October 2023 marks the 20th year of Cybersecurity Awareness Month. Every year since 2004, the government and the cybersecurity industry have shared their insights and recommendations on online data security and privacy management. The initiative is a collaborative effort toward building a fully secured and self-governed cybersecurity framework that every American can follow. In the last few years, Cybersecurity Awareness Month has emerged as a global initiative to improve the resiliency and incident-reporting capabilities of private and public sector organizations. Most IT and security leaders agree that cybersecurity policies are lagging behind technology trends. A lack of adequately trained IT professionals, poor leadership, excessive reliance on aging IT and security solutions, and growing pressure from cybersecurity regulatory authorities have combined to create a difficult scenario for organizations. For 2024, organizations require a staunch, personalized training approach to thwart cybercrime.
At CIO Influence, we offered an open platform to the top 50 cybersecurity leaders and InfoSec professionals to share their cybersecurity training strategies for 2024 and beyond.
The panel of speakers who participated in the 2023 October Cybersecurity Awareness Month at CIO Influence includes:
- Marcus Fowler, CEO of Darktrace Federal
- Theresa Lanowitz, Head of Cybersecurity Evangelism at AT&T Business
- Andrew Hollister, CISO and VP Labs – R&D at LogRhythm
- Philip George, Executive Technical Strategist, Merlin Cyber
- Doug Murray, CEO, Auvik
- Patrick Harr, CEO, SlashNext
- Ricardo Amper, CEO and Founder, Incode Technologies
- Ratan Tipirneni, President and CEO, Tigera
- Nils Gerhardt, Chief Technology Officer for Utimaco
- Adi Dubin, VP of Product Management at Skybox Security
- James Carder, CISO at Eptura
- Richard Caralli, Senior Cybersecurity Advisor, Axio
- Jeff Reich, Executive Director, IDSA
- Irfan Shakeel, VP of Training and Certification Services, OPSWAT
- Stephen Gorham, COO, OPSWAT
- Ariel Parnes, COO and Co-Founder, Mitiga
- Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea
- Jason Kent, Hacker in Residence, Cequence Security
- JP Perez-Etchegoyen, CTO at Onapsis
- Josh Bartolomie, VP of Global Threat Services at Cofense
- Bala Kumar, Chief of Product at Jumio
- Jason Dettbarn, Founder & CEO, Addigy
- Carl D’Halluin, CTO, Datadobi
- Don Boxley, CEO and Co-Founder, DH2i
- Seth Blank, CTO, Valimail
- John Martinez, Dynamic Access Management Evangelist, StrongDM
- Arti Raman, CEO and founder, Titaniam
- Patrick Beggs, CISO at ConnectWise
- Gal Helemski, CTO and co-founder, PlainID
- Kevin Cole, Director of Technical Marketing and Training at Zerto, a Hewlett Packard Enterprise company
- David Menichello, Director, Security Product Management, Netrix Global
- Darryl Jones, VP of Product (CIAM), Ping Identity
- Joe Regensburger, Vice President of Research Engineering, Immuta
- David Divitt, Senior Director, Fraud Prevention & Experience, Veriff
- James Hadley, CEO and Founder of Immersive Labs
- Yariv Fishman, Chief Product Officer, Deep Instinct
- Nick Carroll, Cyber Incident Response Manager, Raytheon, an RTX business
- Olivier Gaudin, Co-CEO & Founder, Sonar
- Doug Kersten, CISO, Appfire
- James Lapalme, Vice President & GM for Identity, Entrust
- Bryson Bort, Faculty at IANS Research & CEO and Founder at SCYTHE
- Jessica Hebenstreit, Faculty at IANS Research & Director of Security Operations and Infrastructure at Eptura
- Ed Skoudis, Faculty at IANS Research, President at SANS Technology Institute and Founder of Counter Hack
- Mike Rothman, Faculty at IANS Research & Chief Strategy Officer and GM of Techstrong Research
- Larry Whiteside Jr., CISO at RegScale
- Tyler Farrar, CISO, Exabeam
- Corey Nachreiner, Chief Security Officer, WatchGuard Technologies
- Rehan Jalil, President & CEO at Securiti
- Rich Lilly, Director, PS Security at Netrix Global
- Carla Roncato, Vice President, Identity at WatchGuard Technologies
The Impact of AI on the Threat Landscape
Marcus Fowler, CEO of Darktrace Federal
This year, CISA’s new theme for Cybersecurity Awareness Month is challenging us to reflect on how we can best secure our world. The global threat landscape is always evolving, but AI is poised to have a significant impact on the cybersecurity industry. The tools used by attackers—and the digital environments that need to be protected—are constantly changing and increasingly complex. We expect novel attacks will become the new normal, and we’re entering an era where sophisticated attacks can adapt at machine speed and scale. Luckily, AI is already being used as a powerful tool for defenders – helping to strengthen and empower our existing cyber workers so they can keep pace with increasingly complex environments and the constant onslaught of ever-evolving cyber threats.
In a recent survey, we found that the top three characteristics that make employees think an email is risky are: being invited to click a link or open an attachment, an unknown sender or unexpected content, and poor spelling and grammar.
But generative AI is creating a world where ‘bad’ emails may not possess these qualities and are nearly indistinguishable to the human eye. It is becoming unfair to expect employees to identify every phish, and security training, while important, can only go so far.
Increasing awareness of and the ability to recognize phishing attempts is an important first step, but an effective path forward lies in a partnership between AI and human beings.
AI can determine whether the communication is malicious or benign and take the burden of responsibility off the human.
Embrace Multi-Factor Authentication (MFA) to Address New Security Challenges
Theresa Lanowitz, Head of Cybersecurity Evangelism at AT&T Business
During this year’s October Cybersecurity Awareness Month, we’re addressing incredibly important themes that have also evolved immensely over the past two decades. This includes multi-factor authentication (MFA) and the strengthening of passwords.
As Edge Computing expands, we expect the popularity of MFA to grow and include biometrics and biometric behaviors – like how you sign your name or your cadence in entering a numerical sequence. While the use of biometrics to authenticate identity is not new, advancements in digital twins, deepfakes, and purpose-built IoT devices mean there is a need to secure our physical identities. Deepfakes may spoof more than your identity.
Consider autonomous vehicles that have built-in MFA in key fobs.
IoT devices are frequently ‘set and forget’ with a default password that may be as simple as ‘1234’, making it easy for cyber adversaries to either guess or have knowledge of the default password. It makes sense that biometrics, MFA, and device authentication are utilized in new endpoints such as autonomous vehicles since there are no direct inputs into vehicle networks—however, without an added layer of security, an adversary can execute DDoS attacks or gain access to the network by moving laterally through an IoT device with a default password. With this, endpoint detection and response (EDR), managed detection and response (MDR), and extended detection and response (XDR) are becoming baseline requirements.
