Updated 10.25.22. Industry professionals have provided their thoughts on various aspects of cybersecurity in honor of Cybersecurity Awareness Month. We'll continue to update this discussion throughout October.
Cybersecurity Awareness Month: observations and counsel from industry leaders.
The start of October marked the beginning of Cybersecurity Awareness Month. Industry leaders have commented on various aspects of cybersecurity for this month, and we’ve rounded up a few of their comments.
First, consider the threat.
Sagi Berco, VP of R&D at NanoLock Security, wrote about the range of threats and the varied motivations of threat actors:
“If you think your organization is safe, think again. Though hackers’ motivations can include financial or geopolitical gain, personal grudges, or amusement, many opportunistic hackers don’t need a reason; they just need an opening or an excuse. Even social media commentary on current events could prompt an attack, as we’ve seen that individuals speaking out against Russia’s actions in Ukraine is enough to invite a ransomware attack on their company. So, whether you're a large enterprise, a small company, or a private person - you're at risk of a cyber-attack.”
Pervasive ransomware makes complacency a non-starter.
Ian McShane, Vice President of Strategy at Arctic Wolf, believes that ransomware is pervasive and will continue to affect organizations worldwide: “With ransomware and extortion dominating security incidents worldwide, businesses can no longer afford to be complacent. Leaders must focus on getting the fundamentals of cybersecurity in place.
"Without well considered and fully deployed security measures in place, an attack can have far-reaching consequences for the businesses affected, including economic losses, compromised IT systems, and reputational damage. As we have seen with recent attacks on critical services such as the NHS, cyber criminals do not discriminate against the type of organisations they choose to attack. This means businesses of any size can become a prime target for attackers looking to cause maximum disruption.
"Most people will be familiar with ‘the 5 p’s of success’ and this is just as relevant in cybersecurity and IT. Business leaders must help their organizations understand how to respond in the event of an attack or security incident. Planning and practicing how the response *should* work and who makes critical decisions, can be the difference between an attack and an expensive breach. Start with determining the true extent of the damage. Which services have been affected, and what recovery options are available? This will allow leaders to develop a coherent strategy for dealing with ransomware, ensuring any attacks remain a one-time affair.”
Brian Dunagan, vice president of engineering at Retrospect, a StorCentric Company, also drew attention to ransomware as one of the principal security challenges organizations face:
“CyberSecurity Awareness Month is a great reminder that we must remain vigilant and always be thinking about how to handle the next wave of cyberattacks. While external bad actors, ransomware and other malware, are the most common threats, malicious or even careless employee actions can also present cybersecurity risks. In other words, it is virtually a given that at some point most will suffer a failure, disaster or cyberattack. However, given the world’s economic and political climate, the customers I speak with are most concerned about their ability to detect and recover from a malicious ransomware attack.
"My advice to these customers is that beyond protection, organizations must be able to detect ransomware as early as possible to stop the threat and ensure their ability to remediate and recover. A backup solution that includes anomaly detection to identify changes in an environment that warrants the attention of IT is a must. Administrators must be able to tailor anomaly detection to their business’s specific systems and workflows, with capabilities such as customizable filtering and thresholds for each of their backup policies. And, those anomalies must be immediately reported to management, as well as aggregated for future ML/analyzing purposes.
"The next step after detecting the anomaly is providing the ability to recover in the event of a successful ransomware attack. This is best accomplished with an immutable backup copy of data (i.e., object locking) which makes certain that the data backup cannot be altered or changed in any way.”
Aaron Sandeen, CEO and co-founder, Cyber Security Works, warned that ransomware operators show no signs of letting up, and that proactive defense is the right approach to take to this threat:
"Ransomware and other cyberattacks have been used in a variety of ways throughout the year, underscoring the attackers' growing technological sophistication and the threat to businesses throughout the globe. Seemingly enough, cyber-attacking groups are typically successful when they are one step ahead and can exploit system flaws. This Cybersecurity Awareness month, IT leaders must challenge themselves to expand their cybersecurity visibility of known and unknown assets.
"The way for corporations to prevent cyberattacks is through proactive defense. There are already 13 CISA-known exploitable vulnerabilities that need patching by the end of October 2022. One of the steps that businesses can take to avert disaster is to patch the vulnerabilities that threat groups and attackers exploit. Understanding how vulnerable you are to ransomware attacks and monitoring your security posture through continual vulnerability management and proactive penetration testing is essential to fortifying your defenses, especially when new hacking organizations arise."
Why develop zero-days when social engineering works so well?
David Richardson, VP of Product Management at Lookout, discusses the importance of recognizing and reporting phishing attacks: “For nearly 20 years, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) have recognized October as Cybersecurity Awareness Month. This observance is a collaborative effort between the public and private sector to draw attention to the dangers of cyberattacks that threaten individual consumers, businesses, government agencies and our critical infrastructure and essential services. This year’s chosen theme – “See Yourself in Cyber” – underscores the role that everyone plays in improving cybersecurity practices.
"As part of this theme, CISA and NCA recommend several key actions individuals can take to protect their online information and privacy. One of these steps – recognize and report phishing – is perhaps one of the most powerful tactics we have to combat bad actors. Most cyberattacks or data breaches start with phishing, and the number of phishing attempts continues to rise each year. According to Lookout data, exposure to phishing increased 127% between Q4 2020 to Q1 2021. When phishing is used to steal login credentials, it opens up a world of possibilities for the cybercriminals, and a world of hurt for the impacted individual or business. With one set of credentials, bad actors can then try to log in to a number of common cloud-based services such as Office 365, Google Workspace, AWS, Salesforce, etc. Once they’ve successfully logged in to one of these accounts, they can move laterally within an organization and find highly sensitive and valuable information to either encrypt for ransom or exfiltrate to sell on the dark web. Same is true for individual consumers, especially since it’s so common for people to use the same passwords across multiple accounts.
"Phishing attacks have continued to evolve in techniques and sophistication, but the basic approach of trying to create a sense of urgency or impersonating a figure of trust or authority has remained pretty constant. When contacted in this manner, it’s important to take a step back, evaluate the situation and find alternative ways to validate the request. It’s also critical for organizations to implement proper security controls across mobile devices, cloud services and on-prem and private apps, and to enforce Zero Trust across the infrastructure.”
SlashNext CEO Patrick Harr also discusses phishing attacks, noting the importance of understanding phishing threats so that companies and individuals can defend themselves: “We have seen phishing grow from targeted email attacks into a widespread multi-channel problem that has become the top security threat for both organizations and individuals,” Harr said. “In a phishing attack, the bad guys use emails, social media posts, or direct messages to trick people into clicking on a bad link or downloading a malicious attachment. When a phishing attack succeeds, the cybercriminals capture private data and personal information, or they may even install malware directly onto the device to facilitate ongoing attacks.
