organizations must build a strong foundation starting with user verification and authentication to efficiently protect customer and organizational data from all forms of fraud. Strong passwords and MFA are always beneficial to have, but with the increasing sophistication of cyberattacks, organizations must implement biometric-backed identity verification methods. By cross-referencing the biometric features of an onboarded user with those of the cybercriminal attempting to breach the company, organizations can prevent attacks and ensure that the user accessing or using an account is authorized and not a fraudster, keeping vital data out of criminals’ reach."

++

Philip George, Executive Technical Strategist, Merlin Cyber

Time to Understand – and Act On – Quantum Risk  

"One critical aspect of cybersecurity that deserves much more attention and focus is the advancement of quantum computing. While quantum computing is poised to enable researchers to tackle complex problems through simulation in a way that simply wasn’t possible before, it also has very serious implications for cryptography – the foundation upon which functionally all modern cybersecurity relies. A cryptographically relevant quantum computer (CRQC) could render linear cryptography ineffective, meaning sensitive data and critical systems protected in this way will be exposed to anyone with quantum computing capabilities. The reality is that our adversaries are inching closer and closer to achieving a CRQC every day and in the meantime are collecting sensitive encrypted data to access later, also known as a “store now, decrypt later” approach. Certain cryptographic standards bodies estimate that we have approximately 7-10 years before quantum cryptographic relevancy is achieved – however, we’ve already seen instances of adversaries exploiting our growing reliance and implicit trust with current cryptography, like in the SolarWinds SUNBURST Backdoor and Microsoft Storm-0558 forged tokens attacks.

With the executive direction to adopt zero-trust architectures (ZTA) across IT/OT portfolios, the industry cannot afford to delay the inclusion of a quantum-readiness (QR) roadmap (see the joint CISA/NSA Quantum Readiness memo) into said ZTA modernization plans, especially considering how heavily they will rely upon cryptography across every facet of the maturity model. A major component of the QR roadmap is the execution of a cryptographic discovery and inventory report, which would provide valuable insight into quantum-vulnerable cryptographic dependencies as well as overall cryptographic usage. The results would provide critical insight into strategic risk management decisions for Y2Q (years to quantum) planning and operational cyber threat-hunting purposes.
 
The era of implicit cryptographic trust and reliance on an iterative standard process is coming to a close; the industry needs to fully incorporate cryptographic risk into its vulnerability management and remediation programs before Y2Q. This will ensure a more cryptographically agile and robust zero trust ecosystem is achieved across newly modernized environments."
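The cryptographic discovery and inventory step described above is the part most readers can start on immediately. The following is an added example, not code from Merlin Cyber or from the quoted author, of what a small slice of such an inventory looks like for one asset class: SSH host keys. It reads `ssh-keyscan`/`known_hosts` lines, decodes the RFC 4253 public-key blob with the standard library only, and records algorithm, key size, whether a CRQC breaks the algorithm (Shor's algorithm covers both factoring and discrete logs, so every classical SSH host-key algorithm is flagged) and whether the key is already weak classically. The host names and key material in `SAMPLE_KEYSCAN` are constructed, not real hosts or keys; the classical minimum sizes are this example's assumptions and should be set to your own policy.

```python
"""Cryptographic inventory of SSH host keys.

Parses ssh-keyscan / known_hosts lines, decodes the RFC 4253 public-key blob
and records algorithm, key size and whether Shor's algorithm breaks it."""
import base64
import struct
from dataclasses import dataclass

# Every classical SSH host-key algorithm rests on factoring or a discrete log,
# both of which a CRQC breaks, so all of them are quantum-vulnerable. The
# classical minimums (an assumed policy) let the same pass flag keys that are
# already weak today.
CLASSICAL_MIN_BITS = {
    "ssh-rsa": 2048, "ssh-dss": 2048, "ssh-ed25519": 256,
    "ecdsa-sha2-nistp256": 256, "ecdsa-sha2-nistp384": 384, "ecdsa-sha2-nistp521": 521,
}
CURVE_BITS = {b"nistp256": 256, b"nistp384": 384, b"nistp521": 521}


@dataclass
class HostKey:
    host: str
    algorithm: str
    bits: int
    quantum_vulnerable: bool
    classically_weak: bool


def _read_string(buf: bytes, off: int) -> tuple[bytes, int]:
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def decode_blob(blob: bytes) -> tuple[str, int]:
    """Return (algorithm, key size in bits) for an SSH public-key blob."""
    alg_b, off = _read_string(blob, 0)
    alg = alg_b.decode("ascii")
    if alg == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent (mpint)
        n, _ = _read_string(blob, off)      # modulus (mpint, may carry a 0x00 sign byte)
        return alg, int.from_bytes(n, "big").bit_length()
    if alg == "ssh-dss":
        p, _ = _read_string(blob, off)      # p, q, g, y follow; p sets the size
        return alg, int.from_bytes(p, "big").bit_length()
    if alg.startswith("ecdsa-sha2-"):
        curve, off = _read_string(blob, off)
        if curve not in CURVE_BITS:
            raise ValueError(f"unknown curve {curve!r}")
        return alg, CURVE_BITS[curve]
    if alg == "ssh-ed25519":
        pk, _ = _read_string(blob, off)     # 32-byte public key
        return alg, len(pk) * 8
    raise ValueError(f"unsupported algorithm {alg}")


def parse_keyscan_line(line: str) -> HostKey:
    parts = line.split()
    if len(parts) < 3:
        raise ValueError(f"malformed line: {line!r}")
    host, alg_field, b64 = parts[:3]
    alg, bits = decode_blob(base64.b64decode(b64))
    if alg != alg_field:   # the type column must agree with the blob's own header
        raise ValueError(f"{host}: type field {alg_field} does not match blob {alg}")
    return HostKey(host, alg, bits, True, bits < CLASSICAL_MIN_BITS[alg])


def inventory(lines) -> list[HostKey]:
    """Build the inventory; skips blank lines and '#' comments (ssh-keyscan emits them)."""
    return [parse_keyscan_line(l) for l in lines if l.strip() and not l.lstrip().startswith("#")]


def summarize(keys: list[HostKey]) -> dict:
    return {
        "total": len(keys),
        "quantum_vulnerable": sum(k.quantum_vulnerable for k in keys),
        "classically_weak": [f"{k.host} {k.algorithm} {k.bits}" for k in keys if k.classically_weak],
    }


# --- constructed sample input: synthetic key material, not real hosts or keys ---
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw   # mpint is signed: keep the top bit clear
    return _ssh_string(raw)


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode("ascii")


SAMPLE_KEYSCAN = [
    "# legacy-gw.example:22 SSH-2.0-OpenSSH_7.4",
    "legacy-gw.example ssh-rsa " + _b64(_ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 1023) | 1)),
    "bastion.example ssh-rsa " + _b64(_ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 3071) | 1)),
    "bastion.example ssh-ed25519 " + _b64(_ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))),
    "jump.example ecdsa-sha2-nistp256 " + _b64(_ssh_string(b"ecdsa-sha2-nistp256") + _ssh_string(b"nistp256") + _ssh_string(b"\x04" + bytes(64))),
]

if __name__ == "__main__":
    keys = inventory(SAMPLE_KEYSCAN)
    for k in keys:
        print(k)
    print(summarize(keys))
```

Feed it real data with `ssh-keyscan -t rsa,ecdsa,ed25519 host1 host2 ...` piped into `inventory()`. Host keys are only one column of a full report; the same pattern (parse the artifact, extract algorithm and size, classify) extends to X.509 certificates, TLS cipher suites and JWKS endpoints, and the quantum-vulnerable column will be uniformly "yes" until hybrid or post-quantum algorithms are deployed, which is exactly the point of building the list early.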
 
++
 
Doug Murray, CEO, Auvik

Cybersecurity Fundamentals: Network Visibility 

"We can’t have a constructive discussion around cybersecurity without addressing network-based security. You can’t protect what you can’t see – unknown devices are unprotected devices. As rigorous as your cybersecurity efforts may be, poor visibility can put the entire network at risk of an attack.  
 
To effectively implement cybersecurity protocols that reduce vulnerabilities, IT teams must have a comprehensive view and understanding of all assets, including switches, routers, firewalls, wireless controllers and access points, and endpoint devices, including many headless IoT devices.  
 
In addition to traditional security products, it’s important to also implement complementary tools like network management software to ensure an organization has a cohesive view of its network. By detecting unusual activity, rogue devices, traffic from unexpected locations, and unapproved or atypical application usage, network management tools identify areas of concern and flag for investigation before real problems occur. This allows organizations to take necessary corrective action early and maintain an offensive rather than defensive cybersecurity strategy by preventing a wider range of potential attacks on an organization’s network. This is not only critical for cybersecurity but also assists with compliance, ensures quicker troubleshooting, and results in better business outcomes."
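"Unknown devices are unprotected devices" is a comparison between what is actually on the wire and what the asset inventory says should be there. As an added example, not code from Auvik or the quoted author, the script below does that comparison for one evidence source: it parses an ISC `dhcpd.leases` file (append-only, so the last block for an IP is the current state), normalizes MAC addresses, and reports active leases whose MAC is not in the approved inventory. The lease text and the `APPROVED` map are constructed for the example; the field names follow the real `dhcpd.leases` format.

```python
"""Rogue-device check: diff the devices seen on the network (active ISC dhcpd
leases) against the approved asset inventory."""
import re
from dataclasses import dataclass

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)
FIELD_RE = re.compile(
    r"^\s*(?P<key>binding state|hardware ethernet|client-hostname)\s+(?P<val>[^;]+);", re.M)


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: str
    state: str


def normalize_mac(mac: str) -> str:
    """Lower-case colon form so '00-11-22-33-44-55' and '00:11:22:33:44:55' compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_leases(text: str) -> list[Lease]:
    """Parse dhcpd.leases; the file is append-only, so the last block for an IP wins."""
    latest: dict[str, Lease] = {}
    for m in LEASE_RE.finditer(text):
        fields = {f["key"]: f["val"].strip().strip('"') for f in FIELD_RE.finditer(m["body"])}
        if "hardware ethernet" not in fields:
            continue   # abandoned/free blocks may carry no hardware address
        latest[m["ip"]] = Lease(
            ip=m["ip"],
            mac=normalize_mac(fields["hardware ethernet"]),
            hostname=fields.get("client-hostname", ""),
            state=fields.get("binding state", "unknown"),
        )
    return list(latest.values())


def find_rogues(leases: list[Lease], inventory: dict[str, str]) -> list[Lease]:
    """Active leases whose MAC is not in the approved inventory (mac -> asset tag)."""
    approved = {normalize_mac(m) for m in inventory}
    return [lease for lease in leases if lease.state == "active" and lease.mac not in approved]


# --- constructed sample input, not a real lease file or real inventory ---
SAMPLE_LEASES = """\
lease 10.0.1.20 {
  starts 4 2023/10/05 14:02:11;
  ends 4 2023/10/05 20:02:11;
  binding state active;
  hardware ethernet 3C:22:FB:AA:BB:01;
  client-hostname "laptop-jdoe";
}
lease 10.0.1.57 {
  starts 4 2023/10/05 14:10:40;
  ends 4 2023/10/05 20:10:40;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "printer-3f";
}
lease 10.0.1.99 {
  starts 4 2023/10/05 09:00:00;
  ends 4 2023/10/05 09:30:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:ff;
  client-hostname "guest-phone";
}
lease 10.0.1.99 {
  starts 4 2023/10/05 09:00:00;
  ends 4 2023/10/05 09:30:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
lease 10.0.1.88 {
  starts 4 2023/10/05 15:00:00;
  ends 4 2023/10/05 21:00:00;
  binding state active;
  hardware ethernet de:ad:be:ef:00:01;
  client-hostname "raspberrypi";
}
"""
# Approved inventory, keyed by MAC in whatever notation the CMDB exports.
APPROVED = {
    "3c:22:fb:aa:bb:01": "ASSET-1042 laptop jdoe",
    "00-11-22-33-44-55": "ASSET-0077 printer 3F",
}

if __name__ == "__main__":
    for rogue in find_rogues(parse_leases(SAMPLE_LEASES), APPROVED):
        print(f"unknown device {rogue.mac} ({rogue.hostname or '?'}) holds {rogue.ip}")
```

Run it against `/var/lib/dhcp/dhcpd.leases` and an export of your asset database. The caveat a practitioner should keep in mind: DHCP only sees devices that ask for a lease, so a statically addressed rogue never appears here; pair this with switch MAC tables or ARP data, and treat a MAC match as a weak identity, since MACs are trivially spoofed, which is why the quote's point about combining visibility with other controls matters.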
 
++
 
Patrick Harr, CEO, SlashNext

The Evolution of Phishing and BEC, and How to Stay Protected

"We have seen phishing grow from targeted email attacks into a widespread multi-channel problem that has become the top security threat for both organizations and individuals. In 2023 especially, the introduction of Generative AI technologies like ChatGPT has been a game changer for cybercriminals, particularly in relation to cyberattacks launched through email, mobile and collaboration apps including business email compromise (BEC) and smishing. These new AI tools have helped attackers deliver fast-moving cyber threats, and have ultimately rendered security defenses that rely on threat feeds, URL rewriting and block lists ineffective. Combine these new tools with the way people work, using multiple devices to communicate and collaborate outside of traditional security defenses, and users and businesses are more exposed than ever to cyberattacks.
 
Perhaps even more concerning is the rise of AI tools proliferating on the dark web – such as WormGPT, FraudGPT, and others – that are specifically designed to apply generative AI technologies for criminal purposes. Now, we are even seeing the likes of BadGPT and EvilGPT being used to create devastating malware, ransomware, and business email compromise (BEC) attacks. Another grave development involves the threat of AI “jailbreaks,” in which hackers cleverly remove the guardrails for the legal use of gen AI chatbots. In this way, attackers can turn tools such as ChatGPT into weapons that trick victims into giving away personal data or login credentials, which can lead to further damaging incursions.  
 
So how do we protect ourselves?  
    
Training users to detect these new AI-developed types of phishing attacks can be extremely difficult. It’s crucial to leverage AI-based cyber security protection to successfully battle cyber threats that use AI technology. Whether you’re a business with thousands of customers, or an employee using a personal device for work, you have to fight AI with AI."
 
++
 
Ricardo Amper, CEO and Founder, Incode Technologies

"With the rise of deepfakes and fraudsters becoming increasingly sophisticated, verifying identities is more challenging than ever. As verifying identities becomes harder, fraud mounts. This month, we celebrate Cybersecurity Awareness: a time to implement processes and adopt solutions that improve the cybersecurity posture of our organizations. Today, passwordless authentication is one of the top methods to deter fraud where identity means everything, for example, in banking, government, and payments processing. We’re seeing industries such as financial enterprises combat spoofing and identity fraud through biometric digital identity verification, which can prevent the use of ‘synthetic identity' to steal customer profiles and open new accounts. As a means of digital identification, biometrics prevent fake digital identities by identifying documents that have been tampered with or photoshopped. Companies in a variety of key sectors are introducing digital authentication services and solutions to combat growing levels of fraud and stay ahead of cyber criminals."
 
++
 
Ratan Tipirneni, President and CEO, Tigera

"Today, enterprises and small businesses alike are using containers and distributed applications, built with microservices and running on platforms like Kubernetes. Container environments are highly dynamic and require continuous monitoring, observability, and security. This Cybersecurity Awareness Month, it’s important to remember a critical Kubernetes best practice: treating container security as a continuous practice. Integrating security into the entire development and deployment cycle is key. For example, while “shift left” models have played an important role in increasing the security and resilience of deployments, the industry pendulum has swung too far. Many enterprises believe that runtime security is unnecessary if they put enough resources into planning and testing. The reality is that a breach is a matter of when, not if, and security teams must ensure their runtime security tools can rapidly identify and mitigate any intrusion attempts or risk serious consequences.
 
A best practice for securing containers is to use a multi-layered security approach that includes security measures at different levels, such as network, host, and application layers. This approach provides a defense-in-depth strategy that can provide more comprehensive protection against different types of attacks. The goal of the defense-in-depth approach is to make it more difficult for attackers to penetrate an organization's defenses and limit the damage if an attack does occur."
 
++
 
Georgia Weidman, Security Architect at Zimperium

"Classically people have entered cybersecurity as network or system admins or as programmers. The admins traditionally come from a more technical training background (but not always) and the programmers traditionally come from a more Computer Science (CompSci) or Computer Engineering (CompEng) or Software Engineering (SoftEng) background (but not always).
 
At the beginning of their careers, it’s often the more technically trained people who get out of the gates the fastest.  They know the tools, they often know the techniques, and they have usually been exposed to many of the practices, so picking up a specific environment’s tactics, techniques, and procedures is pretty easy. The more generalist CompSci/CompEng/SoftEng folks have a good understanding of theory, but not so much experience at practice and their initial learning curve is often steeper and thus they get out of the gate more slowly. That said, as they move forward with their careers, the depth and breadth of knowledge they picked up in their degree programs will likely come into play for solving more complex problems.
 
For people who want to do nothing but the hands-on elements of cybersecurity, any of these paths work and after a few years in the trenches the individual practitioners do not really stand out on the basis of their respective backgrounds. However, it is often the case that, having spent time in the trenches, some practitioners will realize that their tools do not do all that they would like them to do, and they are inspired (or cursed) to attempt to build their own tools. Generally speaking, the programmers with those more general CompSci/CompEng/SoftEng degrees will have an easier time ramping up their efforts to actually write software instead of just use it. Writing performant, scalable, secure, relatively bug-free, user-friendly code is an entirely different skill set than cybersecurity, so building cybersecurity tools benefits from the theory and practice afforded by the more general degrees. Again, some folks from the admin path or the cybersecurity degree will excel at this, there’s no one true path, but in general, at sufficient scale, these principles are useful guides.
 
Some number of the folks will eventually decide that they want to move into management, and, I'm sorry to say, very few of these college programs would have taught them anything about how to be an effective leader or manager -- or that there’s a difference.
 
And some number who previously made the leap into tool makers will decide that they should be entrepreneurs and turn their tools into startups.  God help them. Because like management, none of these college programs will have taught them a thing about the world of startups!
 
In the end, the best bet is to thoroughly explore your options and find the degree program that truly resonates with your wants and desires. In cybersecurity, your career is informed by your degree but not defined by your degree. Whichever path you take, the only real guarantee is that you will not know enough and you will be learning every day you pursue this career. So, learn to learn. And then get out here and help us make everyone more secure!"

++

Darryl Jones, VP of Product (CIAM), Ping Identity

"This Cybersecurity Awareness Month, it’s critical to remember that passwords pose one of the biggest cybersecurity threats to organizations and consumers alike. In fact, in 2022, there was a whopping 233% increase in U.S. data breaches exposing user credentials, compared to 2021. Credentials are attractive targets as they enable unauthorized access to sensitive systems, networks, and data.

While multifactor authentication is a great step in the right direction for protecting user credentials, the reality is that password-based authentication practices fail at actually securing accounts. They inhibit a smooth user experience and are easy to exploit for financial gain. With the accelerated growth of phishing, malware, and ransomware attacks, which are all exacerbated by the rise in artificial intelligence (AI), organizations underestimate the risks associated with using passwords to protect valuable enterprise assets. For example, generative AI can be used to guess passwords in an extremely human-like manner. It’s time to move away from this outdated form of authentication and move towards more innovative methods like biometrics, passkeys, and face IDs with liveness checks to avoid generative AI threats -  not just this month, but all year round."

++

Kris Lahiri, Co-Founder and Chief Security Officer, Egnyte

"In today's hybrid work environment, prioritizing cybersecurity is critical. Cyber threats are intensifying, with severe and long-lasting impacts on businesses. Yet, many organizational leaders still remain in the dark when it comes to protecting and managing their content. As we observe Cybersecurity Awareness Month, it’s important to remember that cybersecurity is not just about checking boxes. The frequency and scale of cyber attacks have continued to skyrocket, along with the financial toll and damage to brand reputation. Unfortunately, many organizations lack the proper tools to detect these attacks. Business leaders must also understand that the threat landscape is rapidly changing. Companies can improve their cybersecurity posture by combining foundational practices with cutting-edge technologies. Leveraging secure solutions doesn’t have to be complicated or robust to ensure safer data transactions and achieve unparalleled insights into content usage and access. Overall, businesses can avoid becoming a statistic and refine their data management strategies by making cybersecurity a team sport so that it is an integral part of their employees' daily lives through education and prevention."

++

Samir Sherif, CISO, Absolute Software

"Cyber Resiliency is the ability not just to prevent cyber threats but to withstand and recover from them when they do happen. This resilience isn't just about robust firewalls or advanced intrusion detection systems; it's about building an organization that can adapt and recover, both operationally and reputationally, from a cyber-attack. It acknowledges that while every measure will be taken to prevent an incident, the organization is prepared to minimize damage, restore operations, and learn from the event should one occur. In that sense, cyber resiliency complements and completes your incident response strategy."

++

Joni Klippert, CEO and Founder of StackHawk

"Viewing security as either a hindrance or a reactive measure doesn't promote the timely delivery of secure software. With organizations relying heavily on APIs to power their applications, recent research from ESG underscores how this dependency can exacerbate security risks. As development and release cycles for APIs continue to accelerate, we’ll see more challenges as feedback loops for fixes overload developers, and AppSec teams are unable to scale. Organizations need to focus on adopting the right security testing mechanisms and empower the teams that develop code to help prioritize the finding and fixing of security bugs before moving to production."

++

Mary Ann Miller, fraud & cybercrime advisor and VP of client excellence at Prove Identity

"The 20th anniversary of National Cybersecurity Awareness Month serves as a reminder for organizations and individuals to adopt better cyber hygiene practices online. Staying safe online means prioritizing digital identity. Identity proofing strategies should be at the top of every organization’s priorities going into 2024, and consumers should also take advantage of all secure digital identity services offered by the brands they work with, from their banking and credit card accounts to healthcare, mobile, and online shopping accounts.

According to the new Identity Project from the Financial Crimes Enforcement Network (FinCEN), suspicious activity reports (SARs) are rising. The research found that out of 3.8 million SAR submissions in 2021, an astounding 1.6 million (42%) were related to fraud, including identity theft and synthetic identity fraud – amounting to $212 billion in all identity fraud-related SARs.

In recognition of NCSAM and increasing incidents of identity fraud, the public and private sectors should rethink how they establish identity confidence. With data breaches and attacks constantly evolving, it’s no longer enough only to confirm personally identifiable information, and they can’t afford to miss out on using the technologies and processes that support more thorough and accurate investigations into proving one’s identity.

This year, it’s also critical to call attention to AI-generated social engineering. Organizations should leverage technology that examines trusted phone numbers to consistently determine an individual's identity."

++

Michael Smith, Field CTO at Vercara

"Cybersecurity training has evolved quite a bit over the past decade and is now a required part of most companies’ annual compliance training for employees. This is a positive development because it elevates employees' general understanding of the risk; however, it is not yet good enough. 2023 kicked off with a large number of ransomware attacks targeting the public sector and education, and it has only accelerated with very recent high-profile attacks on MGM and Caesars in the gaming industry. Most of these organizations, particularly the latter two, have training regimens in place, yet they fell victim. It shows that while attackers continue to get more sophisticated and targeted, defenders may be improving but they are not closing the gap.

As I’ve spoken to people across different industries, I have observed that most see cybersecurity training as an obligatory task with few taking it seriously. This sheds light on deficiencies in the training itself and the way that organizations message it. Training programs must continue to evolve to become more engaging and entertaining. Companies have to message strongly around the importance of the training and the negative effect, both individually and collectively, should a breach occur because an employee or contractor clicked on the wrong thing. IT departments should perform periodic phishing and smishing campaigns to test people in the organization. These efforts are happening in pockets now but need to become pervasive if we are to close the gap with attackers. There also needs to be an understanding that the landscape of cybersecurity is dynamic and evolving - and it’s moving at a speed too quick for the average user to keep pace. In alignment with the National Cybersecurity Strategy, there’s an onus on strong industry players to take more responsibility in mitigating cyber risk, and this starts with securing the most fundamental pieces of digital infrastructure, from DNS to Application Security."

++

Jason Kent, Hacker in Residence, Cequence Security

"Cybersecurity Awareness Month is a timely reminder for organizations to revamp their security posture. With this year’s theme, “It’s easy to stay safe online,” in mind, individuals can take a few small steps that make all the difference.
 
Time and again, one of the most critical aspects of account security is overlooked: password creation.

To achieve proper password security, individuals should consider the following best practices:

  • Using strong, unique passwords for each account is imperative, as cybercriminals often target those with reused or weak passwords derived from a vast pool of compromised userID/password combinations from data breaches.
  • Avoiding easily guessable patterns like birth years, family names, or sports teams.
  • Implementing password managers proves invaluable for generating and securely storing complex passwords.
  • Enabling Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) adds an extra layer of security to your application and website accounts, requiring an additional authentication step beyond your password. 

Having covered what to do, let's also discuss what you should avoid:

  • Using a credit card is the safest way to pay online; storing your credit card details in online accounts, though convenient, pales in comparison to the potential risks of unauthorized charges. Taking the extra 30 seconds to manually input your card information during transactions can save you from these hassles.
  • Equally important is steering clear of "pay me with a gift card" scams, where scammers manipulate individuals through email or phone calls, convincing them to make payments for non-existent computer issues or software subscription renewals. These fraudsters exploit fear and a lack of technical knowledge to access victims' computers, installing remote access tools and insisting on gift card payments. Tech Support, the IRS, the FBI, the County Sheriff - don’t take Steam Gift Cards as payment.

With these steps in mind, bolstering your online safety becomes a manageable task. By implementing these precautions, individuals can navigate the digital landscape with confidence and enhanced security."
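The checks behind the password advice above (reject guessable patterns such as years and names, reject passwords already seen in breach dumps, use one unique password per account, let a generator produce the replacement) can be shown in a few dozen lines. The following Python script is an added example for this article; it is not code from Cequence Security or from any of the quoted experts. The breach corpus `BREACHED_SHA1` and the token list `GUESSABLE_TOKENS` are constructed stand-ins, and `range_lookup()` only simulates the prefix (k-anonymity) range query that a service such as Have I Been Pwned exposes; in production you would call that service instead of shipping a list.

```python
"""Added example: weak-password, breach-reuse and cross-account reuse checks, plus a
rejection-sampling generator of the kind a password manager uses. Constructed data only."""
import hashlib
import re
import secrets
import string

# Constructed stand-in for a breach corpus: upper-case hex SHA-1 of leaked passwords.
# A real client queries a range API by the first 5 hex characters so the full
# password (and its full hash) never leaves the machine.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password1", "Summer2023!", "letmein", "Cowboys#1")
}

# Constructed list of guessable tokens; the caller adds the user's own names,
# teams and similar via personal_tokens.
GUESSABLE_TOKENS = ("password", "qwerty", "smith", "jones", "yankees", "cowboys")

YEAR_RE = re.compile(r"(19[3-9]\d|20[0-3]\d)")   # plausible birth years / recent years
REPEAT_RE = re.compile(r"(.)\1{2,}")              # runs like aaa or 111


def range_lookup(prefix):
    """Simulated k-anonymity range query: suffixes of every corpus hash starting with prefix."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    """True if the password's SHA-1 appears in the (constructed) breach corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def weaknesses(password, personal_tokens=()):
    """Return the reasons a password is weak; an empty list means it passes every check."""
    issues = []
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    if YEAR_RE.search(password):
        issues.append("contains a year")
    if REPEAT_RE.search(password):
        issues.append("contains a repeated character run")
    lowered = password.lower()
    for token in (*GUESSABLE_TOKENS, *personal_tokens):
        if token.lower() in lowered:
            issues.append(f"contains guessable token '{token}'")
    if is_breached(password):
        issues.append("found in breach corpus")
    return issues


def generate_password(length=20):
    """Draw random candidates from a CSPRNG and keep the first one that passes weaknesses()
    and contains all four character classes (what a manager's generator does internally)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        has_all_classes = (
            any(c.islower() for c in candidate)
            and any(c.isupper() for c in candidate)
            and any(c.isdigit() for c in candidate)
            and any(c in string.punctuation for c in candidate)
        )
        if has_all_classes and not weaknesses(candidate):
            return candidate


def reused_accounts(vault):
    """Group the accounts in an {account: password} vault that share a password."""
    by_password = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return [sorted(accounts) for accounts in by_password.values() if len(accounts) > 1]


if __name__ == "__main__":
    # Constructed vault for demonstration
    vault = {"bank": "Summer2023!", "email": "Summer2023!", "shop": "Cowboys#1"}
    for account, pw in vault.items():
        print(account, weaknesses(pw, personal_tokens=("Dallas",)) or "ok")
    print("same password reused by:", reused_accounts(vault))
    print("suggested replacement:", generate_password())
```

Running it against the constructed vault flags "Summer2023!" for length, the embedded year and breach reuse, flags "Cowboys#1" for the team name and breach reuse, and reports that the bank and email accounts share a password; the generator then returns a 20-character replacement that passes every check.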

##
Published Wednesday, October 04, 2023 7:31 AM by David Marshall