Use Cybersecurity Awareness Month as a Catalyst for Action Against New Threats
Andrew Hollister, CISO and VP of Labs R&D at LogRhythm
Each year, Cybersecurity Awareness Month serves as a valuable reminder of the critical importance of fortifying our organizations’ cybersecurity posture in an increasingly interconnected world. This year, Cybersecurity Awareness Month’s focus is on four key behaviors: enabling multi-factor authentication, using strong passwords and a password manager, updating software, and recognizing and reporting phishing attempts—all essential practices in safeguarding against cyberattacks. Our growing reliance on digital technology within the business landscape is accompanied by escalating threats and vulnerabilities that pose significant risks to sensitive data, financial stability, and even national security.
In the face of these escalating threats, it is worth noting that 67% of respondents in a recent study reported their companies losing business deals due to customers’ lack of confidence in their security strategies. A solid security strategy has become a business imperative, and all too often, organizations either fail to do the basics or don’t truly understand the full scope of the threat they are facing.
Digital transformation over the past decade has led us to a place where much of our data has moved to the cloud and our user communities have also at least partially “moved to the cloud” as well post-pandemic – in various forms of hybrid work patterns.
Let us use Cybersecurity Awareness Month as a catalyst for action.
Strengthen your organization’s defenses, educate your teams, and invest in technology solutions that enable you to reduce your overall risk.
By doing so, we can collectively fortify our digital foundations, protect our critical assets, and ensure a safer digital future for all.
Time to Understand – and Act Upon – Quantum Risk
Philip George, Executive Technical Strategist, Merlin Cyber
One critical aspect of cybersecurity that deserves much more attention and focus is the advancement of quantum computing. While quantum computing is poised to enable researchers to tackle complex problems through simulation in a way that simply wasn’t possible before, it also has very serious implications for cryptography – the foundation upon which functionally all modern cybersecurity relies. A cryptographically relevant quantum computer (CRQC) could render linear cryptography ineffective, meaning sensitive data and critical systems protected in this way will be exposed to anyone with quantum computing capabilities. The reality is that our adversaries are inching closer and closer to achieving a CRQC every day and in the meantime are collecting sensitive encrypted data to access later, also known as a “store now, decrypt later” approach. Certain cryptographic standard bodies estimate that we have approximately 7-10 years before quantum cryptographic relevancy is achieved – however, we’ve already seen instances of adversaries exploiting our growing reliance and implicit trust with current cryptography, like in the SolarWinds SUNBURST Backdoor and Microsoft Storm-0558 forged tokens attacks. With the executive direction to adopt zero-trust architectures (ZTA) across IT/OT portfolios, the industry cannot afford to delay the inclusion of a quantum-readiness (QR) roadmap (see the joint CISA/NSA Quantum Readiness memo) into said ZTA modernization plans, especially considering how heavily they will rely upon cryptography across every facet of the maturity model.
A major component of the QR roadmap is the execution of a cryptographic discovery and inventory report, which would provide valuable insight into quantum vulnerable cryptographic dependencies as well as overall cryptographic usage. The results of which would provide critical insight into strategic risk management decisions for Y2Q (years to quantum) planning and operational cyber threat-hunting purposes.
The era of implicit cryptographic trust and reliance on an iterative standard process is coming to a close; the industry needs to fully incorporate cryptographic risk into its vulnerability management and remediation programs before Y2Q. This will ensure a more cryptographically agile and robust zero-trust ecosystem is achieved across newly modernized environments.
Cybersecurity Fundamentals: Network Visibility is the Key
Doug Murray, CEO, Auvik
We can’t have a constructive discussion about cybersecurity without addressing network-based security. You can’t protect what you can’t see – unknown devices are unprotected devices. As rigorous as your cybersecurity efforts may be, poor visibility can put the entire network at risk of an attack.
To effectively implement cybersecurity protocols that reduce vulnerabilities, IT teams must have a comprehensive view and understanding of all assets, including switches, routers, firewalls, wireless controllers, access points, and endpoint devices, including many headless IoT devices.
In addition to traditional security products, it’s important to implement complementary tools like network management software to ensure an organization has a cohesive view of its network.
By detecting unusual activity, rogue devices, traffic from unexpected locations, and unapproved or atypical application usage, network management tools identify areas of concern and flag them for investigation before real problems occur. This allows organizations to take necessary corrective action early and maintain an offensive rather than defensive cybersecurity strategy by preventing a wider range of potential attacks on an organization’s network. This is not only critical for cybersecurity but also assists with compliance, ensures quicker troubleshooting, and results in better business outcomes.
The Evolution of Phishing and BEC, and How to Stay Protected
Patrick Harr, CEO, SlashNext
We have seen phishing grow from targeted email attacks into a widespread multi-channel problem that has become the top security threat for both organizations and individuals. In 2023 especially, the introduction of generative AI technologies like ChatGPT has been a game changer for cybercriminals, particularly in relation to cyberattacks launched through email, mobile, and collaboration apps including business email compromise (BEC) and smishing.
These new AI tools have helped attackers deliver fast-moving cyber threats and have ultimately rendered security defenses that rely on threat feeds, URL rewriting, and block lists ineffective. Combining these new tools with the way people work using multiple devices communicating and collaborating outside of traditional security defenses, users and businesses are more exposed than ever to cyberattacks.
Perhaps even more concerning is the rise of AI tools proliferating on the dark web – such as WormGPT, FraudGPT, and others – that are specifically designed to apply generative AI technologies for criminal purposes.
Now, we are even seeing the likes of BadGPT and EvilGPT being used to create devastating malware, ransomware, and business email compromise (BEC) attacks. Another grave development involves the threat of AI “jailbreaks,” in which hackers cleverly remove the guardrails for the legal use of gen AI chatbots. In this way, attackers can turn tools such as ChatGPT into weapons that trick victims into giving away personal data or login credentials, which can lead to further damaging incursions.
So, how do we protect ourselves?
Training users to detect these new AI-developed types of phishing attacks can be extremely difficult. It’s crucial to leverage AI-based cyber security protection to successfully battle cyber threats that use AI technology. Whether you’re a business with thousands of customers, or an employee using a personal device for work, you have to fight AI with AI.
Moving Forward with the Passwordless Authentication Technology
Ricardo Amper, CEO and Founder, Incode Technologies
With the rise of deepfakes and fraudsters becoming increasingly sophisticated, verifying identities is more challenging than ever. As verifying identities becomes harder, fraud mounts. This month, we celebrate Cybersecurity Awareness: a time to implement processes and adopt solutions that improve the cybersecurity posture of our organizations.
Today, passwordless authentication is one of the top methods to deter fraud where identity means everything, for example, in banking, government, and payment processing. We’re seeing industries such as financial enterprises combat spoofing and identity fraud through biometric digital identity verification, which can prevent the use of ‘synthetic identity’ to steal customer profiles and open new accounts.
As a means of digital identification, biometrics prevent fake digital identities by identifying documents that have been tampered with or photoshopped. Companies in a variety of key sectors are introducing digital authentication services and solutions to combat growing levels of fraud and stay ahead of cybercriminals.
Is Runtime Security Planning and Testing Losing its Importance?
Ratan Tipirneni, President and CEO, Tigera
Today, enterprises and small businesses alike are using containers and distributed applications, built with microservices and running on platforms like Kubernetes. Container environments are highly dynamic and require continuous monitoring, observability, and security. This October Cybersecurity Awareness Month, it’s important to remember a critical Kubernetes best practice: treating container security as a continuous practice. Integrating security into the entire development and deployment cycle is key.
