Disaster Recovery Journal
Cybersecurity Awareness Month 2023

by Jon Seals | October 18, 2023

With Cybersecurity Awareness Month in full swing, InfoSec and cybersecurity experts comment below on how individuals and organizations can better protect themselves online. 

Bryson Bort, Faculty at IANS Research & CEO and Founder at SCYTHE:

“Cybersecurity Awareness Month serves as a reminder to confront the hidden threats lurking in our digital world. While ghosts and zombies emerge in the spooky season, bad actors are ever-present, so it’s important for enterprises to implement the below best practice:

Enterprise IoT and lateral movement: For enterprises, IoT introduces concerns beyond just privacy. Imagine digital zombies moving laterally within enterprises, pilfering data undetected. The solution starts with a first step policy.

Stakeholders need to think about how they are controlling IoT and establishing policies as preventative and detective pieces. We must architect our systems with IoT security in mind to fend off cyber-zombies. This means implementing preventative and detective measures and avoiding blind spots.”

Jessica Hebenstreit, Faculty at IANS Research & Director of Security Operations and Infrastructure at Eptura:

“In my role overseeing cloud environments and incident response, I’m constantly immersed in cybersecurity, making Cybersecurity Awareness Month a topic I hold dear. However, I believe the traditional corporate may not resonate effectively with employees. By combining a personal touch with practical tools like password managers, you can foster a culture of cybersecurity awareness that extends beyond the workplace, enhancing overall online safety for your workforce.

Make it personal: Employees deeply care about their homes, families, and communities outside of work. To engage them in cybersecurity awareness, relate the topic to their personal lives. Show how security practices can protect their loved ones, homes, and the organizations they’re involved with beyond work. By making it personal, these habits will naturally transfer to the workplace, fostering a safer work environment.”

Ed Skoudis, Faculty at IANS Research, President at SANS Technology Institute, & Founder of Counter Hack:

“I recommend a new nuance to passwords that isn’t often spoken about: adding spaces to passwords. To increase complexity, spaces can be added anywhere, but placing them at the end can be especially effective. Attackers often overlook them, causing login attempts to fail and potentially lock them out.”

Mike Rothman, Faculty at IANS Research & Chief Strategy Officer and GM of Techstrong Research:

“Avoid storing data on personal devices: A crucial but often overlooked practice is discouraging employees from storing work-related information on personal devices or using personal email accounts for work purposes. Encourage the use of cloud services provided by the organization for remote work. If these resources aren’t available, make it clear that circumventing controls by using personal devices isn’t an acceptable solution.”

Larry Whiteside Jr., CISO at RegScale:

“Cybersecurity Awareness Month’s new evergreen theme “Secure Our World” is an excellent reminder that each and every one of us has an important role to play in protecting our world against cyber threats. Year over year, this unified and consistent message about cybersecurity awareness will re-instill the collaborative effort needed between individuals and organizations to keep our digital world safe. 

Both broad and inclusive, “Secure Our World” encompasses a wide range of cybersecurity concerns and responsibilities relevant to individuals and organizations of all sizes. To build a safer, more trusted technology-driven world, there are some basic principles that everyone can follow to make themselves and those around them more safe:

  • Use multifactor authentication wherever possible 
  • Use passphrases instead of passwords 
  • Never reuse a password and/or passphrase across multiple sites 
  • Don’t click on links in emails or texts that you are not expecting 
  • Financial institutions will never call you. If one does, hang up and call them back from a number you know or can verify from a website or credit card 

These rudimentary, but important guidelines, can protect you and your family at school, home, and at work. And though it’s not a complete list, it’s a starting point to move forward, safely.”


Richard Caralli, Senior Cybersecurity Advisor, Axio:

“For 20 years, Cybersecurity Awareness Month has been raising awareness about the importance of cybersecurity, but creating a cyber-aware culture is only getting worse. Technology users are on the front line for cybersecurity, but this responsibility is not taken seriously either because it’s a lower priority (average consumers place preference on product features over security), or they don’t fundamentally understand it (cybersecurity technologies at the consumer level are not entirely intuitive).

There are approximately 12 million lines of code on a typical smartphone operating system, and on those devices, thousands of configurable settings that affect security and privacy. If an organization issues a device like an iPhone, they can centrally ensure the security and privacy settings fall in line with organizational policy. But, in an increasingly bring-your-own-device world, and especially for retail consumers, all bets are off. 

With configurability being a key desirable feature of applications, users unfortunately put little effort into ensuring they are protected from not only attackers, but also from legitimate attempts to use their data in ways that may over-expose them. It isn’t sufficient to fall in line with the standard security recommendations anymore—such as implementing MFA. Users must initiate their own security and privacy review of the software and devices they use, instead of focusing only on configuring features and applications that are important to them. 

Until fixed, consumers will continue to be a rich target—and attackers know it. To create a more cyber-aware culture, users should review all default settings on new software and devices and make changes as appropriate. And while not an easy task, several guides being produced—Consumer Reports, for example, publishes a Guide to Digital Security and Privacy—can help users configure important settings, or at least give them the option to decide on the balance between functionality and security/privacy.”

Jeff Reich, Executive Director, IDSA:

“So far, 2023 has shown us that all it takes is one compromised identity to have a huge effect on the targeted organization, the industry vertical, and society at large. And year after year, the IDSA’s research demonstrates that it takes more than a strong password to keep bad actors at bay. Today’s questions swirl around what it will take to stem the increasing onslaught of identity-related breaches. From the Least Privilege principle to Multi-Factor Authentication (MFA), routine access reviews, and Zero Trust, it will take parts of each of these, plus more, to address this problem.

