With Cybersecurity Awareness Month well underway, even more experts are weighing in on this important topic.
Jason Dettbarn, Founder & CEO, Addigy (https://addigy.com/):
“Cybersecurity has moved from an afterthought to one of the more important decisions in the boardroom, as executives have come to understand the potential scale and impact of attacks. Breaches don’t just cost money – they can debilitate a company.
“IT leaders need to ensure they are leveraging the right security processes and tools to maintain compliance vigilance, which includes a layered approach to OS Patching, Application Patching, adhering to Compliance Frameworks, and End-User Authentication Management. The speed and impact of Zero Day vulnerabilities highlight the importance of applying these patches throughout an organization’s entire fleet of devices in a timely fashion. National Cybersecurity Awareness Month serves as a good reminder of this.”
Carl D’Halluin, CTO, Datadobi (www.datadobi.com):
“Cybersecurity Awareness Month is a critical reminder that effective cybersecurity isn’t solely about building higher walls against external threats. It’s equally about understanding and managing the data you already hold within those walls. Illegal and orphaned data are prime examples of internal vulnerabilities that often go overlooked.
“The risks of harboring illegal data are multi-faceted, spanning potential legal issues, reputational harm, and increased susceptibility to network compromise due to embedded malware. Orphaned data, often accumulating unnoticed due to employee turnover, can pose governance and compliance risks.
“This month-long focus is not just an opportunity but a necessity for organizations to deepen their commitment to employing the necessary methodologies and technologies that enable effective internal data governance and oversight. A proactive, inside-out approach to cybersecurity has never been more crucial.”
Don Boxley, CEO and Co-Founder, DH2i (www.dh2i.com):
“Today, cyber threats are escalating into full-blown crises – making Cybersecurity Awareness Month more than just a gentle reminder, but a stark warning that we must urgently overhaul our digital defenses. Gone are the days when established security measures like VPNs sufficed. Hackers are continually advancing, rendering traditional methods increasingly obsolete. Proactive security isn’t an option; it’s an absolute necessity if organizations want to survive into the future.
“Software-Defined Perimeters (SDPs) are rapidly gaining prominence as an innovative and intelligent alternative to VPNs. They address and eliminate many traditional VPN vulnerabilities, such as susceptibility to lateral network attacks that could compromise sensitive organizational assets. SDPs simplify the secure connection of network assets across diverse infrastructures—from on-premises to hybrid and multi-cloud setups—and closely align with Zero Trust Network Access (ZTNA) principles. By adhering to the Zero Trust tenet of “never trust, always verify,” SDPs offer stringent security controls at the application level. This ensures that resources like servers, storage units, applications, IoT devices, and users gain access only to the specific data endpoints required for their tasks, thereby eliminating potential vulnerabilities such as lateral movement paths that attackers could exploit.
“Let us heed National Cybersecurity Awareness Month as an urgent call to action for adopting next-generation solutions like SDPs and Zero Trust principles. In doing so, we will be equipping organizations and individuals with the robust defenses needed to outpace ever-advancing cyber threats.”
Seth Blank, CTO, Valimail (https://www.valimail.com/):
“October may conjure images of falling leaves and Halloween festivities, but it’s also Cybersecurity Awareness Month—a crucial period that calls for our attention on the increasing threats in the digital landscape. Among these threats, one that’s often pushed to the background but deserves center stage is email security.
“Email is the battleground where some of the most sophisticated social engineering attacks, like spear-phishing and whaling, are waged. These attacks exploit human psychology, leveraging the absence of the usual cues we rely on to assess trust—no facial expressions, no tone of voice, just cold text on a screen. You’ve probably been inundated with the same stats again and again, like the fact that 91% of all cyberattacks start with phishing. Or that the FBI has reported $50 billion—with a b—in losses due to business email compromise (BEC). And due to that inundation, it’s easy for some to look at email as an old problem. But those stats show the problem is not just as bad as it’s ever been; it’s getting worse. Much, much worse.
“The bottom line is that even if the stats have become easy to ignore—the problem is real, and one misstep can wreak havoc. This Cybersecurity Awareness Month, don’t just scroll past the warnings—take them to heart. Beef up your email security, or get ready for a world of hurt. The ball is in your court, and it’s ticking.”
Grayson Milbourne, Security Intelligence Director, OpenText Cybersecurity:
“It’s time to start thinking about cybersecurity more like how we think about the flu season, and now covid season.