“These phishing attacks keep evolving with ever-more sophisticated techniques to hack humans, such as through rogue browser extensions, social engineering ploys, and malicious webpages hidden on legitimate infrastructure. In fact, 50,000 new spear-phishing sites go online every day, with many appearing on legitimate infrastructure such as Adobe.com or Dropbox.com. We have also seen a big increase in cyber threats hosted on legitimate Microsoft services that deliver phishing campaigns through Microsoft Teams, OneDrive, SharePoint, and OneNote.
“The best defense to protect against phishing is to remain aware of the problem. It is critical for users to pause for a few seconds to consider the legitimacy of any email or text message before clicking on a link or downloading an attachment. Here are some helpful questions to ask yourself, provided by the National Cybersecurity Alliance:
- “Does it contain an offer that’s too good to be true?
- “Does it include language that’s urgent, alarming, or threatening?
- “Is it poorly crafted writing riddled with misspellings and bad grammar?
- “Is the greeting ambiguous or very generic?
- “Does it include requests to send personal information?
- “Does it stress an urgency to click on an unfamiliar hyperlink or attachment?
- “Is it a strange or abrupt business request?
- “Does the sender’s e-mail address match the company it’s coming from? Look for little misspellings like pavpal.com or anazon.com.
“Over the past decade, phishing has evolved from a general nuisance into a grave security threat that costs large U.S. businesses $14.8 million annually on average in financial losses and lost productivity,” Harr added. “Organizations should adopt automated security systems to identify and isolate phishing attacks before they can cause harm, while also training employees to recognize when they are being targeted by phishing attacks.”
Phishing, of course, is the form of social engineering most often seen. It can be operated at scale, and there's a robust criminal-to-criminal market for phishing kits. Gal Helemski, CTO and co-founder of PlainID, urges that organizations look into the ways in which phishing exploits weaknesses in identity management:
“Adversaries have become increasingly effective in their phishing campaigns as of late and thus this National Cybersecurity Awareness Month, it is critical that organizations reinforce all security infrastructure. When an internal breach occurs where networks are compromised, identity remains the priority challenge. Organizations must adopt a “Zero Trust” approach, which means trusting no one to begin with – and revalidating the identity is approved for access at every stage, based on context. Building a strong defense is fantastic and much recommended as a layer for staying protected against adversaries. However, once a user is compromised, especially one with administrative credentials, they are already in your network and limiting movement is key to avoiding continental damage and risk. This month, organizations should focus on educating against phishing attempts, and investing in an identity first approach as a fundamental concept for cyber security defense.”
User training can't be overlooked in any consideration of protecting an organization from social engineering, argues Arti Raman, CEO & Founder, Titaniam:
“It is our job as cybersecurity professionals to have everyday processes and systems in place and running smoothly so that our data remains secure. However, as hard as we work, bad actors work just as hard and are constantly trying to beat the systems and processes put into place. In honor of National Cybersecurity Awareness Month, I want to highlight how the human element of cybersecurity is often overlooked. The human piece is thought of as a weak link in every enterprise’s security posture, and while it may be true, it can also be a source of power. If we put ourselves in the shoes of others, we can take a moment and reflect on how we would react and respond. When it comes to any of these breaches we have seen recently, it is important to extend empathy to all those involved, and not blame, but rather come together on how we can build stronger protections and alliances against these cyber criminals.”
And the social engineers are most often after credentials.
Justin McCarthy, co-founder and CTO at strongDM, urges organizations to keep credentials out of the adversary's equation.
"The cybersecurity industry is constantly competing to stay one step ahead of adversaries. If the increased frequency of malicious hacks and breaches as of late teaches us anything, it should be that there's risk associated with any use of infrastructure credentials. After all, we're all human, and it's easy to make a small mistake with potentially devastating consequences. In honor of National Cybersecurity Awareness Month, I would urge CISOs and other security leaders to consider adopting modern security and access solutions that remove credentials completely from the equation. Doing so can give security teams peace of mind that login information can't end up in the wrong hands. It also allows employees to focus on day-to-day tasks without worrying about potentially exposing themselves and the company to undue risk."
Ralph Pisani, President of Exabeam, offered some practical advice on credentials and related matters:
“In honor of National Cybersecurity Awareness Month, I wanted to share a few pieces of practical advice for organizations to reduce the risk of credential-based attacks and minimize damage if they do occur:
- "Every employee is a target. Adversaries will often cast a wide net, so it's important that everyone stay on guard and use complex passwords, recognize the signs of a phishing scheme and practice good cyber hygiene.
- "Assume a breach has happened. In all actuality, your systems and employees have already been compromised; and your credentials have been compromised, stolen, and likely resold for future uses. What you need to do now is to detect these attacks at speed to minimize the damage.
- "You can’t find abnormal until normal is known first. Establish a baseline of normal user behavior. Using behavioral detection analytics, you can understand patterns for every user, device and peer group to uncover what is beyond legacy detection capabilities.
- "Security teams are looking for the needle in the haystack, rather than the haystack itself. Taking the time to educate yourself about credential-based attacks and understanding normal user and device behavior can go a long way in bolstering your organization’s security posture.”
Richard Barreto, CISO, Progress, pointed out the importance of creating and handling passwords properly, in accordance with best practices, and of using multifactor authentication. There's no reason to make the attackers' task any easier than it needs to be:
“Strong and unique passwords are first-in-line in any organization’s defense to a network compromise or data breach. Three quarters of Americans are frustrated with the overwhelming number of passwords they need to remember, and the average user has more than 90 online accounts that require credentials. Furthermore, developers are also responsible for maintaining secret keys. To avoid the impact of compromised credentials, it is imperative security teams provide employees and development teams resources to “self-serve” the set-up of a password manager and highlight the benefits of using one. A password manager can help users identify a spoofed website (they will only auto-fill a password to a site’s URL it recognizes) and is a great selling point to many employees. Lastly, if your organization’s budget allows it, prioritizing an enterprise license for employee use is a great ROI in defending your first line.
"Similarly, many recent high-profile breaches have been the result of successful phishing attacks or the malicious use of multi-factor authentication (MFA). Things like preparing employees with how to handle MFA fatigue or deploying a phishing simulation program are easy ways to keep your teams engaged and alert. To initiate measurable change within your organization, training and communication efforts should be consistent and not only focus on behaviors for employees to follow at work but also help protect them at home too. Employees who are more conscious of security best practices in their personal lives will exercise those same precautions at work. Finally, one of the most important actions every organization can take is to create a culture where reporting security concerns is encouraged and praised.”
Advanced authentication can help keep you ahead of advanced adversaries.
Miles Hutchinson, CISO at Jumio, discusses the importance of advanced authentication methods, as well as the importance of protecting personal data: “The cost of data breaches is growing faster than ever before, with the average total cost of a data breach reaching a staggering all-time high of $4.35M in 2022, according to IBM.
“The overwhelming amount of revenue lost and disruption from large-scale cybersecurity breaches in the last year shows just how important it is for organizations to modernize their security practices. In fact, 80% of consumers would be more likely to engage with an organization online if they had robust identity verification measures.