For example, while “shift left” models have played an important role in increasing the security and resilience of deployments, the industry pendulum has swung too far. Many enterprises believe that runtime security is unnecessary if they put enough resources into planning and testing.
The reality is that a breach is a matter of when, not if, and security teams must ensure their runtime security tools can rapidly identify and mitigate any intrusion attempts or risk serious consequences.
A best practice for securing containers is to use a multi-layered security approach that includes security measures at different levels, such as network, host, and application layers. This approach provides a defense-in-depth strategy that can provide more comprehensive protection against different types of attacks. The goal of the defense-in-depth approach is to make it more difficult for attackers to penetrate an organization’s defenses and limit the damage if an attack does occur.
Internet of Things Security Needs the Human Touch
Nils Gerhardt, Chief Technology Officer at Utimaco
This Cybersecurity Awareness Month, what cybersecurity professionals and the organizations that they work for need to know is how their efforts are being perceived by the people directly impacted by them. In addition to our groundbreaking work providing the root of trust for thousands of organizations around the world, we also strive to understand the social dynamics of cybersecurity.
There is a very high level of trust in financial services companies, but trust in Internet of Things (IoT) technology – both in terms of security and its ability to improve society – is typically much lower. These are two sectors that, although very different, directly impact consumers, and newer ways of hacking are impacting both arenas. While it is true that there have been hacks of smart devices, these are still rare, and criminals are far more likely to take funds directly from their victims through traditional scams and fraud. This means that there is an opportunity for the $320 billion IoT industry to learn how to improve their own security from their peers in finance and banking.
We know from working with IoT that, while the industry isn’t without unique challenges, security is typically very high. The issue is not that IoT hardware and software developers aren’t creating secure systems, but that it is much more difficult for the users of these systems to see and feel these security systems in action. Compare this to the typical bank user’s experience of using a banking app, where they will have to log in with PINs or biometrics and confirm payments. Many IoT devices are designed to operate invisibly, at least when security is concerned – the network of sensors that enable smart cities or even something as simple as a smart light bulb to conduct all of their security operations in the background.
Our message to IoT companies would be to foreground security in your work.
Of course, invest in the very latest technology, something we at Utimaco can provide, but also educate your end-users about how they can know that they are protected. Cybersecurity Awareness means more than awareness of the threats in your domain – it means an awareness of how end-users are experiencing security.
Consolidate Cybersecurity Functions with a Shift to Risk-based Paradigm
Adi Dubin, VP of Product Management at Skybox Security
This year’s Cybersecurity Awareness Month focuses on the importance of ensuring online safety with ease.
In 2022, the National Vulnerability Database (NVD) recorded an alarming surge in cybersecurity vulnerabilities, with a staggering 25,096 new vulnerabilities added. According to our 2023 Vulnerability and Threat Trends Report, this marks the highest number of vulnerabilities ever reported in a single year and represented a substantial 25% increase from the 20,196 vulnerabilities recorded in 2021. This data underscores a concerning trend: vulnerabilities are not only on the rise but are also proliferating at an accelerating rate, making the landscape of cyber threats more challenging to navigate.
In the face of an escalating threat landscape, traditional security tools have fallen short, often creating unnecessary complexity. However, there is hope for organizations to proactively reduce risks and enhance operational efficiency. Organizations should focus on continually evaluating the accessibility, exposure, and exploitability of their digital and physical assets.
To successfully adapt to this modern, risk-based paradigm, organizations should seek comprehensive solutions that consolidate cybersecurity functions, provide complete visibility into their attack surface, leverage various detection techniques, assess risks holistically, automate response processes, and collaborate with experienced cybersecurity experts.
The Future Belongs to Zero Trust Security Policies
James Carder, CISO at Eptura
In the spirit of Cybersecurity Awareness Month, business leaders must be mindful to secure their workplaces, whether that workplace is remote, in an office, or in a hybrid model. Return-to-office (RTO) mandates have been gaining momentum post-Labor Day, signaling a shift in the way organizations approach work in a post-pandemic world. Three years after the onset of the pandemic, businesses are still grappling with security concerns as they navigate the challenge of securing employees working from various locations and devices. Despite the hesitations around mandated RTO, our Q2 Workplace Index report found that the reality is that 79% of employees live within commuting distance of their workplace. A flexible work approach is emerging as the norm, with employees having the freedom to work from various locations. Business leaders need to recognize that this shift necessitates a comprehensive approach to cybersecurity that bridges the gap between physical and digital security.
One key consideration for business leaders is the adoption of a zero-trust security model.
Zero Trust ensures that only trusted identities (people, places, assets, etc.) gain access to corporate resources and data, regardless of the employee’s location. This approach is vital for preventing catastrophic breaches and security incidents that can occur as employees move between corporate offices, shared workspaces, and remote setups.
As employees work from diverse locations, securing both the digital and physical aspects of the workplace becomes crucial. Modern workplaces offer a variety of spaces for employees to choose from, and ensuring the safety of these spaces is paramount. Integrating physical and cybersecurity measures is essential, as attackers can exploit gaps in security when employees work from different locations.
Additionally, the safety of employees is impacted by both the digital and physical aspects of the workplace, whether it is due to a cyber attack or operational outage.
Smart, physical assets that operate a building have to be protected operationally, regardless of whether employees are in the building or not. By protecting facility management systems and implementing stringent access controls, businesses can enhance their overall security posture and protect both their employees and assets.
Create a Balance Between Functionality and Security/Privacy
Richard Caralli, Senior Cybersecurity Advisor, Axio
For 20 years, Cybersecurity Awareness Month has been raising awareness about the importance of cybersecurity, but creating a cyber-aware culture is only getting worse. Technology users are on the front line for cybersecurity, but this responsibility is not taken seriously either because it’s a lower priority (average consumers place preference on product features over security), or they don’t fundamentally understand it (cybersecurity technologies at the consumer level are not entirely intuitive).
There are approximately 12 million lines of code on a typical smartphone operating system, and on those devices, thousands of configurable settings affect security and privacy. If an organization issues a device like an iPhone, it can centrally ensure the security and privacy settings fall in line with organizational policy. But, in an increasingly bring-your-own-device world, and especially for retail consumers, all bets are off.
With configurability being a key desirable feature of applications, users, unfortunately, put little effort into ensuring they are protected from not only attackers but also from legitimate attempts to use their data in ways that may over-expose them. It isn’t sufficient to fall in line with the standard security recommendations anymore—such as implementing MFA. Users must initiate their own security and privacy review of the software and devices they use, instead of focusing only on configuring features and applications that are important to them.
Until fixed, consumers will continue to be a rich target—and attackers know it.
To create a more cyber-aware culture, users should review all default settings on new software and devices and make changes as appropriate. And, while not an easy task, several guides being produced—Consumer Reports, for example, publishes a Guide to Digital Security and Privacy—can help users configure important settings, or at least give them the option to decide on the balance between functionality and security/privacy.