“This means as a society we must take precautions to protect ourselves from the digital equivalent of illness.
“Disruptions to our digital ecosystem can cause us pain and suffering. From lost files and photos, to lost access to an online account or the inability to find critical data at a time of need.
“To minimize disruptions requires taking additional precautions and recognizing the risks. And it starts with improving cyber hygiene at home, including educating our kids.
“We’ve been told time and time again about the value of washing our hands to avoid spreading germs. In today’s digital age, cybersecurity awareness is equally important.
“It’s a fast-moving digital world and it takes concerted efforts to keep up; failing to do so is increasingly costly.”
Troy Gill, Senior Manager of Threat Research, OpenText Cybersecurity:
“Business Email Compromise (BEC) attacks can cost businesses millions of dollars in losses. While prevention and detection of these attacks cannot be understated, there is also a low-tech and FREE method to disrupting these attacks – cybersecurity awareness.
“With the benefit of hindsight, it is easy to see that in many cases losses could have been prevented by simply picking up the phone. We’ve heard several accounts of unsuspecting victims, thinking they were communicating with someone they legitimately transact with, yet they were actually receiving an email from an attacker (that had access to the legitimate person’s email account). Email requests, sent by the attacker, frequently advised the unsuspecting victims of a change in account numbers for invoices or upcoming wire transfers. The (attacker-sent) requests were fulfilled and large sums were sent to the attacker-controlled accounts. In almost all these scenarios, losses could have been avoided by simply calling the perceived sender of the email and confirming over the phone the account/routing change; this goes for internal communications as well. Because it is not a matter of if your organization will encounter a BEC, but when, finance teams need to talk about BEC attacks and put simple yet effective policies in place that will at the very least make successful BEC attacks more difficult for threat actors.”
Christopher Cain, Manager, Threat Research, OpenText Cybersecurity:
“One of the biggest misconceptions about cyber-attacks among employees is a resignation or fear that attacks are inevitable, especially when we continually see headlines reporting on giants, like MGM, falling victim. The truth is only a select few cyber-attacks are technically complex and even those typically rely on some amount of human error. While there is no one ‘simple trick’ that we can teach employees, ongoing education through security awareness training, a little common sense, and even a healthy dose of paranoia can make a world of difference. If everyone took the time to be cautious about things like emails, passwords, typos and access, many attacks could be avoided. It’s the basics that we continually forget – inspect email headers, and never click on links in emails or open attachments unless you’re certain they are safe. And of course, keep passwords complex and updated even for personal accounts and whenever possible enroll in multi-factor authentication. Lastly, avoid overthinking and simply take responsibility for what you can control.”
Rehan Jalil, President & CEO at Securiti:
“This year’s Cybersecurity Awareness Month focuses on the idea that ‘it’s easy to stay safe online,’ reminding individuals that there are different methods to protect personal data from cyber threats across digital environments. Reinforcing your organization’s cybersecurity foundation for corporate data has never been more crucial, yet many continue to find themselves with increasing silos that can disrupt the way sensitive data is handled.
“Amidst the implementation of new technology – like generative AI – the escalating frequency of cyber breaches, the increasing complexities of multi-cloud environments, and the constantly evolving data privacy regulations, an advanced data security solution is critical to protecting the “crown jewels” – sensitive and personal data. Establishing an optimal security posture goes beyond firewalls, anti-malware and infrastructure protection – it must also have a data-centric lens. This requires a deep understanding of the entire data environment, data flow patterns, access governance policies, and configuration vulnerabilities.
“Traditional discovery and classification tools are grappling to keep up with the explosive growth of data in the cloud, resulting in inconsistent data classification outcomes across architectures and teams. A holistic data security solution, with DSPM functionality, offers a strategic and efficient solution to address these concerns minimizing potential risks. It encompasses comprehensive discovery of data assets, including shadow and dark data assets, efficient identification and classification of sensitive data through machine learning and natural language processing, resolution of misconfigured data assets, and the provision of insights for secure data access policies.
“As we are reminded of the critical need for data security, it is essential to reevaluate the security, compliance, governance, and privacy of sensitive data in tandem. By implementing a solution capable of comprehensive discovery of data assets, organizations can establish a resilient defense against escalating data threats in our increasingly digital age.”
