Every year since 2003, October has been recognized as National Cyber
Security Awareness Month (NCSAM). This effort was brought to life
through a collaboration between the U.S. Department of Homeland Security
and the National Cyber Security Alliance. NCSAM is meant to raise
awareness about digital security and empower everyone to protect their
personal data from digital forms of crime.
The month is dedicated to creating resources and communications for
organizations to talk to their employees and customers about staying
safe online.
Marking its 20th anniversary this year, National Cybersecurity Awareness Month
continues to build momentum and impact. Below, several tech experts weigh in
on the importance of a robust security strategy and share their thoughts on
the matter.
Anthony Cusimano, Technical Director, Object First
"Often, we postpone the essential task of updating our software for fear of potential downtime: ‘no worries, we’ll get to it later.’ Maintaining up-to-date software, hardware, and operating systems is crucial for having the latest security patches and removing potential backdoors from your environment. Unfortunately, many people neglect to invest the time required for software updates. This Cybersecurity Awareness Month, establish a routine of checking and installing updates to safeguard your information. Don’t give bad actors an easy way in. Take the necessary steps to keep your antivirus software, operating systems, and applications consistently up to date."
++
Marcus Fowler, CEO of Darktrace Federal
On Cybersecurity Awareness Month & Impact of AI on the Threat Landscape
This year, CISA’s new theme for Cybersecurity Awareness Month is challenging us to reflect on how we can best secure our world. The global threat landscape is always evolving, but AI is poised to have a significant impact on the cybersecurity industry. The tools used by attackers — and the digital environments that need to be protected — are constantly changing and increasingly complex. We expect novel attacks will become the new normal, and we’re entering an era where sophisticated attacks can adapt at machine speed and scale. Luckily, AI is already being used as a powerful tool for defenders – helping to strengthen and empower our existing cyber workers so they can keep pace with increasingly complex environments and the constant onslaught of ever-evolving cyber threats.
On Recognizing and Reporting Phishing
Both consumers and organizations rely on email as a primary collaboration and communication tool, so raising awareness of the prevalence of phishing attacks and how to recognize and report them is important. However, the email threat landscape is constantly evolving and attackers regularly pivot and embrace new techniques to try to thwart defenses. For example, between May and July this year, Darktrace’s Cyber AI Research Centre observed an 11% decrease in VIP impersonation attempts – phishing emails that mimic senior executives – while email account takeover attempts increased by 52% and impersonation of the internal IT team increased by 19%. This is just one example of how attackers pivot as tactics become less effective and more easily recognized. This challenge is only poised to grow in the future as the widespread availability of generative AI tools provides novice attackers the ability to craft sophisticated, personalized phishing scams at scale.
In a recent survey, we found that the top three characteristics that make employees think an email is risky are: being invited to click a link or open an attachment, an unknown sender or unexpected content, and poor spelling and grammar. But generative AI is creating a world where ‘bad’ emails may not possess these qualities and are nearly indistinguishable to the human eye. It is becoming unfair to expect employees to identify every phish, and security training, while important, can only go so far. Increasing awareness of and the ability to recognize phishing attempts is an important first step, but an effective path forward lies in a partnership between AI and human beings. AI can determine whether communication is malicious or benign and take the burden of responsibility off the human.
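The two pivots Darktrace describes above, impersonation of senior executives and impersonation of the internal IT team, can both be caught with header checks that do not depend on the spelling and grammar cues generative AI is erasing. The following Python is an added example, not Darktrace's code or anything from the original article; the executive directory, the internal domain and the three sample messages are constructed for illustration and would come from the identity provider and the mail flow in practice.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical directory: executive display name -> the only legitimate mailbox.
# In production this comes from HR / the identity provider, not a literal.
EXECUTIVES = {"dana whitfield": "dana.whitfield@example.com"}
INTERNAL_DOMAINS = {"example.com"}
# Phrases an external sender has no business using in a display name or subject.
IT_KEYWORDS = ("it helpdesk", "it support", "service desk", "it department")


def domain_of(address: str) -> str:
    return address.lower().rpartition("@")[2]


def classify(raw: bytes) -> list[str]:
    """Return impersonation findings for one RFC 5322 message (empty list = nothing found)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    display = display.strip().lower()
    addr = addr.lower()
    findings = []

    # VIP impersonation: an executive's display name on a mailbox that is not the
    # one on record (lookalike domain, free-mail account, etc.).
    known = EXECUTIVES.get(display)
    if known is not None and addr != known:
        findings.append(f"vip_impersonation:{display}")

    # Internal IT impersonation: claims to be the IT team but is sent from outside.
    haystack = f"{display} {str(msg.get('Subject', '')).lower()}"
    if domain_of(addr) not in INTERNAL_DOMAINS and any(k in haystack for k in IT_KEYWORDS):
        findings.append("it_team_impersonation")

    # A Reply-To steering replies to another domain is a common tell for both
    # impersonation and account-takeover lures.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append("reply_to_mismatch")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": (b"From: Dana Whitfield <dana.whitfield@example.com>\r\n"
              b"Subject: Q4 plan\r\n\r\nSee attached."),
    "vip": (b"From: Dana Whitfield <dana.whitfield@example.org>\r\n"
            b"Subject: Urgent wire transfer\r\n\r\nCall me before 5pm."),
    "it": (b"From: IT Helpdesk <support@example.net>\r\n"
           b"Reply-To: reset@example.org\r\n"
           b"Subject: Your password expires today\r\n\r\nSign in here to keep access."),
}


def scan_samples() -> dict[str, list[str]]:
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {findings or 'no findings'}")
```

In practice the display-name match needs to be fuzzy (extra spaces, "Whitfield, Dana", homoglyphs), and these checks complement rather than replace SPF/DKIM/DMARC alignment, which says nothing about who the display name claims to be.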
++
Theresa Lanowitz, Head of Cybersecurity Evangelism at AT&T Business
"This October marks the 20th anniversary of Cybersecurity Awareness Month and we’re addressing incredibly important themes that have also evolved immensely over the past two decades. This includes multi-factor authentication (MFA) and the strengthening of passwords.
As edge computing expands, we expect the popularity of MFA to grow and include biometrics and biometric behaviors - like how you sign your name or your cadence in entering a numerical sequence. While the use of biometrics to authenticate identity is not new, advancements in digital twins, deepfakes, and purpose-built IoT devices mean there is a need to secure our physical identities. Deepfakes may spoof more than your identity.
Consider autonomous vehicles that have built-in MFA in key fobs. IoT devices are frequently ‘set and forget’ with a default password that may be as simple as ‘1234’, making it easy for cyber adversaries to either guess or have knowledge of the default password. It makes sense that biometrics, MFA, and device authentication are utilized in new endpoints such as autonomous vehicles since there are no direct inputs into vehicle networks—however, without an added layer of security, an adversary can execute DDoS attacks or gain access to the network by moving laterally through an IoT device with a default password. With this, endpoint detection and response (EDR), managed detection and response (MDR), and extended detection and response (XDR) are becoming baseline requirements."
++
Rob Price, Director, Field Security Office at Snow Software
"The digital age ushered in a new category of cyber threat actors, which are multiplying rapidly. Years ago, security guards were looking for floppy disks containing sensitive data, but in today’s world, security is far more complex, especially with the recent rise in AI. When ChatGPT-4 was announced, the AI floodgates quickly opened, giving any Tom, Dick, or Harry access to this powerful technology. From then on, the enterprise security landscape immediately changed forever.
Deploying unauthorized AI products (or shadow AI) has the potential to leak confidential data or intellectual property, putting an organization’s security at risk. Understanding this, leaders must create tailored acceptable use policies, offering clear parameters on how the technology should – and can be – embraced within their organization. On top of this, companies must adopt new technology to monitor employee activity, ensuring compliance with the parameters put into place. Gaining complete visibility of your IT landscape – from your on-premises and cloud infrastructures to SaaS applications – is critical to keeping threat actors away in 2024."
++
Rishi Bhargava, co-founder, Descope
"The most relevant and actionable advice for end users during Cybersecurity Awareness Month is usually “do the basics well”. Use strong passwords for any account where you already have a password. Do not reuse passwords across sites, even if they are strong passwords. Enable multi-factor authentication whenever possible. And to prevent password woes altogether, choose passwordless login methods whenever you create a new online account. If you don’t have any secrets like passwords to share, attackers are less likely to phish for your credentials.
Cybersecurity Awareness Month also holds true for developers and application builders. With so many cyber attacks stemming from stolen credentials – 86% in 2022 according to the Verizon DBIR – application teams should be more aware and raise awareness among end users about passwordless methods like passkeys. By adopting passkeys and educating the user base about their merits, companies can improve user experience and reduce their own security burden by going passwordless."
++
Blair Cohen, Founder & President of AuthenticID
"AI and cybersecurity go hand-in-hand when it comes to the ongoing fight against cyberattacks. AI bolsters cybersecurity by offering advanced threat detection and rapid response capabilities, enabling organizations to identify and mitigate threats at exceptional speeds. With the number of cybersecurity threats growing daily, organizations cannot afford to let their guard down – especially considering the rapid progression of technology. Bad actors continue to find new ways to use AI in their attacks, but cybersecurity professionals can also unlock the speed and precision AI offers to safeguard their businesses from threats."
++
Joe Hall, Head of Security Services at Nile
"It is highly likely that we will continue to witness the prevalence of social engineering attacks, reminiscent of the recent incidents, such as the ones in Vegas. Additionally, the cybersecurity landscape may see an increase in targeting the IAM sector followed by an increase in lateral attacks. These attacks will exploit vulnerabilities within complex and outdated network infrastructures."
++
Kobi Kalif, CEO of ReasonLabs
"Cybersecurity threats like malware and phishing present serious widespread risks to both businesses and the general population. Our recent research indicates that these dangers often remain unchecked due to limited awareness and poor cybersecurity education amongst everyday consumers and workforces. For example, multiple studies show a majority of people use weak, easily guessable passwords like ‘123456’ across all their online accounts and frequently share passwords with others. One successful phishing attack could easily compromise several accounts with this lax personal security.
What’s more, some might not even know they've fallen victim to cyber attacks. While an estimated $8.8 billion was lost last year to scams, it is entirely likely that this number doesn’t encapsulate the full scope of losses, given that many people might not know about harder-to-detect attacks, like small-scale withdrawals from their bank accounts that happen on an incremental basis. A general lack of awareness and education about the types of cyber attacks that exist is creating major opportunities for bad actors everywhere. Each and every person must stay vigilant and suspicious of anything they interact with online at all times."
++
Giulia Porter, Vice President at Robokiller
"In August, Robokiller observed spam calls increased to 5.4 billion after a few month-over-month decreases. As we head into Cybersecurity Awareness Month, the holiday shopping season, and as student loan repayments resume, Americans must be aware of scams that could infiltrate their phones.
Scammers will take advantage of personal information that may be public and often acquire lists of phone numbers to then scam you via robocall or robotext. The first step in protecting your personal information is paying attention to what you share with companies or share on social media. Robokiller recommends googling your phone number to check if it’s linked to your social media or other online account."
++
Rocky Giglio, Director of Security GTM & Solutions at SADA
"The current employment and talent gap in the cybersecurity industry will continue to impact the industry for the remainder of 2023 and into 2024. At the beginning of the year, the global cybersecurity workforce was estimated to be understaffed by 3.4 million workers, a stark reminder there is substantial work to be done in order to remedy any worker shortages. To help support current cyber workers, who are likely to feel burnt out or under-supported, we’ll see further AI adoption in order to provide key support and resources for the current workforce. A combination of human expertise and AI technology will be crucial to reducing the burden of the cybersecurity staffing shortage and will help cyber workers be more prepared to prevent more complex cyber threats."
++
Scott Gerlach, CSO and Co-Founder of StackHawk
"With new technology come new attack vectors, new attack types, and new problems for security teams to learn, understand, and keep up with. With the speed and deployment of APIs growing insanely fast, and the historically unbalanced ratio of AppSec teams to Developers (1:100), to say it’s a challenge for security teams to keep pace with development is an understatement. Utilizing a developer-first philosophy that acknowledges the pivotal role software creators have with cybersecurity efforts, and bridging that gap between AppSec and engineering is critical to ensure the safe and secure delivery of APIs and applications to production. Bring the right information to the right people at the right time to help them make decisions!"
++
Manu Singh, VP of Risk Engineering at Cowbell
"Bad actors are becoming more sophisticated and clever with their approach to using emerging technologies to launch cyberattacks. The evolving cyber threat landscape is making it more difficult for organizations to defend themselves against convincing phishing emails and malicious code generated by AI.
The most important thing that organizations can learn from Cybersecurity Awareness Month is to take a proactive approach to protecting their information assets and IT infrastructure. To do this, organizations should consistently educate and promote awareness of the latest threats and risks they may face. From there, this education should transform to best practices each employee can adopt to reduce exposure to a cyber event. This promotes a culture of security rather than placing the responsibility on IT or security personnel. Organizations as a whole have the responsibility to secure and protect against the cyberthreats they face."
++
Dan Benjamin, co-founder and CEO, Dig Security
"Cloud data assets are a prime target for cyberattacks, but legacy solutions can no longer cope with the variety and volume of fragmented data held by organizations on multiple cloud environments. Organizations need data security solutions that fit the speed of innovation in the cloud without impacting their business, to address time to detect and respond to an incident; reduce the amount of shadow data; and minimize the growing attack surface. To avoid data exfiltration and data exposure, today’s organizations must take a data first approach to cloud data security. This Cybersecurity Awareness Month, enterprises should prioritize adopting solutions that deliver real-time data protection across any cloud and any data store, in order to reduce data misuse, achieve compliance, and prevent ransomware attacks or data breaches."
++
Randy Watkins, CTO of Critical Start
"Cybersecurity Awareness Month has traditionally focused on educating consumers, who are often susceptible as targets of opportunity, where there is a high likelihood of success, but a low yield. While some of the typical security reminders and best practices can transcend the workplace to create a culture of security, we should also use this opportunity to highlight additional areas of education:
- Board Level - A litany of cyber regulations has been proposed or approved on everything from breach disclosure to board membership. Educating the board on the organization's current cyber posture, impact on risk, coming regulations, along with the team's plans to accommodate the regulation can help get buy-in early and show the value of security to the organization.
- End Users - Go beyond phishing education and inform your users of the people, procedures, and products that are being used to protect them. With the understanding of the investment made by the organization, others may look to see how they could be good stewards of cyber posture.
- The Security Team – It’s time for the teachers to become the students. While cybersecurity education programs target the “riskiest attack surface of the organization” (end users), it is important to obtain feedback from those end users on how security practices and technology could be more effective."
++
Darren Guccione, CEO and Co-founder, Keeper Security
"Let’s face it - it may be time to change the name of Cybersecurity Awareness Month to Cybersecurity Action Month. Sadly, individuals and businesses around the globe are already all too aware of the pain and damage that cyberattacks can inflict.
This October, organizations should take action by prioritizing adoption of solutions that prevent the most prevalent cyberattacks, including password and Privileged Access Management (PAM) solutions. These highly effective tools offer robust cybersecurity protections, and next-gen, cloud-based versions of these solutions are accessible to any-size organization, regardless of their budget or available resources. According to recent research, PAM products give 91% of IT leaders more control over privileged user activity, decreasing the risk of insider and external breaches.
In addition to prevention, organizations must prepare and secure their systems to mitigate threats and minimize the impact on systems, data and operations. The most effective method for minimizing sprawl if an attack does occur is investing in prevention with a zero-trust and zero-knowledge cybersecurity architecture that will limit, if not altogether prevent, a bad actor’s access."
++
John Gallagher, Vice President of Viakoo Labs
"CISA chose a great theme with “Secure Our World”. The focus for anyone with network-connected IoT devices is on “Our” – meaning that IoT cybersecurity is a shared responsibility. Organizations can embrace the “Secure Our World” theme by creating an ongoing dialogue between the operators of IoT devices (the lines of business within a company) and organizations like procurement and IT who can help source IoT devices that are cyber secure and help maintain them.
It’s not “Secure Our Datacenter” or “Secure Our Computers” – it’s “Secure Our World”, which means organizations should be looking beyond computers and core applications to every network-connected device, such as IoT, and asking if that device has a plan and means to become and remain secure with the least human effort needed.
If I was to add one more word to this year's theme it would be “Automatically”. “Secure Our World Automatically” challenges organizations to improve the speed of security operations and relieve humans of tedious tasks like patching, rotating passwords, and screening for phishing attempts. Rapidly closing the window of opportunity that a threat actor can operate in is key to securing our scaled out, geographically sprawled attack surfaces of IT, IoT, OT, and ICS."
++
Kevin Paige, CISO of Uptycs
"Traditional training of watching computer-based videos is not working. Watching a video on a topic you don’t understand and expecting someone to remember the content and apply it in the real world is not how people learn.
A better approach is to plug into the systems out there collecting individual security and risk telemetry. Use this data to give employees real-time feedback on the risky and non-risky actions individuals have taken on a daily basis. Just like training a dog with positive and negative reinforcement, we can train humans based on real-time actions/information. For instance, training should show what happens first hand when an employee clicks on a phishing email, types a password in an internet browser, opens a file share to the internet, or downloads a virus from an unsafe website.
When employees don’t download software from unapproved sources they should get positive feedback. If organizations can bundle this feedback and give employees a risk score, it will allow them to assess the overall risk posture of their company."
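One way to turn the telemetry Kevin Paige describes into immediate per-employee feedback and a risk score that rolls up to the company. This Python is an added example, not Uptycs code or anything from the original article; the event names, the weights, the feedback text and the JSON-lines feed are all constructed for illustration and would be replaced by the organization's real EDR, proxy and identity events and its own tuning.

```python
import json
from collections import defaultdict

# Constructed telemetry feed in JSON-lines form, as an EDR/proxy/identity stack might emit it.
TELEMETRY = """\
{"ts": "2023-10-02T09:01:00Z", "user": "alice", "action": "phish_click"}
{"ts": "2023-10-02T09:03:00Z", "user": "alice", "action": "password_in_browser"}
{"ts": "2023-10-02T10:15:00Z", "user": "bob", "action": "phish_reported"}
{"ts": "2023-10-02T11:20:00Z", "user": "bob", "action": "approved_download"}
{"ts": "2023-10-03T08:00:00Z", "user": "carol", "action": "share_opened_to_internet"}
{"ts": "2023-10-03T08:30:00Z", "user": "carol", "action": "share_closed"}
{"ts": "2023-10-03T16:00:00Z", "user": "dave", "action": "unapproved_download"}
"""

# Hypothetical weights: positive adds risk, negative rewards the safe behaviour.
WEIGHTS = {
    "phish_click": 10,
    "password_in_browser": 6,
    "share_opened_to_internet": 8,
    "unapproved_download": 5,
    "phish_reported": -4,
    "approved_download": -1,
    "share_closed": -6,
}

# What the employee sees right after the action: the "real-time feedback".
FEEDBACK = {
    "phish_click": "You clicked a link in a simulated phish. Here is what the attacker would have seen.",
    "password_in_browser": "You typed your corporate password into a web page. Use the SSO button instead.",
    "share_opened_to_internet": "The share you opened is now reachable from the internet. Restrict it.",
    "unapproved_download": "That installer is from an unapproved source. Request it through the catalogue.",
    "phish_reported": "Thanks for reporting that message. The security team is reviewing it.",
    "approved_download": "Installed from the approved catalogue. Nice.",
    "share_closed": "Share closed. Thanks for limiting the exposure window.",
}


def parse_events(feed: str) -> list[dict]:
    """Parse JSON lines, skipping blank or malformed lines rather than aborting the batch."""
    events = []
    for line in feed.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def score_users(events: list[dict]) -> dict[str, int]:
    """Sum weights per user; floor at zero so good behaviour cannot bank credit for later risk."""
    totals = defaultdict(int)
    for ev in events:
        totals[ev["user"]] += WEIGHTS.get(ev["action"], 0)
    return {user: max(0, total) for user, total in totals.items()}


def feedback_for(events: list[dict]) -> list[str]:
    """One feedback line per event, in the order the telemetry arrived."""
    return [
        f"{ev['user']}: {FEEDBACK.get(ev['action'], 'No feedback configured for this action.')}"
        for ev in events
    ]


def org_risk(scores: dict[str, int]) -> float:
    """Company-level posture: mean per-user score (0.0 when there are no users)."""
    return sum(scores.values()) / len(scores) if scores else 0.0


if __name__ == "__main__":
    evs = parse_events(TELEMETRY)
    for line in feedback_for(evs):
        print(line)
    scores = score_users(evs)
    print(scores, "org risk:", org_risk(scores))
```

The floor at zero is a deliberate design choice: a score that can go negative lets a long run of good behaviour mask a single password-in-browser event, which is exactly the event you want surfaced.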
++
Joseph Carson, Chief Security Scientist and Advisory CISO, Delinea
"Cybersecurity Awareness Month serves as a reminder of the critical role that strong passwords and password managers play in safeguarding our digital lives. Weak passwords pose a significant risk as they can be easily exploited by cyber criminals using well-known hacking techniques. Reusing passwords across different accounts further increases this vulnerability, as a breach in one account could simply lead to compromised access in another account. Strong passwords are even better. Using passphrases provides a strong defense by making passwords long and strong, making them more difficult to crack. To effectively manage the complexity of using multiple strong passwords, use a password manager or, for your business, consider using a Privileged Access Management solution. These digital vaults offer secure solutions by storing all the passwords in a central secure vault accessible only through a single master password, and improve it even further with additional security controls such as Multi-Factor Authentication.
In today's interconnected world where digital threats are always present, MFA offers an additional layer of defense against unauthorized access. MFA goes beyond traditional passwords by requiring users to provide multiple forms of verification before gaining access to an account. This can involve something that they know like a password, something that they have like a smartphone or a security token, or something that they are like a fingerprint or a facial scan. By combining these factors, MFA significantly reduces the risk of unauthorized access, even if a password is compromised.
Cybersecurity Awareness Month also serves as a reminder of the ongoing threat posed by phishing attacks and the importance of recognizing and reporting them. Phishing remains a prevalent method used by cyber criminals to trick individuals into revealing sensitive information or engaging in harmful actions. Recognizing phishing attempts involves being vigilant about suspicious emails, messages, or links that attempt to imitate a trusted source. Cyber criminals often use urgent language, false claims, or deceptive URLs to manipulate victims into taking action that compromises their security. By educating ourselves and others about these tactics, we can reduce the risk. Reporting phishing attempts is equally crucial. Many organizations have established mechanisms for reporting suspicious emails or incidents promptly. Reporting phishing attempts can also reduce the risk and impact to business and help security teams take the appropriate action and measures to protect individuals and the networks.
Finally, Cybersecurity Awareness Month underscores the critical role of regularly updating and patching software to maintain a strong digital defense. In an era where cyber threats are constantly evolving, staying up to date with software is a fundamental and basic step to safeguarding our digital lives. Software updates and patches often include vital security fixes that address known vulnerabilities discovered since the software's original release. Cyber criminals frequently exploit these vulnerabilities to gain unauthorized access or launch numerous cyber-attacks. By promptly applying updates and patches, users close potential entry points that attackers could exploit. Neglecting software updates can have dire consequences, leaving systems exposed to a range of cyber-attacks, including malware, ransomware, and even data breaches. The proactive act of updating software safeguards sensitive information, reduces the risk of compromising attacks and helps maintain the integrity of both personal and business digital landscapes."
++
Stephen Gorham, COO, OPSWAT
"Data breaches and cyberattacks loom over every organization's digital attack surface, and staying ahead of the curve has become not just a priority, but an absolute necessity. With the evolving threat landscape, it's crucial to adopt a proactive approach to cybersecurity that covers every facet of your network and operations – and Cybersecurity Awareness Month is a good reminder of that.
1. Visibility: "You Can't Protect What You Can't See"
The old adage holds true in the realm of cybersecurity - you can't protect what you can't see. It's imperative to have a clear understanding of what assets and devices are connected to your network – especially with many critical infrastructure organizations dealing with both IT and Operational Technology (OT). Without comprehensive visibility and asset management, you are essentially navigating in the dark, leaving your organization susceptible to vulnerabilities that you may not even be aware of.
2. Insider Threats & Employee Awareness: Cyber Espionage and Social Engineering
While external threats grab the headlines, insider threats often go unnoticed until it's too late. Cyber espionage and social engineering attacks can be devastating, with malicious actors exploiting the very people who are supposed to safeguard your organization. As critical infrastructure sectors are increasingly targeted by nation-state threat actors, employee awareness and training – combined with zero-trust security measures – are your first lines of defense against these insidious threats.
3. File-borne threats
Organizations heavily rely on web applications for sharing and transferring critical documents essential for daily operations. Yet, these productivity files, such as word processing documents, spreadsheets, or PDFs, can serve as attack vectors for cybercriminals. They may embed malware within these files and deliver malicious payloads to unsuspecting users. OPSWAT's 2023 State of Web Application Security Report underscores the significance of this threat, with data breaches topping the list of concerns (73%), and reputation damage (67%) and loss in business revenue (58%) not far behind.
4. Uplevel your threat intelligence
Threat actors are becoming increasingly sophisticated, leveraging malware as an initial foothold to infiltrate targeted infrastructure and execute their attacks. To combat these threats effectively, organizations must embrace actionable threat intelligence. This intelligence is garnered through advanced technologies and processes, including sandboxes, and advanced malware analysis. By staying one step ahead of threat actors, organizations can detect and respond to threats before they escalate into full-blown crises.
The cybersecurity landscape is evolving at an alarming pace, and organizations must adapt accordingly. Comprehensive visibility, employee awareness, proactive threat hunting and actionable threat intelligence are indispensable pillars of a robust cybersecurity strategy and just a few areas that organizations should keep in mind as they build their cybersecurity resilience."
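The file-borne threats in point 3 above usually ride on a handful of document features that a gateway can check before the file reaches a user: a VBA project or an external relationship in an Office Open XML container, and JavaScript, open actions, launch actions or embedded files in a PDF. The following Python is an added example, not OPSWAT's code or anything from the original article; the sample documents are minimal stand-ins built in memory and constructed for illustration.

```python
import io
import re
import zipfile

MAX_UNCOMPRESSED = 50 * 1024 * 1024  # refuse to inflate past this: decompression bombs

# PDF features that execute or fetch content when the document is opened.
PDF_ACTIVE = [
    ("javascript", rb"/JavaScript\b|/JS\b"),
    ("open_action", rb"/OpenAction\b"),
    ("launch_action", rb"/Launch\b"),
    ("embedded_file", rb"/EmbeddedFile\b"),
    ("additional_actions", rb"/AA\b"),
]


def inspect_ooxml(data: bytes) -> list[str]:
    """Findings for a .docx/.xlsx/.pptx-style zip container."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if sum(info.file_size for info in zf.infolist()) > MAX_UNCOMPRESSED:
            return ["decompression_bomb"]
        names = [n.lower() for n in zf.namelist()]
        # word/vbaProject.bin, xl/vbaProject.bin, ...: the macro project itself.
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("vba_macro")
        # OLE objects and other embedded packages.
        if any("/embeddings/" in n for n in names):
            findings.append("embedded_object")
        # Relationships with TargetMode="External" pull content (e.g. a remote
        # template) from the network when the document is opened.
        for name in zf.namelist():
            if name.lower().endswith(".rels") and b'TargetMode="External"' in zf.read(name):
                findings.append("external_relationship")
                break
    return findings


def inspect_pdf(data: bytes) -> list[str]:
    """Findings for a PDF; a regex over the raw bytes, so compressed object streams must be inflated first."""
    return [label for label, pattern in PDF_ACTIVE if re.search(pattern, data)]


def triage(filename: str, data: bytes) -> dict:
    """Sniff the real type from magic bytes (never the extension) and route to the right inspector."""
    if data.startswith(b"PK\x03\x04"):
        kind, findings = "ooxml", inspect_ooxml(data)
    elif data.startswith(b"%PDF"):
        kind, findings = "pdf", inspect_pdf(data)
    else:
        kind, findings = "unknown", []
    verdict = "unknown" if kind == "unknown" else ("suspicious" if findings else "clean")
    return {"file": filename, "type": kind, "findings": findings, "verdict": verdict}


def build_zip(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (minimal stand-ins, not real documents).
BASE = {"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"}
CLEAN_DOCX = build_zip(BASE)
MACRO_DOCM = build_zip({**BASE, "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 28})
REMOTE_TEMPLATE_DOCX = build_zip({**BASE, "word/_rels/settings.xml.rels":
    b'<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
    b'officeDocument/2006/relationships/attachedTemplate" '
    b'Target="http://example.net/template.dotm" TargetMode="External"/></Relationships>'})
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
JS_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")

if __name__ == "__main__":
    for name, blob in [("clean.docx", CLEAN_DOCX), ("report.docm", MACRO_DOCM),
                       ("invoice.docx", REMOTE_TEMPLATE_DOCX), ("clean.pdf", CLEAN_PDF),
                       ("statement.pdf", JS_PDF), ("tool.bin", b"MZ\x90\x00")]:
        print(triage(name, blob))
```

Two caveats a gateway has to handle beyond this sketch: PDF names can be hex-escaped (`/J#61vaScript`) and whole object streams can be FlateDecode-compressed, so a production path normalizes names and inflates streams (or uses a full parser) before pattern matching; and the right answer for a file that does carry active content is usually to sanitize it (strip the macro or the action) rather than only to block it.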
++
Steve Stone, Head of Rubrik Zero Labs
"Artificial Intelligence, in particular generative AI (GAI), has dominated cybersecurity discussions in 2023. As we look at how we can think of this technology in the context of Cybersecurity Awareness Month, there are three topics worth our time.
First, GAI can demonstrably increase the capability and bandwidth of defense teams, which are typically operating beyond capacity. We should seek out the right types of automation and support that GAI lends itself well to, so we can then reinvest the precious few cycles we have in our defense experts. Let's provide those skilled practitioners the ability to leverage their capabilities in the most impactful ways and transition years of legacy workflow to increased automation delivered via GAI.
Second, what are the inevitable shifts in defense needed as threats pivot to using GAI as well? Traditionally, cybersecurity has leaned on attacker bottlenecks in our defensive posture. At a minimum, we used these bottlenecks to classify threat types based on resourcing and capability. GAI is undoubtedly going to shift these years-long expectations. If any attacker can quickly use GAI to overcome language limitations, coding gaps in knowledge, or quickly understand technical nuances in a victim environment, what do we need to do differently? We should work to be ahead of these pivots and find the new bottlenecks.
Third, GAI doesn't come with a zero cost to cybersecurity. Even if we move past using GAI, the presence of GAI leaves us with two new distinct data elements to secure. The first is the GAI model itself, which is nothing more than data and code. Second, the source material for a GAI model should be secured as well. If the model and underlying data are left undefended, we could lose these tools or have them leveraged against us in different ways all without our knowledge."
++
James Carder, CISO at Eptura
"In the spirit of Cybersecurity Awareness Month, business leaders must be mindful to secure their workplaces, whether that workplace is remote, in an office, or a hybrid model. Return-to-office (RTO) mandates have been gaining momentum post-Labor Day, signaling a shift in the way organizations approach work in a post-pandemic world. Three years after the onset of the pandemic, businesses are still grappling with security concerns as they navigate the challenge of securing employees working from various locations and devices. Despite the hesitations around mandated RTO, Eptura’s Q2 Workplace Index report found that the reality is that 79% of employees live within commuting distance of their workplace. A flexible work approach is emerging as the norm, with employees having the freedom to work from various locations. Business leaders need to recognize that this shift necessitates a comprehensive approach to cybersecurity that bridges the gap between physical and digital security.
One key consideration for business leaders is the adoption of a Zero Trust security model. Zero Trust ensures that only trusted identities (people, places, and assets, etc.) gain access to corporate resources and data, regardless of the employee's location. This approach is vital for preventing catastrophic breaches and security incidents that can occur as employees move between corporate offices, shared workspaces, and remote setups.
As employees work from diverse locations, securing both the digital and physical aspects of the workplace becomes crucial. Modern workplaces offer a variety of spaces for employees to choose from, and ensuring the safety of these spaces is paramount. Integrating physical and cybersecurity measures is essential, as attackers can exploit gaps in security when employees work from different locations. Additionally, the safety of employees is impacted by both the digital and physical aspects of the workplace, whether it is due to a cyber attack or operational outage. Smart, physical assets that operate a building have to be protected operationally, regardless of whether employees are in the building or not. By protecting facility management systems and implementing stringent access controls, businesses can enhance their overall security posture and protect both their employees and assets."
++
Rich Lilly, Director, PS Security, Netrix Global
Threat actors are leveraging LLMs to evolve attacks:
"We see attackers using Large Language Models like ChatGPT or other platforms and plug-ins that leverage these LLMs on the backend to initiate and monitor scans for open ports and other vulnerabilities that generally require manual labor. The LLMs enable attackers to read, adapt, and translate content much more quickly and efficiently, allowing them to pivot faster between different attacks.
Threat actors are also leveraging LLMs to help scan code for vulnerabilities. While in the past it may have taken a developer team, a coder or, on the defense side, a reverser hours or days to unpack or pack code, it is now done in a fraction of the time with LLMs evaluating how the code is written and finding workarounds for obfuscation.
Conducting surveillance of target systems, like port scanning, is another way that threat actors use LLMs to leverage information en masse or even partner with other repositories, systems, open-source tools or APIs to construct more sophisticated attacks."
How security teams are leveraging Generative AI:
"LLMs can help teams accelerate investigations by delivering clear, language-based guidance to help security teams respond with recommended actions or, in some cases, take steps based on detections. In the past, this process typically required additional vetting from a security analyst before taking action.
Organizations can leverage Generative AI to help shift from a response-initiated action approach with their SOCs and integrate capabilities like threat hunting, vulnerability management, and incident response plans, which were typically siloed processes conducted by different teams in the past. But by leveraging a common set of APIs, tools, or LLMs, organizations can access these data points in one fell swoop and even make references, look, and tag to service that data up into the specific instance that’s going on."
Tooling
"Every organization is like a snowflake - they all will be slightly different in their approach, methodology, and how it applies to the business. In years past, we saw customers taking a best-of-breed mindset, but I think we’ve seen a shift in customers realizing that best-of-breed doesn’t always mean best for the company mainly because the tools don’t integrate or talk well to each other, so it requires stitching a lot of these data points, instances, and other details together. This also creates overhead that customers are not always willing to invest in."
++
Adi Dubin, VP of Product Management at Skybox Security
"In 2022, the National Vulnerability Database (NVD) recorded an alarming surge in cybersecurity vulnerabilities, with a staggering 25,096 new vulnerabilities added. According to Skybox Security’s 2023 Vulnerability and Threat Trends Report, this marks the highest number of vulnerabilities ever reported in a single year and represented a substantial 25% increase from the 20,196 vulnerabilities recorded in 2021. This data underscores a concerning trend: vulnerabilities are not only on the rise but are also proliferating at an accelerating rate, making the landscape of cyber threats more challenging to navigate.
This year’s Cybersecurity Awareness Month focuses on the importance of ensuring online safety with ease. In the face of an escalating threat landscape, traditional security tools have fallen short, often creating unnecessary complexity. However, there is hope for organizations to proactively reduce risks and enhance operational efficiency. Organizations should focus on continually evaluating the accessibility, exposure, and exploitability of their digital and physical assets. To successfully adapt to this modern, risk-based paradigm, organizations should seek comprehensive solutions that consolidate cybersecurity functions, provide complete visibility into their attack surface, leverage various detection techniques, assess risks holistically, automate response processes, and collaborate with experienced cybersecurity experts."
++
Nils Gerhardt, Chief Technology Officer for Utimaco
"This Cybersecurity Awareness Month what cybersecurity professionals and the organizations that they work for need to know is how their efforts are being perceived by the people directly impacted by them. In addition to our groundbreaking work providing the root of trust for thousands of organisations around the world, we also strive to understand the social dynamics of cybersecurity.
What we have found through our annual Circles of Trust survey is that there is a very high level of trust in financial services companies, but trust in Internet of Things (IoT) technology – both in terms of security and its ability to improve society – is typically much lower. These are two sectors that, although very different, directly impact consumers, and newer ways of hacking are impacting both arenas. Worldwide, 64% of survey respondents had either absolute or some trust in financial institutions, while only 24% could define the term ‘Internet of Things’ and 57% are worried about the security of their home devices. While it is true that there have been hacks of smart devices, these are still rare, and criminals are far more likely to take funds directly from their victims through traditional scams and fraud. This means that there is an opportunity for the $320 billion IoT industry to learn how to improve their own security from their peers in finance and banking.
We know from working with IoT that, while the industry isn’t without unique challenges, security is typically very high. The issue is not that IoT hardware and software developers aren’t creating secure systems, but that it is much more difficult for the users of these systems to see and feel these security systems in action. Compare this to the typical bank user’s experience of using a banking app, where they will have to log in with PINs or biometrics and confirm payments. Many IoT devices are designed to operate invisibly, at least when security is concerned – the network of sensors that enable smart cities or even something as simple as a smart light bulb conduct all of their security operations in the background.
Our message to IoT companies would be to foreground security in your work. Of course, invest in the very latest technology, something we at Utimaco can provide, but also educate your end-users about how they can know that they are protected. Cybersecurity Awareness means more than awareness of the threats in your domain – it means an awareness of how end-users are experiencing security."
++
Carla Roncato, Vice President, Identity at WatchGuard Technologies
"As we observe the 20th anniversary of Cybersecurity Awareness Month, one thing is certain: attackers know that the easiest path to compromise an organization is through human error and social engineering. In fact, the human element is consistently ranked as one of the top factors driving breaches year after year. According to the Verizon 2023 Data Breach Investigations Report, 74% of breaches involve the human element – which is why verifying access requests with multi-factor authentication (MFA) is a necessity for everyday protection. Password-only authentication is not just inadequate, it’s antiquated. The number of stolen credentials available for sale on the dark web surpassed 24 billion last year; for those keeping track, that’s three credentials per human on the planet. No one is immune. Sadly, the Dark Web Price Index shows stolen credentials can start as low as $1, with average prices only going up from there for a broad range of specific categories and options. Compared to the cost, disruption, and overall negative business impact of a data breach or ransomware attack, MFA is not only incredibly affordable but easily worth the effort to implement. #MFAeveryday."
++
Chris Wysopal, Chief Technology Officer, Veracode
"Each year, Cybersecurity Awareness Month marks an important reminder for businesses and consumers alike to step up their cyber safety game. This year, staying safe online is more crucial than ever. As connected devices take on more critical roles in homes and businesses every day, cybersecurity must be a top priority for individuals and consumers. In July, the White House announced the launch of a “U.S. Cyber Trust Mark” as part of its voluntary labeling program for smart devices. The label indicates devices have unique and strong default passwords, data protection, software updates and incident detection. This was a step in the right direction to drive good behavior and help Americans more easily and securely select smart devices. Consumers are more likely to seek out smart devices that have the U.S. Cyber Trust Mark seal of approval.
But there’s still more work to be done. Cybersecurity is a true investment and must be viewed and treated as such by manufacturers and retailers to build long-term consumer trust."
++
Mandy Andress, CISO, Elastic
"This Cybersecurity Awareness Month is a great time to go back to the fundamentals of cybersecurity and make sure you have the basics right—from password awareness and multi-factor authentication to identity and access management, patching, and threat modeling.
From a corporate perspective, this also means focusing on the specific threats that target your organization, your tech stack, and your industry. From a CISO perspective, we need to be proactive in understanding what is coming and how to prevent it.
There are a few reasons we’re seeing some organizations overlook these fundamentals. One, it’s often regarded as boring—for many, cybersecurity is not the ‘fun’ part of innovation. Two, it takes time—organizations don’t have days to figure out who needs access to which files and credentials, so they are more likely to extend or fully open access to certain information. And finally, difficulty. We need to get to a place where we are secure by design and by default—where it’s easy to be secure—but that’s not the case quite yet.
As we look ahead to a period of lightning-fast innovation powered by generative AI, it will be essential for developers and IT leaders not to forget or skip any of these basic security hygiene steps."
++
Carolyn Duby, Field CTO & Cybersecurity GTM Lead at Cloudera
"One big consideration that is top of mind this month as we observe Cybersecurity Awareness Month, is that by embedding data privacy into the fabric of day-to-day business operations, organizations can minimize the chances of a costly data breach and achieve more streamlined compliance. Importantly, the right processes and data management technology should underpin this. In addition to reducing risk, properly secured and governed data can be shared and relied upon to help organizations drive competitive advantage."
++
Rehan Jalil, President & CEO at Securiti
"This year’s Cybersecurity Awareness Month focuses on the idea that ‘it's easy to stay safe online,’ reminding individuals that there are different methods to protect personal data from cyber threats across digital environments. Reinforcing your organization's cybersecurity foundation for corporate data has never been more crucial, yet many continue to find themselves with increasing silos that can disrupt the way sensitive data is handled.
Amidst the implementation of new technology – like generative AI – the escalating frequency of cyber breaches, the increasing complexities of multi-cloud environments, and the constantly evolving data privacy regulations, an advanced data security solution is critical to protecting the “crown jewels” - sensitive and personal data. Establishing an optimal security posture goes beyond firewalls, anti-malware and infrastructure protection - it must also have a data-centric lens. This requires a deep understanding of the entire data environment, data flow patterns, access governance policies, and configuration vulnerabilities.
Traditional discovery and classification tools are grappling to keep up with the explosive growth of data in the cloud, resulting in inconsistent data classification outcomes across architectures and teams. A holistic data security solution, with DSPM functionality, offers a strategic and efficient solution to address these concerns minimizing potential risks. It encompasses comprehensive discovery of data assets, including shadow and dark data assets, efficient identification and classification of sensitive data through machine learning and natural language processing, resolution of misconfigured data assets, and the provision of insights for secure data access policies.
As we are reminded of the critical need for data security, it is essential to reevaluate the security, compliance, governance, and privacy of sensitive data in tandem. By implementing a solution capable of comprehensive discovery of data assets, organizations can establish a resilient defense against escalating data threats in our increasingly digital age."
++
Jeff Johnson, Manager, Security Operations at MorganFranklin Consulting
"As a cybersecurity expert, I often advise individuals to establish two separate Wi-Fi networks in their homes: one for 'smart' devices and one for personal devices like laptops and PCs. The reason behind this recommendation is simple: 'smart' devices, especially those no longer supported by manufacturers or from companies that have ceased to exist, can pose security risks. These devices often lack security updates, making them vulnerable to cyber threats. By creating separate networks, you can effectively isolate these devices from your personal information on your PCs. The good news is that many modern routers support multiple networks, including a guest network, making it a relatively straightforward setup. This simple precaution can significantly enhance your home network's security, protecting your personal data and devices from potential vulnerabilities associated with 'smart' devices."
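The two-network split recommended above can be implemented on a Linux-based home router (OpenWrt or a similar distribution) with a forwarding policy like the following. This is an added example and not part of Jeff Johnson's remarks; the interface names lan0 (trusted LAN), iot0 (the second SSID or VLAN for smart devices) and wan0 (upstream) are assumptions for illustration. Consumer routers usually expose the same idea as a "guest network" or "client isolation" checkbox; the ruleset shows what that checkbox has to enforce.

```nftables
#!/usr/sbin/nft -f
# Added example: isolating an IoT/guest network from the trusted LAN.
# Assumed interface names (not from the article):
#   lan0 = trusted LAN (laptops, PCs)
#   iot0 = separate SSID/VLAN for smart devices
#   wan0 = upstream Internet link
flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for flows already allowed below
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may reach the Internet and may initiate
        # connections to smart devices (e.g. a phone controlling a bulb)
        iifname "lan0" oifname { "wan0", "iot0" } accept

        # Smart devices only get the Internet. Together with the drop
        # policy, the explicit drop below is the isolation: an unpatched
        # or abandoned device cannot open connections to the PCs.
        iifname "iot0" oifname "wan0" accept
        iifname "iot0" oifname "lan0" counter drop comment "IoT -> LAN blocked"
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept

        # Both networks still need DHCP and DNS from the router itself
        iifname { "lan0", "iot0" } udp dport { 53, 67 } accept
        iifname { "lan0", "iot0" } tcp dport 53 accept

        # Router administration (SSH, web UI) only from the trusted LAN
        iifname "lan0" tcp dport { 22, 443 } accept

        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit } accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. To check the isolation, connect a device to the IoT network and try to reach a PC on the LAN (for example a TCP connect to a known open port); the attempt should time out, and the `counter` on the IoT-to-LAN drop rule should increase. The weak configuration this replaces is a forward chain with `policy accept` and no interface rules, which is what a single flat Wi-Fi network amounts to: every smart device can talk to every PC.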
++
Bryson Bort, Faculty at IANS Research & CEO and Founder at SCYTHE
"Cybersecurity Awareness Month serves as a reminder to confront the hidden threats lurking in our digital world. While ghosts and zombies emerge in the spooky season, bad actors are ever-present, so it's important for enterprises to implement the below best practice:
Enterprise IoT and lateral movement: For enterprises, IoT introduces concerns beyond just privacy. Imagine digital zombies moving laterally within enterprises, pilfering data undetected. The solution starts with a first step policy. Stakeholders need to think about how they are controlling IoT and establishing policies as preventative and detective pieces. We must architect our systems with IoT security in mind to fend off cyber-zombies. This means implementing preventative and detective measures and avoiding blind spots."
++
Larry Whiteside Jr., CISO at RegScale
"Cybersecurity Awareness Month’s new evergreen theme “Secure Our World” is an excellent reminder that each and every one of us has an important role to play in protecting our world against cyber threats. Year over year, this unified and consistent message about cybersecurity awareness will re-instill the collaborative effort needed between individuals and organizations to keep our digital world safe.
Both broad and inclusive, “Secure Our World” encompasses a wide range of cybersecurity concerns and responsibilities relevant to individuals and organizations of all sizes. To build a safer, more trusted technology-driven world, there are some basic principles that everyone can follow to make themselves and those around them safer:
- Use multifactor authentication wherever possible
- Use passphrases instead of passwords
- Never reuse a password and/or passphrase across multiple sites
- Don’t click on links in emails or texts that you are not expecting
- Financial institutions will never call you. If one does, hang up and call them back from a number you know or can verify from a website or credit card
These rudimentary but important guidelines can protect you and your family at school, home, and at work. And though it's not a complete list, it’s a starting point to move forward, safely."
++
Will Bass, Vice President of Cybersecurity Services at Flexential
"It’s unsurprising that the rise in AI tools is rapidly transforming the threat landscape. While we won’t see the full impact of AI on the cybersecurity space immediately, we’re already seeing these tools used to create more sophisticated social engineering attacks, which is a significant threat to organizations.
Social engineering attacks, such as phishing, are the most common initial compromise for cyber incidents as organizations’ biggest security weakness remains human fallibility. As AI tools become more sophisticated, cybercriminals will likely discover new attack vectors, putting organizations and their data increasingly at risk.
To prepare against these increasing threats, organizations must prepare for when defense-in-depth fails, and an attacker is inside the organization. Having a robust incident response (IR) strategy that includes not only protecting but also detecting, responding, and recovering from a cyber incident is critical for every organization.
An area we often see neglected is the ability to recover from a cyber incident, as backups alone are not enough. Organizations should prioritize proactively developing a robust disaster recovery (DR) strategy to keep their data and systems protected, as a cyber incident is the most likely reason a disaster is declared. By implementing a robust DR strategy, including regular environment testing and incorporating tools like DRaaS – organizations can create peace of mind that when they fall victim to a cyber-attack, they’re prepared to recover their systems and data quickly."
++
Grayson Milbourne, Security Intelligence Director, OpenText Cybersecurity
"It's time to start thinking about cybersecurity more like how we think about the flu season, and now COVID season.
This means as a society we must take precautions to protect ourselves from the digital equivalent of illness.
Disruptions to our digital ecosystem can cause us pain and suffering. From lost files and photos, to lost access to an online account or the inability to find critical data at a time of need.
To minimize disruptions requires taking additional precautions and recognizing the risks. And it starts with improving cyber hygiene at home, including educating our kids.
We've been told time and time again about the value of washing our hands to avoid spreading germs. In today’s digital age, cybersecurity awareness is equally important.
It's a fast-moving digital world and it takes concerted efforts to keep up; failing to do so is increasingly costly."
++
Ed Williams, Trustwave SpiderLabs Director of EMEA
"While passwords might not appear as formidable as some other advanced security measures or tools, a carefully crafted password can truly be the decisive factor in determining whether your data or your organization's remains exposed or protected.
The conventional layered security approach is not always effective. Understanding the suitability for your specific environment, providing training for your organization, conducting parallel testing of new tools alongside your existing hardware and software, and possessing a tool capable of enforcing set policies are all crucial factors. No single tool can provide absolute protection against email attacks. Instead, an organization should establish a robust process, provide thorough training, and employ tools to ensure defense at multiple levels. Implement Multi-Factor Authentication (MFA/2FA) on all eligible accounts to thwart credential-based attacks. Microsoft's research revealed that 99% of compromised Microsoft accounts lacked MFA."
++
George Gerchow, CSO and SVP of IT, Sumo Logic
"A recent report revealed that just 52% of employees report cyberattacks, with nearly half of those employees citing "fear of repercussion" as the main driver behind keeping scams a secret. Fear should never be a reason for cyberattacks to run rampant in an organization. As we observe Cybersecurity Awareness Month, we should discuss the importance of creating an open and supportive environment for employees who fall victim to cyberattacks.
To achieve this, organizations need an approachable security team or SOC that encourages vulnerability and transparency. If an employee is phished or encounters a scam, they should feel comfortable consulting their security team and their requests for help or guidance should be welcomed. At the same time, employees must take an active role in supporting their organization's security by participating in cyber risk trainings and monitoring for potential scams. By having an approachable security team focused on inclusion, organizations can create a culture of hyper-security awareness, combined with a community dedicated to security collaboration to protect against today’s evolving threats."
##