The bigger question is, how do we get this done? Security, as part of a larger risk management program, is the answer. This year marks the 20th anniversary of Cybersecurity Awareness Month and the new theme is Secure Our World. This is appropriate because, as we have seen, the effects can and do shape events around the world. By continuing to better educate ourselves and raise awareness around this global issue, we will solve this problem.

The key is to better know the environments in which we operate, the associated risks, and ways to eliminate or lower the severity of the outcomes. This is incumbent upon each of us and all of us. The message is the same, although updated. Learn what you can do to protect yourself and help others. Security professionals: work to make systems more resilient and frictionless. For users of these systems: learn to use them and make them work for you.”

Irfan Shakeel, VP of Training and Certification Services, OPSWAT: 

“Recent findings from Tessian’s Human Factor Report 2023 found that 88% of data breaches are caused by employee mistakes. This underscores the paramount importance of investing in our first line of cybersecurity defense: our workforce. Cybersecurity Awareness Month is not merely about social media posts or celebratory events; it is about educating employees, vendors, and all other stakeholders on cybersecurity best practices and other security policies. By doing so, we ensure that our primary defense doesn’t become our most significant vulnerability.

IT/OT convergence is not just a trend, but a necessity, driven by its transformative benefits such as streamlined operations, real-time data access, and data-driven decision-making. However, this integration also expands the attack surface, introducing new security challenges. As we observe Cybersecurity Awareness Month, it’s the perfect opportunity to bridge the gap between industrial teams and their IT counterparts. This month is ideal for hosting hands-on cybersecurity awareness training sessions and organizing engaging activities like cybersecurity scavenger hunts. By fostering collaboration and camaraderie, we can pave the way for a more cyber-resilient OT environment.”

Stephen Gorham, COO, OPSWAT: 

“Data breaches and cyberattacks loom over every organization’s digital attack surface, and staying ahead of the curve has become not just a priority, but an absolute necessity. With the evolving threat landscape, it’s crucial to adopt a proactive approach to cybersecurity that covers every facet of your network and operations – and Cybersecurity Awareness Month is a good reminder of that.

1. Visibility: “You Can’t Protect What You Can’t See”
The old adage holds true in the realm of cybersecurity – you can’t protect what you can’t see. It’s imperative to have a clear understanding of what assets and devices are connected to your network – especially with many critical infrastructure organizations dealing with both IT and Operational Technology (OT). Without comprehensive visibility and asset management, you are essentially navigating in the dark, leaving your organization susceptible to vulnerabilities that you may not even be aware of.

2. Insider Threats & Employee Awareness: Cyber Espionage and Social Engineering
While external threats grab the headlines, insider threats often go unnoticed until it’s too late. Cyber espionage and social engineering attacks can be devastating, with malicious actors exploiting the very people who are supposed to safeguard your organization. As critical infrastructure sectors are increasingly targeted by nation-state threat actors, employee awareness and training – combined with zero-trust security measures – are your first lines of defense against these insidious threats. 

3. File-borne threats 
Organizations heavily rely on web applications for sharing and transferring critical documents essential for daily operations. Yet, these productivity files, such as word processing documents, spreadsheets, or PDFs, can serve as attack vectors for cybercriminals. They may embed malware within these files and deliver malicious payloads to unsuspecting users. OPSWAT’s 2023 State of Web Application Security Report underscores the significance of this threat, with data breaches topping the list of concerns (73%), and reputation damage (67%) and loss in business revenue (58%) not far behind.

4. Uplevel your threat intelligence 
Threat actors are becoming increasingly sophisticated, leveraging malware as an initial foothold to infiltrate targeted infrastructure and execute their attacks. To combat these threats effectively, organizations must embrace actionable threat intelligence. This intelligence is garnered through advanced technologies and processes, including sandboxes, and advanced malware analysis. By staying one step ahead of threat actors, organizations can detect and respond to threats before they escalate into full-blown crises.

The cybersecurity landscape is evolving at an alarming pace, and organizations must adapt accordingly. Comprehensive visibility, employee awareness, proactive threat hunting and actionable threat intelligence are indispensable pillars of a robust cybersecurity strategy and just a few areas that organizations should keep in mind as they build their cybersecurity resilience.” 

Ariel Parnes, COO and Co-Founder, Mitiga: 

“As cybercrime moves to the cloud – as evidenced by recent exploits like Scattered Spider’s ransomware attack on MGM to Storm-0558’s attack targeting Microsoft Exchange – there is a whole new level of cyber awareness that is needed from everyone in organizations. Awareness this Cybersecurity Awareness Month is especially important for enterprise leaders evolving their tech stacks and updating capabilities in order to manage risk and grow resilience. To effectively respond to this new breed of incidents—and fast—enterprise leaders need to:

  • Understand the new and evolving threat landscape, and educate their team and peers
  • Assume breach, but more importantly: assume cloud/SaaS breach
  • Define SMART (Specific, Measurable, Attainable, Relevant, and Time-Bound) KPIs for cloud and SaaS breach readiness
  • Build a plan to improve the KPIs through people, processes, and technology
  • Exercise, exercise, exercise!

Especially in light of the SEC’s latest ruling requiring organizations to disclose a material breach within four days following its discovery, this undeniably necessitates organizations to rapidly evaluate the severity of an attack and ensure accurate and timely reporting—a process that demands swift investigation. But there’s an added dimension: potential adversaries might exploit this regulation, heightening pressure on the compromised entity by revealing (real or fake) details of the breach—as in the MGM attack. We have seen this in the past, and with the new regulations, we should expect to see it more. Organizations should prepare for these situations in a multi-layered approach, building, expanding, and exercising capabilities in: rapid investigation, negotiation, comms, and PR.”