“Cybersecurity Awareness Month encourages security leaders and executive decision-makers to adapt their ways of working to address the increased sophistication of fraudsters as well as the existing and emerging regulations in the cybersecurity industry. In today’s cybersecurity climate, organizations must move away from outdated, obsolete authentication methods and implement more advanced identity verification solutions, like face-based biometric authentication, which confirms online users are truly who they claim to be. Traditional fraud prevention and anti-money laundering (AML) methods lack the efficiency and security that organizations need to protect their customers and corporate assets.
“Cybersecurity Awareness Month is also important for educating consumers on how to safeguard their digital identities and manage personal data consent rights online. These best practices are crucial for helping people keep their data out of the hands of malicious actors while also saving organizations millions of dollars in revenue.”
Don’t overlook the basics.
Avi Shua, CEO of Orca Security, talks about the significance of implementing fundamentals and best practices in cloud security: “National Cybersecurity Awareness Month continues its extremely important tradition of rallying the industry to preach fundamentals and best practices that everyone can take to reduce risks. The threats aren’t going away.
“These best practices must extend to cloud security, which our data shows are not being followed. This starts with one of CISA’s top action steps – updating your software – as we recently found that known vulnerabilities are the initial attack vectors in 78% of attacks via the cloud. We can’t emphasize this enough: patch, patch, patch.
“In addition, 33% of organizations have a cloud provider root account without multi-factor authentication – another key action step that all organizations should take. Always implement Multi-Factor Authentication (MFA) where possible, use strong, unique passwords (including uppercase and lowercase letters, numbers, special characters, and no dictionary words), and rotate passwords frequently.”
Nikhil Gupta, Co-Founder and CEO at ArmorCode, argues that keeping software up-to-date is more important than ever.
"If recent history has taught us anything, updating software is more important today than ever before, especially as zero-day vulnerabilities continue to be discovered at a rapidly increasing rate.
"However, the challenge exists in finding all of the specific instances where updates need to be made, as businesses don’t track every single line of code that goes into every single application, especially years after an organization has already been using an application. In order to find the vulnerable code, they must often scan thousands of repositories (even those that are inactive and could be disregarded). That’s because repositories are created in software, but they aren’t actually deleted–much like finding a bunch of old screenshots or unwanted pictures in your phone's camera roll, making it seem like there is much more to sort through than is necessary. The only real way to address this daunting task is automation. If businesses aren't adopting automation now, they aren't doing what they need to do to protect themselves against the next zero-day attack."
Christopher Rogers, technology evangelist at Zerto, a Hewlett Packard Enterprise company, advises paying particular attention to backup and recovery plans.
“A lot has changed in the 19 years since October was first recognised as National Cybersecurity Awareness Month (NCSAM). With the risk of ransomware attacks now greater than ever before, the significance of cybersecurity protocols - for both organizations and individuals - cannot be overstated. This Cybersecurity Awareness Month offers the opportunity to examine our own internet security habits and ensure that the correct infrastructures are in place to handle the ever-present threat of a cybersecurity attack.
"However, now that the question of a cyber attack is not if, but when, organizations must be prepared for not only the attack itself but also, arguably more importantly, the recovery. Businesses need backup and disaster recovery plans that ensure that they can recover quickly and minimize disruption and data loss - limiting downtime and restoring operations in a matter of seconds or minutes, rather than days or weeks. When it comes to cybersecurity, protection alone is not enough, and a recovery plan should be an essential part of every cyber strategy.”
A call for greater attention to vulnerability management.
Menachem Shafran, VP Product, XM Cyber, thinks that vulnerability management is effectively broken, and that the whole process needs rethinking:
"This Cybersecurity Awareness Month, enterprises need to be more aware of the fact that vulnerability management, though critical, is broken. Every company has thousands of vulnerabilities and exposures, many of which have high scores on the Common Vulnerability Scoring System (CVSS), so it's impossible to fix them all. Risk-based vulnerability management (RBVM) tools theoretically make prioritization easier by clarifying what is exploitable in the wild.
"However, current security prioritization approaches that combine CVSS scores with RBVM threat intel don’t provide anywhere near optimal results – even after filtering, and looking just at what is exploitable in the wild, you still have too much to handle.
"My advice is to go even further than RBVM and start understanding what's actually important and what isn't in the context of your environment, even if in theory, an issue is high risk. All you really need to know is whether or not it's possible for a hacker to access your critical assets. In other words, do your vulnerabilities really matter? If they only affect unimportant machines, i.e., machines that are either non-critical systems or do not generate attack paths towards critical assets, I'd argue that they don't. The key to successful vulnerability management is to identify all the ways an attacker can move throughout your network and reach your business-critical assets. Once you have identified these attack paths, you can focus on locking down chokepoints and stopping hackers before they even get started.”
Yossi Appleboum, CEO of Sepio, advises Tier-1 enterprises to keep vulnerability assessment in mind as they head into 2023. “Cybersecurity is pivotal from any and every perspective. It is our means of safeguarding the most important assets both for businesses and the individual. As we prepare to enter 2023, it will be essential for companies to improve their hardware assets’ visibility, vulnerability detection and successfully mitigate them. Based on our internal data, we predict we’ll see an increase of 39% in the number of assets having a high Asset Risk Factor next year alone, requiring immediate attention.”
Nadav Zafrir, Managing Partner at Team8, offered a realistic perspective on vulnerability management: "Vulnerabilities are everywhere. All software has vulnerabilities; even hardware often has vulnerabilities. The problem of vulnerabilities isn’t getting worse because software quality is decreasing; it’s getting worse because software is doing more and more, which makes it more complex. More complex software has more vulnerabilities. No one is going to achieve security by eliminating or finding vulnerabilities. People are going to achieve security by being able to operate on an infrastructure that has both known and unknown vulnerabilities - which means operating effective preventive and detective controls and also getting good at incident response and recovery from compromise."
Chris Strand, Chief Risk & Compliance Officer at Cybersixgill, sent us an essay on how to understand and implement vulnerability management programs. He wrote:
"Cyber Awareness Month is upon us and we are honored to share some of our best practices for what eCommerce and other organizations can do to enhance their security posture while remaining vigilant to stay ahead of threats as best they can. With the shortage of skills and talent needed to keep up, businesses are at great risk of a breach, which can amount to losses in the millions of dollars.
"It is a good reminder to note that cybercriminals often have the advantage as they are highly motivated and not bound by the many required compliance and regulatory mandates. In the fight against cybercriminals, threat intelligence can be a useful ally, enriching the process of audit and assessment, and providing proof of security controls enforcement that is required for security and compliance."
Resources aren't unlimited, and Strand offers a set of summary recommendations for businesses who want to achieve affordable vulnerability management. "For the best protection given limited resources Cybersixgill recommends businesses take critical steps as follows:
- "Prioritize vulnerabilities beyond what’s offered by the Critical Vulnerability Scoring System (CVSS), which is often slow to score threats and only measures the estimated severity – but not risk – of exploitation.
- "Keep up with ongoing changes in data privacy legislation, which can be burdensome and overwhelming, yet is of utmost importance in ensuring security measures are continually updated.