Make Systems More Resilient and Frictionless
Jeff Reich, Executive Director, IDSA
So far, 2023 has shown us that all it takes is one compromised identity to have a huge effect on the targeted organization, the industry vertical, and society at large. And year after year, our research demonstrates that it takes more than a strong password to keep bad actors at bay. Today’s questions swirl around what it will take to stem the increasing onslaught of identity-related breaches. From the Least Privilege principle to Multi-Factor Authentication (MFA), routine access reviews, and Zero Trust, it will take parts of each of these, plus more, to address this problem.
The bigger question is, how do we get this done?
Security, as part of a larger risk management program, is the answer.
This year marks the 20th anniversary of Cybersecurity Awareness Month and the new theme is Secure Our World. This is appropriate because, as we have seen, the effects can and do shape events around the world. By continuing to better educate ourselves and raise awareness around this global issue, we will solve this problem.
The key is to better know the environments in which we operate, the associated risks, and ways to eliminate or lower the severity of the outcomes. This is incumbent upon each of us and all of us. The message is the same, although updated. Learn what you can do to protect yourself and help others. Security professionals: work to make systems more resilient and frictionless. For users of these systems: learn to use them and make them work for you.
IT/OT Convergence Is Not Just a Trend, but a Necessity
Irfan Shakeel, VP of Training and Certification Services, OPSWAT
By fostering collaboration and camaraderie, we can pave the way for a more cyber-resilient OT environment.
Recent findings from Tessian’s Human Factor Report 2023 found that 88% of data breaches are caused by employee mistakes. This underscores the paramount importance of investing in our first line of cybersecurity defense: our workforce. Cybersecurity Awareness Month is not merely about social media posts or celebratory events; it is about educating employees, vendors, and all other stakeholders on cybersecurity best practices and other security policies. By doing so, we ensure that our primary defense doesn’t become our most significant vulnerability.
IT/OT convergence is not just a trend, but a necessity, driven by its transformative benefits such as streamlined operations, real-time data access, and data-driven decision-making. However, this integration also expands the attack surface, introducing new security challenges.
As we observe Cybersecurity Awareness Month in October, it’s the perfect opportunity to bridge the gap between industrial teams and their IT counterparts. This month is ideal for hosting hands-on cybersecurity awareness training sessions and organizing engaging activities like cybersecurity scavenger hunts.
Improve the KPIs Through People, Processes, and Technology
Ariel Parnes, COO and Co-Founder, Mitiga
As cybercrime moves to the cloud – as evidenced by recent exploits like Scattered Spider’s ransomware attack on MGM to Storm-0558’s attack targeting Microsoft Exchange – there is a whole new level of cyber awareness that is needed from everyone in organizations. Awareness about this Cybersecurity Awareness Month is especially important for enterprise leaders evolving their tech stacks and updating capabilities in order to manage risk and grow resilience.
To effectively respond to this new breed of incidents—and fast—enterprise leaders need to:
- Understand the new and evolving threat landscape, and educate their team and peers
- Assume a breach, but more importantly: assume a Cloud/SaaS breach
- Define SMART (Specific, Measurable, Attainable, Relevant, and Time-Bound) KPIs for cloud and SaaS breach readiness
- Build a plan to improve the KPIs through people, processes, and technology
- Exercise, exercise, exercise!
Especially in light of the SEC’s latest ruling requiring organizations to disclose a material breach within four days following its discovery, this undeniably necessitates organizations to rapidly evaluate the severity of an attack and ensure accurate and timely reporting—a process that demands swift investigation. But there’s an added dimension: potential adversaries might exploit this regulation, heightening pressure on the compromised entity by revealing (real or fake) details of the breach—as in the MGM attack.
We have seen this in the past, and with the new regulations, we should expect to see it more. Organizations should prepare for these situations in a multi-layered approach, building, expanding, and exercising capabilities in rapid investigation, negotiation, comms, and PR.
Reporting Phishing Attempts Is Crucial in Protecting Individuals and Organizations
Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea
Cybersecurity Awareness Month also serves as a reminder of the ongoing threat posed by phishing attacks and the importance of recognizing and reporting them. Phishing remains a prevalent method used by cyber criminals to trick individuals into revealing sensitive information or engaging in harmful actions.
Recognizing phishing attempts involves being vigilant about suspicious emails, messages, or links that attempt to imitate a trusted source. Cybercriminals often use urgent language, false claims, or deceptive URLs to manipulate victims into taking action that compromises their security. By educating ourselves and others about these tactics, we can reduce the risk. Reporting phishing attempts is equally crucial. Many organizations have established mechanisms for reporting suspicious emails or incidents promptly. Reporting phishing attempts can also reduce the risk and impact on business and help security teams take the appropriate action and measures to protect individuals and networks.
Do This: Either Enable Multi-Factor Authentication (MFA) Or Two-Factor Authentication (2FA)
Jason Kent, Hacker in Residence, Cequence Security
Cybersecurity Awareness Month is a timely reminder for organizations to revamp their security posture. With this year’s theme, “It’s easy to stay safe online,” in mind, individuals can take a few small steps that make all the difference.
Time and again, one of the most critical aspects of account security is overlooked: password creation.
To achieve proper password security, individuals should consider the following best practices:
- Using strong, unique passwords for each account is imperative, as cybercriminals often target those with reused or weak passwords derived from a vast pool of compromised user ID or password combinations from data breaches.
- Avoiding easily guessable patterns like birth years, family names, or sports teams.
- Implementing password managers proves invaluable for generating and securely storing complex passwords.
- Enabling Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA) adds an extra layer of security to your application and website accounts, requiring an additional authentication step beyond your password.
Having covered what to do, let’s also discuss what you should avoid:
- Using a credit card is the safest way to pay online; storing your credit card details in online accounts, though convenient, pales in comparison to the potential risks of unauthorized charges. Taking the extra 30 seconds to manually input your card information during transactions can save you from these hassles.
- Equally important is steering clear of “pay me with a gift card” scams, where scammers manipulate individuals through email or phone calls, convincing them to make payments for non-existent computer issues or software subscription renewals. These fraudsters exploit fear and a lack of technical knowledge to access victims’ computers, installing remote access tools and insisting on gift card payments. Tech Support, the IRS, the FBI, the County Sheriff – don’t take Steam Gift Cards as payment.
With these steps in mind, bolstering your online safety becomes a manageable task. By implementing these precautions, individuals can navigate the digital landscape with confidence and enhanced security.
Enterprises Must Evaluate All Elements Within Their IT Landscape
JP Perez-Etchegoyen, CTO at Onapsis
This year’s Cybersecurity Awareness Month serves as a timely opportunity for companies to reassess their cybersecurity practices. The significance of cybersecurity has grown even more pronounced in the face of ransomware and supply chain attacks that have affected organizations of all sizes and sectors. Just considering the number of cyberattacks, research indicates a 38% increase from 2021 to 2022.
The ability to ensure business continuity and safeguard brand reputation now hinges on an organization’s capacity to enhance the availability of business operations, of which a critical part is its business applications, while also embracing innovation and integrating security and compliance into their operations. Special emphasis must be placed on safeguarding critical web applications since cybercriminals continually identify and exploit vulnerabilities in this area. Such vulnerabilities not only risk data exposure and theft but can also result in complete system downtime until necessary updates are deployed. This system downtime, when it comes to business-critical applications, equates to business disruption, potentially resulting in millions of dollars in losses.
