October is coming to an end – and so is Cybersecurity Awareness Month. Eighteen years ago, Cybersecurity Awareness Month was first launched by the Department of Homeland Security and the National Cyber Security Alliance. Since then, it has been acknowledged every October with the aim of educating the general public on the latest cybersecurity threats and how to protect against them.
This year, CyberProtection Magazine spoke to ten industry experts to gather their advice on how we can all do our part and stay #CyberSmart.
Ransomware is on the rise
Of all the forms of cyberattacks circulating at the moment, one of the most costly is ransomware.
“Saying that ransomware attacks are growing in severity and volume is an understatement,” explains Andy Fernandez, Senior Manager, Product Marketing at Zerto, a Hewlett Packard Enterprise company. “Hackers are finding ways to prolong unplanned downtime and increase data loss, and getting operational (back up and running) as quickly as possible is key. Yet legacy data protection solutions aren’t focused on the speed of recovery—only on recovering that data. Many organisations pay the ransom simply because of how long it would take their backup systems to restore encrypted data. While restoring the encrypted data is paramount, meeting those SLAs must have equal priority within the modern organisation. Organisations cannot afford to wait days for critical applications to be up and running. From web experiences to employee tools, time is money and reducing unplanned downtime is key.”
Aside from ransomware, some of the greatest challenges facing organisations in 2021 are fraud and phishing attacks. These kinds of attacks can be less costly, but are incredibly prevalent and target anyone indiscriminately.
One way to fight these threats is through the use of sophisticated AI. Martin Rehak, Founder and CEO, Resistant AI details: “by continuously assessing transactions, anomalies in customer behaviour within, across, and between sessions may alert teams to fraudulent activity in the moment, or that may have occurred in past weeks, months, or even years. These anomalies could be behavioural, device characteristics, relating to Internet and/or financial service providers, contact information, geo-locations, spikes of related activity, unusual switching between accounts… The list goes on… All of these behaviours that deviate from the expected could be symptomatic of criminal activity which AI can block, pushing criminals to the sheer limit of their ability.”
When it comes to phishing attacks, education is key. “Security leaders simply cannot overlook the importance of educating employees to keep the organisation watertight,” emphasises Gary Cheetham, CISO at Content Guru. “We encourage our team to question anything that seems at all suspicious, and to go with their gut instinct or ask for advice where needed. Regular training on cyber security and the hygiene aspects using engaging and accessible resources is the best way to cultivate a highly secure workforce.”
Emphasising Cyber Hygiene
While cyber attacks often conjure up images of dark rooms and hooded figures, far too often breaches come from poor cyber hygiene practices. Danny Lopez, CEO at Glasswall Solutions highlights, “unfortunately, most employees are unfamiliar with how to properly protect themselves. Attackers know how to depend on predictable patterns of human behaviour to gain an advantage against their targets. Many users don’t think twice about opening an attachment or clicking a link that appears to be legitimate. As insider threats have increased by 47% this year, users may also think they are communicating with a colleague when the account has actually been taken over by an adversary.”
Dottie Schindlinger, Executive Director, Diligent Institute agrees, “open communication tools – like Slack, texting and personal email – are great for informal communication, but they don’t often provide the level of security or access privileges needed for sensitive communications between executives, the board, legal, HR, risk and compliance teams… Organisations need secure environments and workflows that allow them to communicate highly sensitive information safely, without worrying that it might accidentally be misrouted, forwarded, leaked or even stolen. And, the system must be intuitive and convenient, so executives remain within its workflows and processes without straying to other systems and creating security gaps. If these steps are taken, it goes a long way toward mitigating insider threats.”
Aside from education, another key function of Cybersecurity Awareness Month is career awareness. With the cybersecurity industry facing notable skills gaps, encouraging training, upskilling and education has never been more important.
Tim Bandos, CISO & VP Security Managed Services at Digital Guardian explains, “finding the right fit for your security team remains a daunting and somewhat challenging task in today’s world. There’s a well-documented shortage of talent across the cybersecurity industry dating back several years. The pandemic and the challenges it brought have made matters worse.
“When it comes to ensuring cyber talent retention, establishing the right working environment is critical to keeping people engaged and motivated to stay. Having policies to ensure there’s an effective work-life balance and offering solid benefits are important elements when it comes to employee retention. I also believe that if you have a highly collaborative and engaging team that focuses on achieving group goals and taking the time to reward and celebrate them, it goes a very long way in countering anyone’s interest in leaving.”
Neil Jones, cybersecurity evangelist, Egnyte furthers this, calling for employers to “encourage your employees and executive team to take proactive steps to enhance cybersecurity and remember to reinforce the importance of personal accountability with all of your associates.”
He continues: “As an IT leader, you need to consistently update your cyberattack prevention strategies and implement practical measures like the following, which will protect you from falling victim to potential attacks.” For example, companies should “make compulsory cybersecurity awareness training a way of life, rather than a once-a-year IT requirement.”
The last week of Cybersecurity Awareness Month is centred around the theme of ‘cybersecurity first’, which calls for organisations to make security a priority. “A report by Atlas VPN found the cost of cybercrime totaled more than $1 trillion across the world last year,” highlights Joel Reid, UK&I VP/General Manager at Axway. “That’s an eye-watering figure. We all have a responsibility to do our part to protect ourselves, our families, our colleagues and our employers. However, in many cases, simple failures to afford cybersecurity the respect it deserves can lead to some significant data breaches that have affected millions of users.”
With the prevalence of attacks, one thing that should be high up on priority lists is data recovery. Hugh Scantlebury, Founder and CEO, Aqilla calls for businesses to “check whether disaster recovery and automated backup are taking place (and with what frequency) within your SaaS environments. That way, if the worst does happen and you’re stung with a DDoS or other malware attacks, you can quickly recover your data. This is essential as a quick recovery means you’ll get back to regular business without impacting customer service or breaching any data protection regulations.”
Jakub Lewandowski, Global Data Governance Officer at Commvault concludes, “The theme for this year’s Cybersecurity Awareness Month is ‘#BeCyberSmart’, and a simple message has never been so important as awareness is raised about how best to protect your organisation from a cyber attack. The best defence is to be proactive, rather than reactive. Don’t wait until an attack has happened and the attacker is in your system before you attempt to remove them.”