- "Monitor threat activity on the Dark Web to better understand how cyberattacks are performed, know if your business systems are being targeted, which attack tools are for sale and being purchased, and the success rates of current cybersecurity campaigns."
"Proactive vulnerability and gap analysis is key in helping companies meet the reduced timeframes for notification of a breach. Accelerated prioritization of security gaps can play a major role in helping to identify potential security incidents faster, or they can help identify a targeted attack before it takes place. Many cybersecurity regulations and compliance standards now also include vulnerability prioritization in their requirements.
"The easiest way to achieve and fulfill the vulnerability prioritization requirement is to proactively understand one’s enterprise assets to the point where security hot spots - or gaps - are revealed at a faster rate. If that awareness can be driven by the need to demonstrate alignment with a 36-hour breach reporting window, then it can have a positive effect on driving the needed change across the market."
The importance of developing cybersecurity professionals.
Sally Vincent, Senior Threat Research Engineer at LogRhythm, wrote to emphasize that we shouldn't underestimate the importance of developing the right community of cybersecurity professionals:
"Cybersecurity Awareness Month is a timely reminder for organizations about the importance of effectively detecting and responding to threats. According to VentureBeat, the number of cyberattacks in 2022 has increased by almost three million. Attacks against the healthcare and government sectors have especially spiked this year, with threat actors compromising organizations like the California Department of Justice, the Dominican Republic’s Instituto Agriculturo, CorrectHealth, the Behavioral Health Group, and more. One of the reasons for the increase in cyberattacks is staffing shortages.
"According to Cybersecurity Ventures, the need for cybersecurity professionals has grown rapidly since the pandemic, while the number of unfilled cybersecurity jobs has grown worldwide from 2013 to 2021 by 350%. While the aftermath of the pandemic has certainly impacted the cybersecurity industry, other factors – such as professionals lacking the proper credentials – have challenged hiring in the cybersecurity industry.
"This year’s Cybersecurity Awareness Month focuses on the people that keep our industry running. It is essential for the right people to take charge in strengthening their organizations’ incident response plans to efficiently mitigate the effects of a cyberattack. The right people also need to ensure that their organizations implement password hygiene, threat detection capabilities, and preventative and response controls. With these changes, organizations can thwart malicious cyberactivity, have full visibility into their IT environments, and ensure the day-to-day processes of IT systems run without disruption."
Kathryn Kun, director of information security at Forter, thinks that the much discussed "skills gap" is really a recruiting issue, and that people from a wide variety of backgrounds can quickly and usefully contribute, provided an organization can see their potential:
“The legend of the ‘skills gap’ has been permeating the cybersecurity industry for quite some time. More and more technical leaders in the last few years have questioned whether or not it exists. Research seems to say yes, with industry analysts predicting that the digital skills gap will leave about 85 million jobs unfilled by 2030, but it doesn’t paint a complete or accurate picture. In all actuality, the skills gap is just a recruiting gap, where companies fail to look beyond limiting job qualifications or the usual candidate pools to include individuals with not-so-traditional backgrounds that could have given them desperately needed skills.
"In fact, my own path to security was unorthodox. I have degrees in philosophy and chemical engineering; and spent the majority of my early career without ever considering a role in cybersecurity. But it’s precisely the skills I mastered in these disciplines that have helped me carve out a place in information security.
"In honor of this year’s National Cybersecurity Awareness Month theme, ‘See Yourself in Cyber,’ I would like to encourage company leaders to think outside of the box and see how other job roles such as librarians, educators, sales and communications professionals, HR and civil service workers and more could fit into the security field. Because as long as we keep hiring from a limited perspective and one-size-fits-all resumes, we will continue to do the greater cybersecurity industry a disservice. Examining what skills we need to hire for, and focusing on where else we can find those skills will only strengthen our ability to fight against adversaries.”
Gunnar Peterson, Forter's CISO, agrees with his colleague, and thinks an appreciation of the threat leads to consideration of neurodiversity in recruiting.
“In the cybersecurity world, there is a quote that ‘defenders think in lists, attackers think in graphs.’ It means that an adversary’s ability to find unexpected connections gives them the upper hand over those defending the system. After all, attackers are known for thinking outside of the box, which is why complex passwords and multi-factor authentication (MFA) by themselves do not solve the rising data breach numbers. To respond, defenders need to think differently.
"National Cybersecurity Awareness Month also coincides with Dyslexia Awareness Month. On the surface, it may seem like the two aren’t related. However, neurodiverse individuals are a huge asset to security teams, bringing unique perspectives to problem-solving and breaking the cycle of group think. Seeking out neurodiverse teammates in hiring, and recognizing and building around their strengths can be a vital asset to anticipating an adversary’s moves and uncovering potential solutions to problems before they arise.
"This is a growing challenge for certain organizations, and I hope this month is a wake-up call for security managers to widen the aperture in ways of working and dismantle the systems that are set up to develop and reward cookie-cutter operators. Neurodiversity is a security strength and we should collectively work to foster a more inclusive industry for everyone.”
Remote work increases the importance of cybersecurity. (Or, WT*? WFA!)
Don Boxley, CEO and Co-Founder, DH2i, points out that work-from-home has now become work-from-anywhere, and organizations need to recognize and plan for this.
“Today, work-from-home (WFH) has evolved into work-from-anywhere (WFA), to the delight of employees and their employers alike. The benefits of this new work paradigm for employees include the flexibility to choose work hours, getting more work done in less time, and a decrease in work-related expenses, and of course a better work/life balance. For employers, the benefits include higher productivity, a larger talent pool from which to draw, increased job satisfaction, more engaged employees and a lower turnover rate, as well as significantly reduced overhead expense. (And by the way, happy employees lead to happy return customers.)
"This ties back to this year’s CyberSecurity Awareness Month theme which reminds us that it's really all about the people. However, it's also all about the technology that we invest in to support our people’s success.
"To take a step back, the evolution from an onsite work model, to the new paradigm of WFH or WFA, as well as hybrid, wasn’t without its challenges. Perhaps one of the biggest bumps along the way was figuring out how people could WFH not only productively, but securely. At the beginning of the transition, many organizations were forced to depend upon their virtual private networks (VPNs) for network access and security and then learned the hard way that VPNs were not up to the task. It became clear that VPNs were not designed nor intended for the way we work today. Both external and internal bad actors were and are still exploiting inherent vulnerabilities in VPNs. Instead, forward looking IT organizations have discovered the answer to the VPN dilemma. It is an innovative and highly reliable approach to networking connectivity – the Software Defined Perimeter (SDP). This approach enables organizations to build a secure software-defined perimeter and use Zero Trust Network Access (ZTNA) tunnels to seamlessly connect all applications, servers, IoT devices, and users behind any symmetric network address translation (NAT) to any full cone NAT: without having to reconfigure networks or set up complicated and problematic VPNs. With SDP, organizations can ensure safe, fast and easy network and data access; while slamming the door on potential cybercriminals.”