With the theme “it’s easy to stay safe online” in mind, enterprises must evaluate all elements within their IT landscape to detect any potential cyber threats. This includes identifying unpatched systems, addressing permissive access controls, securing integrations, and rectifying any misconfigurations. Prompt action is vital to shield mission-critical applications and the overall business from sophisticated cybercriminals. Organizations should also incorporate a robust business application security program into their cybersecurity strategy, ensuring complete visibility into applications for high-priority patching, vulnerability assessments, and security protection.
Reassess the Roles and Responsibilities of the Security Operations Center (SOC) Teams
Josh Bartolomie, VP of Global Threat Services at Cofense
Cybersecurity Awareness Month, now in its 20th year, stands as an annual partnership between government and private sectors, uniting efforts to enhance awareness of digital security. Its mission: equip everyone to safeguard their personal data against the perils of digital crime.
Contrary to the belief that technology alone can eliminate vulnerabilities, it is essential to recognize that your workforce constitutes one of the most important lines of defense. They play an indispensable role in guarding against cybersecurity attacks and compromises. Organizations need to invest in their employees, imparting not just the ability to recognize suspicious activity but also to foster a culture where reporting such concerns and incidents is encouraged and even incentivized.
Additionally, in cases where threats manage to elude employee vigilance, Security Operations Center (SOC) teams must possess the capability to identify, trace, and neutralize these risks swiftly and efficiently.
Cybersecurity is our collective responsibility. The most effective way to ensure protection is by working together. Cybercrime ranks as the foremost threat faced by companies, but fear not; there are established and user-friendly methods to thwart it, like free resource toolkits to greatly assist in promoting security awareness.
Keeping Vital Data Out of Criminals’ Reach Using Biometric-Backed Identity Verification Methods
Bala Kumar, Chief of Product at Jumio
There are a number of commonly used verification tools out there today, like multi-factor authentication (MFA) and knowledge-based authentication. However, these tools aren’t secure enough on their own. With the rise of new technologies like generative AI, cybercriminals can develop newer and more complex attacks that organizations need to be prepared for.
Fraudsters can leverage ChatGPT, for instance, to create more convincing and targeted phishing scams to increase their credibility and impact, victimizing more users than before.
This month’s emphasis on cybersecurity reminds us that organizations must build a strong foundation starting with user verification and authentication to efficiently protect customer and organizational data from all forms of fraud. Strong passwords and MFA are always beneficial to have, but with the increasing sophistication of cyberattacks, organizations must implement biometric-backed identity verification methods. By cross-referencing the biometric features of an onboarded user with those of the cybercriminal attempting to breach the company, organizations can prevent attacks and ensure that the user accessing or using an account is authorized and not a fraudster, keeping vital data out of criminals’ reach.
As you may already know, October marks National Cybersecurity Awareness Month (NCSAM), a significant initiative launched in 2004 by the U.S. Department of Homeland Security and the National Cyber Security Alliance. The goal? A dedicated month to reinforce the importance of safeguarding our online presence. It began as an American effort, but the message resonated far and wide. Today, numerous countries around the globe have embraced the cause, underscoring that cyber threats don’t recognize borders. It’s a collective call to action, urging individuals and organizations to prioritize online safety, no matter where they’re located. It’s truly a global commitment to cyber resilience.
Breaches Cost More than Just Monies
Jason Dettbarn, Founder & CEO, Addigy
Cybersecurity has moved from an afterthought to one of the more important decisions in the boardroom, as executives have come to understand the potential scale and impact of attacks. Breaches don’t just cost money – they can debilitate a company.
IT leaders need to ensure they are leveraging the right security processes and tools to maintain compliance vigilance, which includes a layered approach to OS Patching, Application Patching, adhering to Compliance Frameworks, and End-User Authentication Management. The speed and impact of Zero Day vulnerabilities highlight the importance of applying these patches throughout an organization’s entire fleet of devices in a timely fashion. National Cybersecurity Awareness Month serves as a good reminder of this.
Align Your Zero Trust Network Access (ZTNA) Principles
Don Boxley, CEO and Co-Founder, DH2i
Today, cyber threats are escalating into full-blown crises – making Cybersecurity Awareness Month more than just a gentle reminder, but a stark warning that we must urgently overhaul our digital defenses. Gone are the days when established security measures like VPNs sufficed. Hackers are continually advancing, rendering traditional methods increasingly obsolete. Proactive security isn’t an option; it’s an absolute necessity if organizations want to survive into the future.
Software-defined perimeters (SDPs) are rapidly gaining prominence as an innovative and intelligent alternative to VPNs. They address and eliminate many traditional VPN vulnerabilities, such as susceptibility to lateral network attacks that could compromise sensitive organizational assets. SDPs simplify the secure connection of network assets across diverse infrastructures—from on-premises to hybrid and multi-cloud setups—and closely align with Zero Trust Network Access (ZTNA) principles.
By adhering to the Zero Trust tenet of “never trust, always verify,” SDPs offer stringent security controls at the application level. This ensures that resources like servers, storage units, applications, IoT devices, and users gain access only to the specific data endpoints required for their tasks, thereby eliminating potential vulnerabilities such as lateral movement paths that attackers could exploit.
Let us heed National Cybersecurity Awareness Month as an urgent call to action for adopting next-generation solutions like SDPs and Zero Trust principles. In doing so, we will be equipping organizations and individuals with the robust defenses needed to outpace ever-advancing cyber threats.
Secure Your Emails
Seth Blank, CTO, Valimail
October may conjure images of falling leaves and Halloween festivities, but it’s also Cybersecurity Awareness Month—a crucial period that calls for our attention to the increasing threats in the digital landscape. Among these threats, one that’s often pushed to the background but deserves center stage is email security.
Email is the battleground where some of the most sophisticated social engineering attacks, like spear-phishing and whaling, are waged. These attacks exploit human psychology, leveraging the absence of the usual cues we rely on to assess trust—no facial expressions, no tone of voice, just cold text on a screen. You’ve probably been inundated with the same stats again and again, like the fact that 91% of all cyberattacks start with phishing.
Or, that the FBI has reported $50 billion—with a b—in losses due to business email compromise (BEC). And due to that inundation, it’s easy for some to look at email as an old problem. But, those stats show the problem is not just as bad as it’s ever been; it’s getting worse.
Much, much worse.
The bottom line is that even if the stats have become easy to ignore—the problem is real, and one misstep can wreak havoc. This Cybersecurity Awareness Month, don’t just scroll past the warnings—take them to heart. Beef up your email security, or get ready for a world of hurt. The ball is in your court, and it’s ticking.
Keep a Tab on your Undocumented, or Unauthorized, IT Tools or AI Software
John Martinez, Dynamic Access Management Evangelist, StrongDM
An insider threat uses one main weapon to attack a company: access.
Having the credentials to access and move around internal infrastructure with near impunity is the core element of an insider threat, as well as nearly every other major security challenge. Shadow IT has been around for a long time; Shadow AI, for sure, is new since ChatGPT, and it has IP and confidential data leakage implications. These terms reference the use of undocumented, or unauthorized, IT tools or AI software.