Adi Dubin, VP of Product Management at Skybox Security:
“In 2022, the National Vulnerability Database (NVD) recorded an alarming surge in cybersecurity vulnerabilities, with a staggering 25,096 new vulnerabilities added. According to Skybox Security’s 2023 Vulnerability and Threat Trends Report, this marks the highest number of vulnerabilities ever reported in a single year and represented a substantial 25% increase from the 20,196 vulnerabilities recorded in 2021. This data underscores a concerning trend: vulnerabilities are not only on the rise but are also proliferating at an accelerating rate, making the landscape of cyber threats more challenging to navigate.
“This year’s Cybersecurity Awareness Month focuses on the importance of ensuring online safety with ease. In the face of an escalating threat landscape, traditional security tools have fallen short, often creating unnecessary complexity. However, there is hope for organizations to proactively reduce risks and enhance operational efficiency. Organizations should focus on continually evaluating the accessibility, exposure, and exploitability of their digital and physical assets. To successfully adapt to this modern, risk-based paradigm, organizations should seek comprehensive solutions that consolidate cybersecurity functions, provide complete visibility into their attack surface, leverage various detection techniques, assess risks holistically, automate response processes, and collaborate with experienced cybersecurity experts.”
Richard Caralli, Senior Cybersecurity Advisor, Axio:
“For 20 years, Cybersecurity Awareness Month has been raising awareness about the importance of cybersecurity, but creating a cyber-aware culture is only getting worse. Technology users are on the front line for cybersecurity, but this responsibility is not taken seriously either because it’s a lower priority (average consumers place preference on product features over security), or they don’t fundamentally understand it (cybersecurity technologies at the consumer level are not entirely intuitive). There are approximately 12 million lines of code on a typical smartphone operating system, and on those devices, thousands of configurable settings that affect security and privacy. If an organization issues a device like an iPhone, they can centrally ensure the security and privacy settings fall in line with organizational policy. But, in an increasingly bring-your-own-device world, and especially for retail consumers, all bets are off. With configurability being a key desirable feature of applications, users unfortunately put little effort into ensuring they are protected from not only attackers, but also from legitimate attempts to use their data in ways that may over-expose them. It isn’t sufficient to fall in line with the standard security recommendations anymore—such as implementing MFA. Users must initiate their own security and privacy review of the software and devices they use, instead of focusing only on configuring features and applications that are important to them. Until fixed, consumers will continue to be a rich target—and attackers know it. To create a more cyber-aware culture, users should review all default settings on new software and devices and make changes as appropriate. And while not an easy task, several guides being produced—Consumer Reports, for example, publishes a Guide to Digital Security and Privacy—can help users configure important settings, or at least give them the option to decide on the balance between functionality and security/privacy.”
Jeff Reich, Executive Director, IDSA:
“So far, 2023 has shown us that all it takes is one compromised identity to have a huge effect on the targeted organization, the industry vertical, and society at large. And year after year, the IDSA’s research demonstrates that it takes more than a strong password to keep bad actors at bay. Today’s questions swirl around what it will take to stem the increasing onslaught of identity-related breaches. From the Least Privilege principle to Multi-Factor Authentication (MFA), routine access reviews, and Zero Trust, it will take parts of each of these, plus more, to address this problem. The bigger question is, how do we get this done? Security, as part of a larger risk management program, is the answer. This year marks the 20th anniversary of Cybersecurity Awareness Month and the new theme is Secure Our World. This is appropriate because, as we have seen, the effects can and do shape events around the world. By continuing to better educate ourselves and raise awareness around this global issue, we will solve this problem. The key is to better know the environments in which we operate, the associated risks, and ways to eliminate or lower the severity of the outcomes. This is incumbent upon each of us and all of us. The message is the same, although updated. Learn what you can do to protect yourself and help others. Security professionals: work to make systems more resilient and frictionless. For users of these systems: learn to use them and make them work for you.”
Irfan Shakeel, VP of Training and Certification Services, OPSWAT:
“Recent findings from Tessian’s Human Factor Report 2023 found that 88% of data breaches are caused by employee mistakes. This underscores the paramount importance of investing in our first line of cybersecurity defense: our workforce. Cybersecurity Awareness Month is not merely about social media posts or celebratory events; it is about educating employees, vendors, and all other stakeholders on cybersecurity best practices and other security policies. By doing so, we ensure that our primary defense doesn’t become our most significant vulnerability.