Raffael Marty, EVP and GM of Cybersecurity at ConnectWise, wrote to describe how he sees the evolution of the workplace having affected cybersecurity practices:
“The workplace has undergone an evolution in recent years. The added complexities of new technologies such as BYOD and the continued penetration and adoption of SaaS applications, combined with the overnight shift to work from home practices and constantly changing regulations, have left many businesses struggling to keep up. All the while, the increased threat of cybersecurity attacks looms over businesses, with over three-quarters of Small and Medium sized Businesses (SMBs) reporting that they have been impacted by at least one cyber attack in 2021.
"Having solid cyber security policies is critical for all organizations in today’s digital age. For SMB’s who lack the expertise and resources in-house to defend themselves against threats, the risks can be difficult to manage. Gone are the days when SMBs were considered "immune" to cyberattacks. For these organisations, partnering with a Managed Service Provider (MSP) makes it possible to protect their systems and data from an attack. No matter the security products and services a business consumes, there are four cost-effective elements that every business needs to implement to ensure success:
- "Incident preparedness: It’s not if but when an attack will occur. Being prepared for the possible incident is key. The ability to swiftly react to an incident can make a significant difference to business operations. Understanding points of contact, process owners, and decision makers in the case of an incident will assist in quickly containing a threat and bringing the business back operational.
- "Patch management: Patch management may seem complicated, but it really isn’t. Whether done manually or with a solution, software updates and patches should be promptly installed - not just on laptops and servers but also on firewalls and other network devices such as routers, APs and office equipment.
- "Password hygiene: Whilst often taken for granted, passwords are the first line of defence against malicious activities in the digital space. Using different passwords for different sites and services, regularly changing passwords, and implementing Multi-factor authentication (MFA) where possible, is key.
- "Backups: To have and to test from this day forward. Not only do organisations need to test their backups regularly to ensure they work, but they should also be stored offline on a regular basis.”
Jeff Sizemore, chief governance officer at Egnyte, sees the changes in the workplace combining with the data environment to present organizations with new security challenges:
“In today’s hybrid work environment, companies across business disciplines and industries are navigating increased cyberattacks and rapidly-evolving data privacy regulations amid explosions in data volume and usage. Unfortunately, many organizational stakeholders do not understand how to properly secure and manage their mission-critical data.
"This Cybersecurity Awareness Month and beyond, organizations should take proactive steps to enhance cybersecurity, such as updating incident response plans, prioritizing company-wide cybersecurity awareness training, and limiting access to critical data on a ‘business need to know’ basis. It’s time that cybersecurity is no longer considered to be an optional budget line-item. Cybersecurity is not just something that highly regulated industries or critical infrastructure need to be concerned with; today’s environment has made this a necessity for all organizations, no matter the size or tenure. By further educating employees and executive management on the importance of data security and governance, companies can be better protected against potential threats like ransomware.
"Finally, organizations should put technology on their side to provide a single source of truth for all structured and unstructured data. Not only does this enable secure file collaboration, but it allows companies to better understand where their data lives, how it’s used, and who has access to it.”
Craig Lurey, CTO and Co-Founder of Keeper Security, points out that things can still be cloudy in the cloud.
"The COVID-19 pandemic ushered in a new era of remote and hybrid work, and with it, an explosion of cloud technologies in the workplace. Now, organizational data is distributed with more endpoints than ever before. At Keeper Security, we recently surveyed business leaders in the U.S. to get their take on key cybersecurity issues, and found that only 32% have plans to adopt a zero-trust and zero-knowledge security approach. This stat is alarming, as zero trust is the only realistic framework for securing modern, cloud-based data environments and distributed workforces. To achieve security, organizations must implement a cybersecurity platform that provides full visibility, security and control across their entire data environment."
Gil Azrielant, Axis co-founder and CTO, outlined the three biggest classes of threats in a hybrid work environment:
“Ransomware, social engineering attacks, and malware are the top three concerns of VPN in a hybrid work environment. Replacing VPN with ZTNA is an easy, and quick, win for IT - making it the perfect way to provide immediate value. ZTNA services are simple to deploy, allow network leaders to deliver a more seamless user experience, and empower security to better protect data - even as it's accessed beyond the confines of the corporate network. This is why 80% of companies are actively looking to replace VPN with zero trust services."
MarKeith Allen, Senior Vice President and Managing Director of Mission Driven Organizations at Diligent, emphasizes that successful collaborative environments need to be structured for secure use:
"In 2022, collaboration tools are more important than ever, however, we need to be sure that their security is not neglected as our reliance on them grows. Collaborative technologies are frequently used without restriction, creating shadow IT that enhances the danger of internal leaks when access privileges and security regulations weren't strictly adhered to or enforced. As employees navigate their new hybrid or at-home working environments, a lack of consistently applied cybersecurity practices can follow and possibly lead to bad outcomes.
"Open communication channels, such as Slack, messaging, and personal email, are excellent for informally exchanging information, but they frequently lack the security or access rights required for private discussions between executives, the board, legal, HR, risk, and compliance departments. Organizations require secure working conditions and workflows that enable them to transmit extremely sensitive information without fear of it being unintentionally diverted, forwarded, leaked, or even stolen. Additionally, the system must be user-friendly and practical so that executives stick to its workflows and procedures rather than straying to other systems and jeopardizing security. These actions go a long way toward reducing insider threats if they are taken."
George Waller, co-founder and EVP of Zerify, shared some observations about hybrid and remote work:
“At Zerify, cybersecurity is something we are constantly vigilant about and have been highly dedicated to ensuring - and continually improving - for over two decades. While it's more than a month-long focus in our eyes, we are glad cybersecurity is getting the world's attention in a time when hybrid and remote work environments support critical communications, and video conferencing takes place from multiple locations and even multiple unknown devices. We hope that as the usage of collaborative communications increases - and the world continues to rely on video conferencing platforms - Cybersecurity Awareness Month will be a time to hone in on greater capabilities to secure organizations, ensuring Zero Trust across platforms, greatly reducing breaches and hacks and thwarting the efforts of bad actors across the globe.”
Among other things, protecting data now means effectively and securely backing data up. Steve Santamaria, CEO, Folio Photonics, urges paying attention to back-up in particular:
"Cybersecurity-urgency is gripping the private and public sectors, as data now represents a strategic asset to almost every organization. Yet, while from IT to the C-suite it is agreed that the possibility of a cyberattack poses a highly dangerous threat, many would admit that they are probably ill prepared to fully understand and address all of the threats, in all of their forms, today and in the years ahead.
"Today, a multi-pronged strategy is the most common approach to protect against cybercrime. This usually includes a mix of security software, malware detection, remediation and recovery solutions. Traditionally, storage cyber-resiliency is found in the form of backup to hard disk and/or tape. Both media have relatively short lifespans and can be overwritten at a material level. They also offer distinct advantages as well as disadvantages. For instance, tape is less expensive but it has very strict storage and operating conditions. And disk offers a potentially much faster restore time, but the cost can be exorbitant. For those that have the flexibility to do so, they may be forced into picking-and-choosing what they save, and for how long they save it.