As we continue to see innovations in AI, the challenge will be ensuring employees have access to the tools they need under company oversight to avoid backdoors and cheats that can cause security risks. The same security risks can enable an insider threat.
I want to remind company leaders that having infrastructure access is like having the keys to your home’s front door, and investing in the proper access management tools that can monitor and adjust credentials as necessary is critical.
Regardless of whether an insider threat is intentional or malicious, CISOs and IT leaders must lead the charge into centralized access. By doing this, security leaders can manage critical access permissions across databases, servers, and cloud service providers to ensure their infrastructure is kept secure against threats both inside and out without compromising productivity.
Use AI to Strengthen Your Security Regulation Compliance
Arti Raman, CEO and founder, Titaniam
Business leaders wanting to stay ahead when it comes to security, compliance, and policy need to be paying attention this Insider Threat Awareness Month. The boom in Artificial Intelligence (AI) that we’re seeing today, while powerful and certainly worth exploring, exposes a whole new world of vulnerabilities that need to be addressed. Recent surveys have shown that 54 percent of organizations will be adopting AI over the next 12 months – a rapid adoption rate that leaves little room for guardrails and safety nets.
Where do company policies fit?
How will AI impact security regulation compliance?
What guardrails are in place to safely allow AI’s use?
These are important questions that everyone should be asking, especially business leaders and decision-makers across boards and C-suite teams, such as CISOs.
The reality, however, is that only 36 percent of organizations are implementing any form of policy that restricts or bans AI use at work. As we continue to see AI sweep across the enterprise and become increasingly integrated into everyday use, both at home and in the office, Shadow AI becomes a credible threat to business intellectual properties (IP) and sensitive information.
Shadow AI, the unsanctioned and unmonitored use of AI tools, presents a new avenue for insider threats. While 33 percent of companies don’t prioritize insider threats as cybersecurity concerns, I urge business leaders to recognize that these threats can stem from both malicious and accidental incidents. All it takes is one employee using an AI tool meant to increase productivity and accidentally opening a new roadmap to sensitive data stores that cybercriminals will undoubtedly exploit. While AI’s use in the enterprise is critical to development and innovation, business leaders must consider investing in and implementing guardrails.
Tools that provide in-depth and real-time visibility into AI use across internal networks will be critical in suppressing a looming spike in insider threat-related data breaches. Decision-makers across boards and executives need to implement real education and training in the use of AI that allows the use of these tools without sacrificing their security.
Use AI To Detect and Prevent Insider Threats
Patrick Beggs, CISO at ConnectWise
While the focus is often on protecting against external threats, malicious, negligent, and compromised insiders are a serious cybersecurity risk, with 67% of companies experiencing more than 21 insider-related incidents per year. To combat this, organizations require a comprehensive security program that combines cybersecurity awareness training, technical solutions, and strict security protocols. Insider threats rely on the negligence and actions of a company’s end users, such as an administrator failing to apply a security patch or an employee accidentally clicking on a phishing link. Once a user has been compromised, their accounts can be used as a ‘home base’ for attackers, from which they can share private files, escalate privileges, or infect other systems.
To enhance their ability to detect and prevent insider threats, organizations can leverage artificial intelligence for context-aware monitoring, anomaly detection, and behavioral analytics. By consuming billions of data artifacts, AI quickly learns about emerging risks, identifying malicious files and suspicious activity much faster and more accurately than a human ever could. It then applies its findings to predict activities, identifying them as they occur and assigning them a severity level for remediation.
Threat intelligence platforms gather and analyze data in real-time from multiple sources to identify and predict threats. Incorporating their findings or connecting them to AI cybersecurity tools can help the solution proactively take a defensive posture. To supplement this, task automation technology can handle routine tasks such as informing users that their credentials may have been compromised, resetting passwords, and patching vulnerabilities in systems and software. The combination of these AI-powered threat detection solutions, human expertise, and well-defined security policies can help organizations build a robust defense against insider threats.
Harness Data-Driven Insights to Navigate the Intricate Landscape of Insider Threats
Carl D’Halluin, CTO, Datadobi
Insider threats lurk within the very heart of organizations, disguised as trusted employees, partners, or collaborators. These individuals, armed with access privileges, possess the potential to wreak havoc that is often unseen until it’s too late. Their actions can shatter the security foundation of a company, leading to catastrophic data breaches, financial ruin through fraud, and irreparable damage to reputation.
First held in 2019, National Insider Threat Awareness Month (NITAM) is an annual campaign spanning the month of September that reminds us that mitigating insider threats demands a comprehensive strategy encompassing diverse countermeasures. This can entail the enforcement of stringent access controls, leveraging user behavior analytics, and the implementation of data loss prevention solutions, as well as vigilant user activity monitoring, and the fostering of anonymous whistleblower reporting mechanisms. However, to truly take insider threat mitigation to the next level, a solution that empowers organizations to assess, organize, and take action on their data is pivotal.
By proactively assessing data, it allows for the identification of anomalies and vulnerabilities before they escalate into significant risks. The continuous monitoring and analysis of data enable the rapid detection of unusual patterns or behaviors, facilitating timely intervention and mitigation. Moreover, the organized structuring of data enhances visibility, making it easier to pinpoint sensitive information and recognize unauthorized access or movement.
When potential threats are identified, the solution enables organizations to take swift and precise actions, such as restricting access, initiating investigations, and/or moving data to another location, minimizing the potential damage. Beyond immediate responses, the solution’s adaptability ensures that countermeasures remain effective in the face of evolving insider tactics. This approach not only reduces the impact of insider threats but also contributes to operational continuity and regulatory compliance. Ultimately, the ability to harness data-driven insights enhances an organization’s proactive stance, equipping it to navigate the intricate landscape of insider threats with vigilance and resilience.
The Pathway to Cyber Security Comes From Trusting No One
Gal Helemski, CTO and co-founder, PlainID
Since many enterprises are working remotely, now more than ever, confirming identities has become the cornerstone of organizational security. As most data is stored on cloud-based services, it only takes one misuse of a pre-existing or stolen credential for a company’s entire digital landscape to be left open and exposed.
The pathway to cyber security comes from trusting no one – not even regular employees on trusted devices. This might sound extreme, but unless there’s real-time monitoring and authorization, you cannot be 100% sure that this user has the right to access this data.
A Zero Trust approach is no longer a ‘nice to have’ for cyber security leaders. In fact, 50% of business leaders said that authorization is an integral part of their zero-trust program. This ensures that trusted users have authorized access to the digital assets they need, and no further. Users attempting to access the network by force or suspicious requests become much more visible, and countermeasures can be put in place.
Mitigating the Shadow IT and Shadow AI Threats
Kevin Cole, Director of Technical Marketing and Training at Zerto, a Hewlett Packard
The risks presented by insider threats are far more substantial than you may assume. According to data gathered by Verizon, the number of records reportedly compromised by external threats is around 200 million; however, in cases involving an organizational insider, this number rises to a staggering 1 billion.
What makes these vulnerabilities so common is the fact that an insider threat could originate with anyone tied to an organization — whether that be a current or former employee, contractor, or even a partner.