“IT/OT convergence is not just a trend, but a necessity, driven by its transformative benefits such as streamlined operations, real-time data access, and data-driven decision-making. However, this integration also expands the attack surface, introducing new security challenges. As we observe Cybersecurity Awareness Month, it’s the perfect opportunity to bridge the gap between industrial teams and their IT counterparts. This month is ideal for hosting hands-on cybersecurity awareness training sessions and organizing engaging activities like cybersecurity scavenger hunts. By fostering collaboration and camaraderie, we can pave the way for a more cyber-resilient OT environment.”
Stephen Gorham, COO, OPSWAT:
“Data breaches and cyberattacks loom over every organization’s digital attack surface, and staying ahead of the curve has become not just a priority, but an absolute necessity. With the evolving threat landscape, it’s crucial to adopt a proactive approach to cybersecurity that covers every facet of your network and operations – and Cybersecurity Awareness Month is a good reminder of that.
1. Visibility: “You Can’t Protect What You Can’t See”
The old adage holds true in the realm of cybersecurity – you can’t protect what you can’t see. It’s imperative to have a clear understanding of what assets and devices are connected to your network – especially with many critical infrastructure organizations dealing with both IT and Operational Technology (OT). Without comprehensive visibility and asset management, you are essentially navigating in the dark, leaving your organization susceptible to vulnerabilities that you may not even be aware of.
2. Insider Threats & Employee Awareness: Cyber Espionage and Social Engineering
While external threats grab the headlines, insider threats often go unnoticed until it’s too late. Cyber espionage and social engineering attacks can be devastating, with malicious actors exploiting the very people who are supposed to safeguard your organization. As critical infrastructure sectors are increasingly targeted by nation-state threat actors, employee awareness and training – combined with zero-trust security measures – are your first lines of defense against these insidious threats.
3. File-borne threats
Organizations heavily rely on web applications for sharing and transferring critical documents essential for daily operations. Yet, these productivity files, such as word processing documents, spreadsheets, or PDFs, can serve as attack vectors for cybercriminals. They may embed malware within these files and deliver malicious payloads to unsuspecting users. OPSWAT’s 2023 State of Web Application Security Report underscores the significance of this threat, with data breaches topping the list of concerns (73%), and reputation damage (67%) and loss in business revenue (58%) not far behind.
4. Uplevel your threat intelligence
Threat actors are becoming increasingly sophisticated, leveraging malware as an initial foothold to infiltrate targeted infrastructure and execute their attacks. To combat these threats effectively, organizations must embrace actionable threat intelligence. This intelligence is garnered through advanced technologies and processes, including sandboxes, and advanced malware analysis. By staying one step ahead of threat actors, organizations can detect and respond to threats before they escalate into full-blown crises.
“The cybersecurity landscape is evolving at an alarming pace, and organizations must adapt accordingly. Comprehensive visibility, employee awareness, proactive threat hunting and actionable threat intelligence are indispensable pillars of a robust cybersecurity strategy and just a few areas that organizations should keep in mind as they build their cybersecurity resilience.”
Ariel Parnes, COO and Co-Founder, Mitiga:
“As cybercrime moves to the cloud – as evidenced by recent exploits ranging from Scattered Spider’s ransomware attack on MGM to Storm-0558’s attack targeting Microsoft Exchange – there is a whole new level of cyber awareness that is needed from everyone in organizations. Awareness this Cybersecurity Awareness Month is especially important for enterprise leaders evolving their tech stacks and updating capabilities in order to manage risk and grow resilience. To effectively respond to this new breed of incidents—and fast—enterprise leaders need to:
- Understand the new and evolving threat landscape, and educate their team and peers
- Assume breach, but more importantly: assume cloud/SaaS breach
- Define SMART (Specific, Measurable, Attainable, Relevant, and Time-Bound) KPIs for cloud and SaaS breach readiness
- Build a plan to improve the KPIs through people, processes, and technology
- Exercise, exercise, exercise!
“Especially in light of the SEC’s latest ruling requiring organizations to disclose a material breach within four days following its discovery, this undeniably necessitates organizations to rapidly evaluate the severity of an attack and ensure accurate and timely reporting—a process that demands swift investigation. But there’s an added dimension: potential adversaries might exploit this regulation, heightening pressure on the compromised entity by revealing (real or fake) details of the breach—as in the MGM attack. We have seen this in the past, and with the new regulations, we should expect to see it more. Organizations should prepare for these situations in a multi-layered approach, building, expanding, and exercising capabilities in: rapid investigation, negotiation, comms, and PR.”
More comments here:
https://drj.com/industry_news/experts-discuss-cybersecurity-awareness-month/