"What’s required is development of a storage media that combines the cybersecurity advantages of disk and tape. A solution that can ensure an enterprise-scale, immutable active archive that also delivers write once read many (WORM) and air-gapping capabilities, as well as breakthrough cost, margin and sustainability benefits. Affordable optical storage is the answer, as it is uniquely capable of leveraging today’s game-changing advancements in materials science to create a multi-layer storage media that has already demonstrated the major milestone of dynamic write/read capabilities. In doing so, it can overcome historical optical constraints to reshape the trajectory of archive storage. Ideal for datacenter and hyperscale customers, such a next-generation storage media offers the promise of radically reducing upfront cost and TCO while making data archives active, cybersecure, and sustainable, not to mention impervious to harsh environmental conditions, raditiation, and electromagnetic pulses, which are now being commonly used in cyber-warfare.”
Surya Varanasi, CTO, StorCentric sees that, when protecting data, it's important to know how the threat actors work against you. It's not so much who dunnit as how're they gonna do it.
“As an IT professional, CyberSecurity Awareness Month reminds us how critical it is to continuously educate yourself and your workforce about the malicious techniques used by cybercriminals, and how to practice proper cyber hygiene in order to decrease potential vulnerabilities.
"Today, the process of backing up has become highly automated. But now, as ransomware and other malware attacks continue to increase in severity and sophistication, we understand that proper cyber hygiene must include protecting backed up data by making it immutable and by eliminating any way that data can be deleted or corrupted.
"An Unbreakable Backup does exactly that by creating an immutable, object-locked format, and then takes it a step further by storing the admin keys in another location entirely for added protection. Other key capabilities users should look for include policy-driven data integrity checks that can scrub the data for faults, and auto-heals without any user intervention. In addition, the solution should deliver high availability with dual controllers and RAID-based protection that can provide data access in the event of component failure. Recovery of data will also be faster because RAID-protected disk arrays are able to read faster than they can write. With an Unbreakable Backup solution that encompasses these capabilities, users can ease their worry about their ability to recover — and redirect their time and attention to activities that more directly impact the organization’s bottom-line objectives.”
Melissa Bischoping, Director of Endpoint Security Research at Tanium, commented, “Today’s organizations are dealing with immense attack surfaces and a deluge of security tools at their disposal. Despite the tightly packed market, data breaches are still on the rise, and cybercriminals are constantly on the hunt for the weak link in the organization – often through the thousands of endpoints businesses must manage. For organizational risk to truly be reduced, the silos across business units need to be broken down. A complete understanding of how your business uses both data and technology to build a secure design will ultimately result in more secure and efficient business operations. Cybersecurity is, after all, a business operations issue and must be approached as one.”
Carl D’Halluin, CTO at Datadobi, urges a look at orphaned data.
“Orphaned data, or data that lives in an organization’s network but was created and owned by a now deactivated employee, is a major problem that almost every enterprise across all industries is facing. Holding onto data that isn’t owned by anyone, and that IT leaders have no visibility into, can introduce major risk to a company because of the data’s unknown content. This National Cybersecurity Awareness Month, IT leaders should focus efforts on managing their unstructured data to eliminate costly and risk-inducing orphaned data. We recommend that IT teams look for an unstructured data management platform with key capabilities. These include the ability to expose where orphaned data exists, search for and tag all of this data, and then take action to migrate or delete all orphaned data. With better visibility into and management of their data, organizations can stay secure this October and beyond.”
Richard Bird, Chief Security Officer at Traceable AI, suggests we draw some lessons from the analogue, the kinetic world, that is, from how we live in real life. “Take a moment and consider how you operate in your analog (IRL) life when it comes to security," he said. "You wouldn't leave a notepad with all of your important personal data, alarm codes and passwords in the middle of your yard. You wouldn't spread your tax returns or health records out on the dining room table for all of your friends and visitors to see. Take the conscious lessons about personal security that you already know and do in real life and just simply apply that same level of attention to your digital security.”
Do you know where your data are? Amit Shaked, co-founder and CEO of Laminar, thinks you should:
“In our multi-vendor, multi-cloud world, it has become more challenging than ever for companies to have visibility into where their data resides, who has access to what, and why. This has caused more than one in two organizations to experience a breach in the past two years, and thousands of sensitive data files to be extorted and leaked on the Dark Web.
"With October being National Cybersecurity Awareness Month, I only have one question for security leaders: 'Do you know where your sensitive data lives and do you have the tools and resources to manage it?'
"To safeguard against a majority of today’s data breaches, organizations must have complete data observability and adopt a data-centric approach to cloud security. After all, how can you protect what you can’t see? Prioritizing visibility helps security teams understand where an organization’s most sensitive data is, whether or not it has proper controls in place, if it is being monitored or not and reduces the risk of ‘shadow’ (unknown or unmanaged) data.”
Moty Kanias, VP of Cyber Strategy & Alliances at NanoLock Security, points out that privacy isn't the only thing at risk in a data breach:
"A breach of privacy is hardly all you have to worry about when hit with a cyber-attack. Cyber criminals nowadays can do much more than snoop around personal information. They can falsify your personal credit history, use your information for a shopping spree, use your accounts to cover tracks for other illicit behavior, and even inject your personal data into crime scene forensics. Stay alert and carefully manage all your cyber interactions.”
Considering identity protection.
Julie Smith, Executive Director of IDSA, noted the relationship between identity management and defense against credential theft:
“At a time when the number of identities enterprises have to protect is increasing, organizations face additional pressure to implement strategies that will help prevent credential theft and make access and authentication decisions more intelligent. In our research, IDSA has found that the consequences of identity-related breaches can be severe, including direct business impacts such as revenue losses and reputational damage. With this reality as a backdrop, it should be no surprise that many organizations view managing and securing identities as one of the top priorities of their security program.
"Security has to be a true enabler. Just as customers need to do their part by utilizing secure passwords and patching their devices, enterprises need to create an experience where customer identities and data are properly safeguarded against attacks.
"Identity security is everyone’s responsibility. It is up to us all—enterprise leaders, consumers, employees, vendors, and partners—to recognize the role we have to play in protecting identities and data. While October may be the month we recognize cybersecurity awareness, it is a year-long task.”
Paul Kincaid, VP of Information Security and acting CISO of SecureAuth, draws attention to the importance of user experience in employing identity management:
“We see users struggling with 'MFA fatigue' due to the overuse of MFA – the average user is asked to authenticate over 17 times daily – and due to stovepiped systems that result in inconsistent processes for the end-user. These systems don’t share authentication information among different stovepipes, and timeout periods force the user to authenticate repeatedly. This MFA fatigue means users are taking shortcuts, making them vulnerable to hackers and compromising security.
"Another issue is 'push fatigue'. From news to social apps, the number of times a user is pinged on their device inadvertently can result in hackers taking advantage of this. Again, user experience suffers and security is negatively impacted.