In some cases, such as the recent breach disclosed by Tesla, there is malicious intent: stealing information for personal use or sabotaging data or systems before leaving the organization. However, more often than not, insider threats expose their organization accidentally by falling prey to phishing attacks, failing to update credentials, or improperly disposing of sensitive documents. Whatever the intent, their position inside an organization makes them dangerous, and the continual rise of digital transformation, hybrid working, and, more recently, ‘Shadow AI’ usage has only made it more difficult to manage and mitigate these potential threats.
In addition to the essential commitment to training and the use of MFA, insider threat or not, organizations also need to come to terms with the fact that it is a case of ‘when’ they will be attacked, rather than ‘if.’ This is why investment in effective recovery technology is vital for organizations to protect themselves against the fallout of an insider threat-driven data breach or ransomware attack, which can lead to costly disruptions if operations are not restored swiftly.
Building upon traditional zero-trust frameworks for data access, organizations should look to integrate these systems into their backup solutions by leveraging decentralized zero-trust methods. By keeping data isolated and replicated continuously, businesses can recover fully, and rapidly, should an insider threat leave them exposed to attack.
Generative AI Is Creating an Imbalance Between Offensive and Defensive Security Teams
David Menichello, Director of Security Product Management at Netrix Global
Generative AI is accelerating the development of exploits and payloads on the offensive side. Likewise, it is a good tool for the blue teams who defend their networks and applications for finding ways to automate and bridge gaps in a population of IT assets that could be vulnerable and not under one management program that’s easily patched, secured, or interrogated for susceptibility to attacks.
Building talent internally or finding service providers with the time and expertise to develop and extract the value out of generative AI from a defensive standpoint will be necessary. But there will always be an imbalance because the attack side can weaponize exploits quicker than the defense side can assess, test, and patch. It’s never a fair fight between the offensive and defensive sides because while blue teams must patch every vulnerability, red teams only need to find one in some cases to unravel a network.
Passwords Pose One of the Biggest Cybersecurity Threats to Organizations
Darryl Jones, VP of Product (CIAM), Ping Identity
This Cybersecurity Awareness Month, it’s critical to remember that passwords pose one of the biggest cybersecurity threats to organizations and consumers alike. In fact, in 2022, there was a whopping 233% increase in U.S. data breaches exposing user credentials, compared to 2021. Credentials are attractive targets as they enable unauthorized access to sensitive systems, networks, and data.
While multifactor authentication is a great step in the right direction for protecting user credentials, the reality is that password-based authentication practices fail at actually securing accounts. They inhibit a smooth user experience and are easy to exploit for financial gain. With the accelerated growth of phishing, malware, and ransomware attacks, which are all exacerbated by the rise in artificial intelligence (AI), organizations underestimate the risks associated with using passwords to protect valuable enterprise assets. For example, generative AI can be used to guess passwords in an extremely human-like manner. It’s time to move away from this outdated form of authentication and move towards more innovative methods like biometrics, passkeys, and face IDs with liveness checks to avoid generative AI threats – not just this month, but all year round.
Data Security is a Foundational Component of Any AI Implementation
Joe Regensburger, Vice President of Research Engineering, Immuta
AI and large language models (LLMs) have the potential to significantly impact data security initiatives. Already organizations are leveraging it to build advanced solutions for fraud detection, sentiment analysis, next-best-offer, predictive maintenance, and more. At the same time, although AI offers many benefits, 71% of IT leaders feel generative AI will also introduce new data security risks. To fully realize the benefits of AI, it’s vital that organizations consider data security as a foundational component of any AI implementation. This means ensuring data is protected and in compliance with usage requirements. To do this, they need to consider four things:
(1) “What” data gets used to train the AI model?
(2) “How” does the AI model get trained?
(3) “What” controls exist on deployed AI?, and
(4) “How” can we assess the accuracy of outputs?
By prioritizing data security and access control, organizations can safely harness the power of AI and LLMs while safeguarding against potential risks and ensuring responsible usage.
Use AI to Defend Your Organization Against Cyberthreats
David Divitt, Senior Director, Fraud Prevention & Experience, Veriff
We’ve all been taught to be on our guard about “suspicious” characters as a means to avoid getting scammed. But what if the criminal behind the scam looks, and sounds, exactly like someone you trust? Deepfakes, or lifelike manipulations of an assumed likeness or voice, have exploded in accessibility and sophistication, with deepfakes-as-a-service now allowing even less-advanced fraud actors to near-flawlessly impersonate a target. This progression makes all kinds of fraud, from individual blackmail to defrauding entire corporations, significantly harder to detect and defend against. With the help of General Adversarial Networks (GANs), even a single image of an individual can be enough for fraudsters to produce a convincing deepfake of them.
Certain forms of user authentication can be fooled by a competent deepfake fraudster, necessitating the use of specialized AI tools to identify the subtle but telltale signs of a manipulated image or voice. AI models can also be trained to identify patterns of fraud, enabling businesses to get ahead of an attack before it hits.
AI is now at the forefront of fraud threats, and organizations that fail to use AI tech to defend themselves will likely find themselves the victim of it.
Focus on Imparting Top-to-bottom Cybersecurity Education
James Hadley, CEO and Founder of Immersive Labs
Cybersecurity Awareness Month has good intentions.
But, if organizations are focused on awareness alone, they’re losing. Awareness is not enough for organizations to achieve true cyber resilience.
Resilience means knowing that your entire organization has the knowledge, skills, and judgment to respond to emerging threats, backed by data. Businesses need proof of these cyber capabilities to ensure that when an attack inevitably happens, their organization is prepared to respond.
Outdated training models and industry certifications that organizations have traditionally relied on have failed to make them safer and instead have created a false sense of security — which is why nearly two-thirds of security leaders now agree that they are ineffective in ensuring cyber resilience.
Continuous, measurable exercising across your entire workforce — from the store room to the board room — provides businesses with the insights they need to understand the current state of their cyber resilience and where their weak points lie. It also creates a more positive cybersecurity culture that encourages reporting rather than punishing employees when a breach does happen. With top-to-bottom cybersecurity education, organizations are moving beyond awareness and can ensure that their data is secure.
Bad Actors are Using Generative AI to Target Your Organization. Are you Prepared against AI-powered Attacks?
Yariv Fishman, Chief Product Officer, Deep Instinct
This Cybersecurity Awareness Month is unlike previous years, due to the rise of generative AI within enterprises. Recent research found that 75% of security professionals witnessed an increase in attacks over the past 12 months, with 85% attributing this rise to bad actors using generative AI.
The weaponization of AI is happening rapidly, with attackers using it to create new malware variants at an unprecedented pace. Current security mechanisms rooted in machine learning (ML) are ineffective against never-before-seen, unknown malware; they will break down in the face of AI-powered threats.
The only way to protect yourself is with a more advanced form of AI. Specifically, Deep Learning. Any other ML-based, legacy security solution is too reactive and latent to adequately fight back. This is where EDR and NGAV fall short.
