7 views on the important lessons of Cybersecurity Awareness Month
This month is National Cybersecurity Awareness Month, a time for organizations and individuals alike to think about their data, likely security threats and best practice defense strategies.
To help in that effort, Information Management spoke with several data security experts for their views on the meaning of this month’s observance, and what lessons organizations can put into practice to better protect themselves.
Cybersecurity awareness is an everyday job
“The perils of the internet continue to increase year after year, with cyberattacks becoming more frequent and more sophisticated. Large organizations, and even the federal government, have recently felt the sting of numerous attacks - illustrating the evolving and increasingly complex landscape we are living in.
“Cybersecurity Awareness Month is a great opportunity to raise awareness around the importance of taking cybersecurity measures to protect your business. While cybersecurity awareness month is only a month long, it is important to remember that cybersecurity awareness is an everyday job.”
- Lex Boost, chief executive officer, Leaseweb USA
IoT device security practices are front and center this month
“Securing Internet of Things (IoT) devices and data for business use cases is one of the hottest topics during Cyber Security Awareness Month this year. At its core, IoT represents a huge expansion of the network edge, with each deployment potentially covering wired broadband, public and private LTE, WiFi and LoRA WAN connectivity.
“In the not too distant future, we’ll see IoT deployments take advantage of 5G connectivity as well. The good thing is the industry and governments have started efforts to better define the inherent security controls and best practices that will help, over time, improve the overall security of IoT deployments. But that will take some time to gain mass adoption in the market.
“IoT devices and routers are a major source of attacks for cybercriminals and nation state attackers. According to Symantec, in 2018, 75 percent of botnets were router focused. IoT security can be daunting for many businesses, and there are a number of important areas that everyone who has deployed or is considering deploying IoT applications should consider.
“Devices typically do not have layered security features or secure software development and patching models integrated with their solutions. On top of that, many IoT devices cannot be accessed, managed, or monitored like conventional IT devices. Depending on the use case and vendor, there can be numerous OS, management and API-level interfaces and capabilities to manage.”
- Todd Kelly, chief security officer, Cradlepoint
Cyberattacks continue to grow in frequency and intensity
“Recent cyberattacks on major companies such as Sprint, Capital One and Experian continue to show how the threat landscape is complex and sophisticated. In fact, the US Signal 2019 State of Web and DDoS Attacks survey revealed that 83 percent of organizations have experienced a cyberattack within the last two years and 30 percent said that it caused approximately 20 hours of downtime.
“On the 16th anniversary of National Cyber Security Awareness Month, it’s important to think about how your organization can work to prevent and mitigate cyberattacks. Many organizations are turning to managed service providers to help implement, monitor and maintain a mixture of cybersecurity technologies, including cloud-based firewalls, DDoS protection and email security. In addition, 97 percent of participating organizations scan and test for vulnerabilities within their web applications.
“The recent number of organizations that are experiencing cyberattacks is jarring. The survey brings to light that there is always room for improvement in keeping up with modern cyberthreats. National Cyber Security Awareness Month is a great opportunity to remind companies of the need for more robust security tools and managed services to help resource-strapped technical teams year round.”
- Trevor Bidle, vice president of information security and compliance officer, US Signal
The lessons of Cybersecurity Awareness Month should be applied all year
“Ransomware has become an increasingly concerning issue for individuals and businesses alike, especially in the last few years. And, as the volume of data increases, so will the frequency and intensity of attacks. In fact, ransomware attacks increased by 118 percent across all industries in the first quarter of 2019, according to a recent McAfee report. These kinds of brazen, disruptive attacks on IT infrastructure shows why events, such as the upcoming National Cybersecurity Awareness Month, are vital to promote better protecting mission-critical data against ransomware.
"There are simple steps and actions you can take to protect your business, personal information and assets from attacks. For example, implement a data protection, disaster recovery and business continuity strategy, utilizing a fully integrated anti-ransomware defense powered by machine learning models, proactively detecting and preventing ransomware attacks before they occur.”
“While National Cybersecurity Awareness Month is only a month-long, cybersecurity vigilance and strategies such as these should be implemented all year-round.”
- Alan Conboy, Office of the chief technology officer, Scale Computing
Behavior analytics can aid in spotting hackers and attackers
“Almost all of the huge breaches we read about in the news involve attackers leveraging stolen user credentials to gain access to sensitive corporate data. This presents a significant problem for security teams. After all, an attacker with valid credentials looks just like a regular user.
“Identifying changes in the behavior of these credentials is the key to successfully uncovering an attack. But in an age of alert overload, security teams are often overwhelmed and can struggle to make sense of the data in front of them.
“Applying User and Entity Behaviour Analytics (UEBA) to the data already collected within most organizations can help security teams connect the dots and provide a useful profile of network user activity. By connecting the dots and creating a map of a user’s activities, even when the identity components are not explicitly linked, security teams can create baselines of normal behavior for every user on the network. This makes it easier to identify when a user’s activity requires further investigation. It may not stop you being breached, but it will tell you about it before the damage is done.”
- Steve Gailey, head of solutions architecture, Exabeam
A strong defense strategy depends on the right culture and tools
"Cyber threats such as ransomware can be a huge threat to businesses, and even just a single employee clicking a malicious link in their emails will mean a ransom must be paid for all business data encrypted. Cyber-criminals often exploit vulnerabilities in employee emails, so it is crucial to have the right cyber-defenses in place to avoid a disaster where customer data, and a lot of money, could be at risk.
“Having an extensive tiered security model and instilling a strong cyber-security-aware culture across all employees will help minimize risk. But, the attack itself is only half of the problem because, without sufficient recovery tools, the resulting outage will cause loss of data and money, as well as reputational harm.
“In the event of any disaster, businesses should utilize tools that allow them to roll back and recover all of their systems to a point in time just before an attack. This level of disaster recovery is paramount, as employee emails continue to exist at the core of most businesses, they remain a standing target for ever-sophisticated cybercriminals."
- Avi Raichel, chief information officer, Zerto
Everyone should own IT, secure IT and protect IT
“This National Cyber Security Awareness Month, it’s important for individuals to own IT, secure IT, protect IT -- in both their personal lives and at work.
“For consumers, only purchase online from well-known stores. Stores like Amazon, eBay, Walmart and Nordstrom spend a lot of money and resources to make sure your data is safe. Just because a store uses encryption does not mean that once they have your data that it is kept secure. Avoid smaller unknown sites that may or may not have the proper level of security for your data.
“Larger established companies also usually have a well-defined process for disputing purchases that may be fraud. Keep an eye on your credit card statements for unauthorized charges, even at stores you normally shop at.
“Use multi-factor authentication when possible. If a website or app allows for multi-factor authentication, the hassle is worth the extra level of security. This is usually in the form of a code that comes to your registered phone or email address.
“Keep social media content private. Unless you are a movie star, or these days a YouTube star, you should be careful about what personal data you post on social media. This is a common way that celebrities get hacked as passwords are often derived from pet’s names, favorite foods, or other personal information. Public personal data also increases your risk for identity theft.
“These are key considerations we all need to make this month--and every day--to keep our data, and in turn, our employers’ data, safe.”
- Harold Sasaki, senior director, IT and TechOps, WhiteHat Security