"In response, I suggest organizations deploy invisible authentication. By leveraging the power of modern analytics, invisible MFA can provide greater security at authentication. Passwordless and biometric options can be a game changer in this respect: AI/ML can perform thousands of back-end checks in seconds, continuously authenticating through digital fingerprint matching and peer review. This will reduce the significant cost of reset and help desk assistance, and more importantly, avoid the creation of attack vectors, like legacy MFA pushes, that are all too easily exploited by hackers.”
Wade Ellery, VP of Solution Architects and Senior Technical Evangelist at Radiant Logic, sees a comprehensive management of identity as foundational:
“The first step to improving your cybersecurity posture is to gain end-to-end control of Identity. The phrase is getting worn now, but “Identity is Still the New Perimeter”, as most of the traditional layers for securing resources—firewall, passwords, etc.—are no longer effective enough. Managing the identities, be they people, NPEs, or IOT, is the last line of defense. The journey is towards Zero Trust: least privileged access and dynamic authorization at the time of request. Delivering on Zero Trust across the architecture requires a highly scalable, available, performant, and accurate source of granular identity data aggregated from multiple disparate sources of truth. You can start building this source of truth now, and expand it as the Zero Trust architecture matures.”
Ricardo Amper, Founder and CEO of Incode, points out that biometric systems are growing in importance, and merit close attention:
"Biometrics are increasingly being used across sectors to optimize security. As biometric data is directly tied to an individual, credentials are not easily compromised, providing a secure layer of protection for people's sensitive data. For example, the face can be used at all times, in all places, and in all types of transactions as a pass key. In 2023, sectors from fintech to healthcare, sports to tourism will increasingly turn to biometric digital identity verification for high security, reliability, and speed to strengthen security. Biometrics will revolutionize the way we interact with institutions and companies to make our daily lives easier and safer."
A case for strategic security spending.
Matt Warner, CTO and Co-Founder of Blumira, advises businesses to make their security investments in a way that's informed by strategy, with a view to improving security as the business matures.
"Businesses should invest in products that improve security maturity over time, rather than taking a “more is better” mindset and layering on shiny new security tools. In particular, small and mid-sized businesses (SMBs) should prioritize implementing tools that increase efficiency for small, busy, or overworked IT or security teams—rather than using solutions that generate noisy alerts triggered by known safe activity—so small teams can focus their attention on legitimate threats for faster time to resolution. Alert fatigue can lead to burnout and cause IT teams to miss critical alerts, which can create dangerous security gaps. Investing in solutions that meet an organization’s needs, and fit within their available budget and resources, is key to preventing and mitigating cybersecurity breaches and ransomware attacks."
Three experts from Mend wrote to offer advice on choosing and using security products and programs. Chris Lindsey, Senior Solutions Architect at Mend, wrote about the importance of choosing the right security tools:
“Implementing an effective security posture starts with ensuring you have the right tools to tackle the current problem you are looking to address. A tool that was released a few years ago could have been great at the time, but it might have not had changes made to it since then or updates may have not been implemented to stay current with the trends. Knowing that your tool still stands up to what you need it to do is important — otherwise, you may be wasting money and resources on something you haven’t realized has become obsolete. A simple refresh can mean the difference between a secure organization or becoming the latest victim of a cyberattack.”
His colleague at Mend, Jeff Martin, VP of Product, advises paying attention to mitigation from the outset, and not waiting until something's become a problem:
“Some organizations view security as an 'I’ll fix it later' problem, versus prioritizing mitigation of the issue in the first place. That’s a risky, expensive mentality — ransomware payment amounts are up 12.7% from just two years ago, with an all-time high average cost of a data breach estimated at $4.35M. Further, putting security on the backburner inevitably creates a backlog of issues that will need resolving eventually, leaving engineers in an endless cycle of fixing. There is too much emphasis on detecting (acting reactively) and not enough time spent remediating (acting proactively). This Cybersecurity Awareness Month is an opportunity for organizations and teams to understand and prioritize remediation, which can transform your business from an easy target to a well-oiled machine, ready to thwart any potential threat.”
And a third expert from Mend, Daniel Elkabes, Vulnerability Research Team Leader, recommends doing what you can to make the developers' lives easier. And, of course, evaluating the kind of training they receive is also vital:
“Developers are under a lot of pressure to get software, applications, and products out quickly. Expedited work timelines, increased demands, and simple human error can result in developers unintentionally using open source code that has malicious packages, opening the doors for threat actors to sneak in. Cybersecurity Awareness Month is an important time for organizations to re-examine the security training they offer to employees, particularly those whose team members are not part of the security team. For developers, organizations should prioritize hands-on, visual training so developers can see how quick and easy it is for something to go wrong from a simple coding mistake. This will help reiterate the importance of regularly managing open source components and all their dependencies, and how this helps avoid putting the organization at risk. In addition, developers should proceed carefully and dedicate more time to ensure they’re implementing the correct packages that are free of any malware or vulnerabilities. To do so, developers should view the package to ensure that it is safe.”
Dave Burton, CMO of Dig Security, reminds organizations that solutions built for particular environments and specific kinds of data are unlikely to adapt easily as an organization evolves:
"The modern data security landscape, with the number and variety of data assets per organization exploding, calls for new protection strategies. Solutions built for specific clouds and data types do not suffice as more and more businesses use multiple clouds. To keep up with emerging threats and secure their critical data, businesses need a solution that can cover any cloud and any data store. New technology like data security posture management (DSPM) is a great start to assess static risks and security posture, but real-time detection and response has become essential to actively protect sensitive data from a breach."
Some thoughts on working securely in the cloud.
Doug Dooley, COO of Data Theorem, wrote to offer some extensive advice on operating securely in the cloud.
"With cloud environments, companies face data protection challenges around more regulations, a higher rate of data loss, and an increase in the number of attacks. As more organizations shift to the cloud, securing those cloud environments has become a top priority.
"In order to protect their cloud environments, organizations need to get their arms around security and visibility for their software-as-a-service (SaaS), platform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS) clouds. There are many tools available that can help organizations provide security for their cloud environments, including Cloud Security Posture Management (CSPM), Cloud Native Application Protection Platform (CNAPP), and more – it almost seems like an acronym alphabet soup. One of the newest is CNAPP, which Gartner introduced as one of its cloud security categories in 2021.
"It’s clear that developers need to understand an application in order to protect the app in the cloud. Different than on-prem, securing cloud-native applications involves a continuous set of processes focusing on identifying, assessing, prioritizing, and adapting to risk in cloud-native applications, infrastructure, and configuration. CNAPPs are emerging to offer a systematic approach to identity and entity management, and they embrace a least privileged, or zero trust, security posture.
"What is the different between CSPM and CNAPP, and do companies need both?
"A CSPM protects workloads from the outside by assessing secure and compliant configurations of the cloud platform’s control plane. CSPM tools are especially helpful for administrators, allowing them to work more efficiently and effectively. CSPM tools help to reduce overhead and also eliminate friction and complexity across multi-cloud providers and accounts.
"On the other hand, a CNAPP’s purpose is to scan workloads and configurations in development and to protect them at runtime. Using a CNAPP allows organizations to implement complete end-to-end security for cloud-native environments, rather than having to stitch together multiple solutions that address specific, discrete security issues.
"A CNAPP’s strength is that it combines the capabilities of several cloud security categories (remember our acronym alphabet soup?), including CSPM, developer security posture management (DevSPM), shift-left artifact scanning, infrastructure-as-code (IaC) scanning, Kubernetes security posture management (KSPM), VM IAAS, cloud infrastructure entitlements management, and runtime CWPP. Additional CNAPP advantages include:
- "CNAPPs provide unified visibility for SecOps and DevOps teams.
- "They offer a set of capabilities to respond to threats and secure cloud-native apps.
- "They provide automation of vulnerability and misconfiguration remediation.
- "A CNAPP identifies and prioritizes all workloads, data, and infrastructure across endpoints, networks, and cloud based on risk.
- "They guard against configuration drift and supply vulnerability assessments across VMs, containers, and serverless environments.
- "They enable organizations to build policies based on zero trust and observe behaviors to eliminate false positives.
- "They prevent cybersecurity threats by decreasing the number of cloud misconfigurations.
- "They offer infrastructure and application security.
"In addition, CNAPP provides advanced insights that improve detection rates and reduce false positives. These insights can be generated by correlating posture misconfigurations with workload alerts or over-entitlement. CNAPP helps with these problems and more. By offering a single converged tool with multiple security capabilities for applications and services, enterprises can reduce risk, overhead and operational costs.
"The current dispersed tool approach is time consuming for IT teams, creates friction between Security and Development, and forces teams to work in silos. In addition, misconfigurations between tools that are stitched together could increase the attack surface by creating additional vulnerabilities. With the limitations of the current tools, enterprises cannot successfully implement cloud-native security. Companies need much more than just CSPM. This month, and all throughout the year, it’s important to be aware of the differentiation and advantages offered by the latest in emerging security approaches, like CNAPP."
Protecting critical infrastructure from cyberattack.
Konrad Fellmann, CISO and VP of IT infrastructure, Cubic Corporation, wrote to advocate a cooperative approach to protecting critical infrastructure. Working with companies, industry groups, and standards bodies is essential, he thinks, to securing that infrastructure:
“We are living in a time where every person and business is vulnerable to cyber threats. Mass transit agencies are no exception—in fact, they are appealing targets simply because, as part of the critical infrastructure, they help U.S. commerce and cities to run. If a transit agency is shut down and we can’t move people or goods, the criminals claim victory.
"Another top goal for malicious hacks on transit agencies is getting a ransom paid. This is why we consider ransomware to be a significant threat. It’s also why we’ve seen cyber liability premiums rise nearly 300 to 400% over the past couple years. The good news is, while most transit agencies already had some cybersecurity measures in place, the new regulations put forth by the TSA are helping to further establish a standard for security in the transit sector. Additionally, programs like National Cybersecurity Awareness Month are effective at helping to educate everyone on proactive measures for preventing breaches.
"To that end, Cubic’s number one priority is maintaining the trust, security and privacy of our customers, their patrons and data. We are very focused on ensuring data protection and supporting the use of security best practices across everything we do. For example, we certify to industry standards such as the Payment Card Industry Data Security Standard (PCI-DSS) and ISO 27001 in order to ensure and verify the effective implementation of strong security controls. We also maintain close working relationships with multiple cyber industry associations and government agencies to stay aware of ongoing trends and gather threat intelligence to continually improve our security posture.”
And don't neglect the Internet-of-things.
Things need securing as well as data, and the manufacturing sector and other industrial operations are realizing that they, too, are at risk. Three NanoLock executives shared their thoughts on the challenges of the IoT, the IIoT, and OT.
David Stroud, Head of Europe & APAC at NanoLock, warns of the disconnects within industrial organizations in particular that can lead to cyberattacks being overlooked or neglected:
“Many ICS/OT attacks go undiscovered because cyber specialists that search and track cyber incidents are typically not present at the factory and production line level. Production line malfunction incidents that have actually originated from cyber incidents are therefore frequently treated as operational / technical problems. This incorrect diagnosis leads to insufficient solutions. Proper security solutions can only come from strengthening relationships between operations and cyber security teams within an organization, and the adoption of zero trust strategies that prevent unauthorized access to critical data.”
Nitzan Daube, NanoLock’s CTO, sees the efficiencies connectivity brings coming with increased risk, as the isolation of legacy OT systems continues to erode:
“The manufacturing world is connecting everything in order to empower productivity and efficiency, and this shift into Industry 4.0 has essentially erased the concept of standalone, isolated OT networks. To keep pace, industrial companies must realign their security posture to the central premise that cybersecurity is everyone's responsibility and no one can be trusted implicitly.”
Vladimir Rizberg, Global Business Development Lead at NanoLock, reminds utilities in particular to take zero-trust principles seriously:
“Cybersecurity incidents happen to everyone eventually, including utilities. Taking action to prepare for and preempt these incidents with zero trust principles down to the device will dramatically lower your risk – and likely your cybersecurity insurance premiums too.”
Advice from NIST during Cybersecurity Awareness Month.
The US National Institute of Standards and Technology (NIST) has advice on offer during October, including posts with general advice on staying safe online, the specific importance of keeping software up to date, and how to recognize and report phishing.
And, finally, CISA's advice for Cybersecurity Awareness Month.
The US Cybersecurity and Infrastructure Security Agency (CISA) is offering advice to a broad category of users during Cybersecurity Awareness Month. In an email this afternoon, CISA recommended:
- "For individuals and families, we encourage you to See Yourself taking action to stay safe online. That means enabling basic cyber hygiene practices: update your software, think before you click, have good strong passwords or a password keeper, and enable multi-factor authentication (meaning you need “More Than A Password!”) on all your sensitive accounts.
- "For those considering joining the cyber community, we encourage you to See Yourself as part of the cyber workforce. We’ll be talking with leaders from across the country about how we can build a cybersecurity workforce that reflects the diversity of our nation, and one equipped to deal with the increasingly complex and challenging cyber threat landscape.
- "For our partners in industry, we’re excited to work together to build a more secure and resilient technology ecosystem through real-time operational collaboration, enhanced visibility and data sharing, and products engineered secure-by-design so we can collectively reduce risk to our nation and protect the critical infrastructure that Americans rely on every day."
Other resources worthy of attention are the State and Local Cybersecurity Grant Program (administered by CISA), the 5G Challenge (administered by the Department of Commerce's National Telecommunications and Information Administration), and CISA's account of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
CISA added to and updated its set of resources for Cybersecurity Career Awareness Week:
- Cybersecurity Awareness Month Video
- Cybersecurity Workforce Training Guide
- Cyber Career Pathways Tool
- Cyber Career Cards
- General Public Cyber Trainings
- Cyber Safety Videos
- Critical Infrastructure Operators Training – Industrial Control Systems, Incident Response, Continuous Diagnostic and Mitigation
- Cyber Challenges and Games