What’s missing is a layer of Deep Learning-powered data security, sitting in front of your existing security controls, to predict and prevent threats before they cause damage. This Cybersecurity Awareness Month, organizations should know that prevention against cyber attacks is possible – but it requires a change to the “assume breach” status quo, especially in this new era of AI.
Security Should Be Integrated Into the Organization’s Culture and Operations
Nick Carroll, Cyber Incident Response Manager, Raytheon, an RTX business
As cyber threats continue to quickly evolve, organizations are being challenged to act just as fast in counter-defense. This rush to keep up can often lead to the harmful practice of organizations skipping the foundational basics of cyber defense and failing to establish a general sense of cyber awareness within the business. Without a solid security culture at the foundation, security tools, such as expensive firewalls or endpoint detection and response (EDR), will ultimately become ineffective in the long term. It’s imperative to build cybersecurity awareness among employees and third parties that work with the business, as well as determine the ways in which security will be integrated into the organization’s culture and operations.
Once these steps are taken, organizations will be better positioned to build off of a solid organizational footing that will be most effective for cyber defense initiatives in the long run.
Get Familiar with the Clean Code Practices
Olivier Gaudin, Co-CEO & Founder, Sonar
This Cybersecurity Awareness Month (CAM), I have a message for business leaders and technical folks alike: Software is immensely pervasive and foundational to innovation and market leadership. And, if software starts with code, then secure or insecure code starts in development, which means organizations should be looking critically at how their code is developed. Only when code is clean (i.e. consistent, intentional, adaptable, responsible) can the security, reliability, and maintainability of software be ensured.
Yes, there has been increased attention to AppSec/software security and impressive developments in this arena. But still, these efforts are being done after the fact, i.e. after the code is produced. Failing to do this as part of the coding phase will not produce the radical change that our industry needs. Bad code is the biggest business liability that organizations face, whether they know it or not. And chances are they don’t know it. Under their noses, there is technical debt accumulating, leading to developers wasting time on remediation, paying some small interest for any change they make, and applications being largely insecure and unreliable, making them a liability to the business. With AI-generated code increasing the volume and speed of output without an eye toward code quality, this problem will only worsen. The world needs Clean Code.
During CAM, we urge organizations to take the time to understand and adopt a ‘Clean as You Code’ approach. In turn, this will stop the technical debt leak, but also remediate existing debt whenever changing code, drastically reducing the cybersecurity risks, which is absolutely necessary for businesses to compete and win — especially in the age of AI.
Provide Foundational Knowledge of Cybersecurity to Your Employees
Doug Kersten, CISO, Appfire
First and foremost, whether an employee has been at an organization for 20 days or 20 years, they should have a common understanding of how their company approaches cybersecurity; and be able to report common threats to security.
It’s been refreshing to see security come to the forefront of conversation for most organizations. It was rare 20 years ago that cybersecurity awareness was even a training concern unless you were at a bank or regulated institution. Today, it is incredibly important that this heightened interest and attention to security best practices continues. With advancements in technology like AI, employees across industries will face threats they’ve never encountered before – and their foundational knowledge of cybersecurity will be vital.
Employees today should be well-trained in security standards and feel comfortable communicating honestly with their security teams. Even more important, security leaders should ensure their organizations have anonymous alternatives for employees to report their concerns without fear of retaliation or consequence.
By combining education and awareness into the foundation of your organization’s security framework, and empowering employees, the odds of the realization of a threat decrease exponentially.
Develop Cybersecurity Awareness as a Perpetual Strategy to Counter AI-led Attacks
James Lapalme*, Vice President & GM for Identity, Entrust
While we can recognize Cybersecurity Awareness Month, it’s important that we prioritize cybersecurity all year round. Threat actors are constantly threatening organizations in unique and rapidly evolving ways, and business leaders need to remain nimble to ensure that their systems and teams are prepared for these evolving risks.
As we’ve seen in the news in recent weeks, spear phishing and social engineering attacks have become a common way for bad actors to create realistic scams that can slip by even the most knowledgeable employee. And, with the advancements in generative AI, adversaries can accelerate the potential impact of these attacks to gain access to sensitive data. The reputational and monetary losses these organizations and their customers experience can be felt for years to come.
Organizations have become so reliant on credentials that they have stopped verifying identity, so to get access or reset access, all you have to do is give a code or answer a secret question.
While that is convenient from a productivity perspective, it leaves the door open to cyber-attacks, which is why we’ve seen these spates of compromises.
Rather than rely on individuals who are frequently too caught up in day-to-day tasks to notice the subtle nuances of these scams, organizations need to evolve their technology response and look to phishing-resistant identities. Certificate-based authentication for both user and device verification, risk-based adaptive set-up authentication, and ID verification as part of the authentication process (or as a high assurance authentication strategy) for high-value transactions and privileged users are all ways for businesses to achieve a high assurance level of identity verification, build out their Zero Trust, explicitly identity-verified strategies, and ensure the security of users even as new threats continue to emerge.
It’s important to understand that cybersecurity awareness is never really over. Good enough is not good enough. With the ever-evolving threat landscape, it’s essential for organizations to stay ahead of the curve and continue to keep evolving their technology to protect and future-proof their businesses against the ever-changing threat landscape.
Live with It: Enterprise IoT Introduces Concerns Beyond Just Privacy
Bryson Bort, Faculty at IANS Research & CEO and Founder at SCYTHE
Cybersecurity Awareness Month serves as a reminder to confront the hidden threats lurking in our digital world. While ghosts and zombies emerge in the spooky season, bad actors are ever-present, so it’s important for enterprises to implement the below best practices in Enterprise IoT.
Enterprise IoT and lateral movement: For enterprises, IoT introduces concerns beyond just privacy. Imagine digital zombies moving laterally within enterprises, pilfering data undetected. The solution starts with a first-step policy. Stakeholders need to think about how they are controlling IoT and establishing policies as protective and detective pieces. We must architect our systems with IoT security in mind to fend off cyber-zombies. This means implementing protective and detective measures and avoiding blind spots.
Are You Ready to Go Personal?
Jessica Hebenstreit, Faculty at IANS Research & Director of Security Operations and Infrastructure at Eptura
In my role overseeing cloud environments and incident response, I’m constantly immersed in cybersecurity, making Cybersecurity Awareness Month a topic I hold dear. However, I believe the traditional corporate may not resonate effectively with employees. By combining a personal touch with practical tools like password managers, you can foster a culture of cybersecurity awareness that extends beyond the workplace, enhancing overall online safety for your workforce.
Make it personal: Employees deeply care about their homes, families, and communities outside of work. To engage them in cybersecurity awareness, relate the topic to their personal lives. Show how security practices can protect their loved ones, homes, and the organizations they’re involved with beyond work.
By making it personal, these habits will naturally transfer to the workplace, fostering a safer work environment.
Password Building Strategy: A Smart Hack
Ed Skoudis, Faculty at IANS Research, President at SANS Technology Institute, and founder of Counter Hack
I recommend a new nuance to passwords that isn’t often spoken about: adding spaces to passwords.
To increase complexity, spaces can be added anywhere, but placing them at the end can be especially effective. Attackers often overlook them, causing login attempts to fail and potentially lock them out.
Encourage Cloud Adoption for Remote Workplaces
Mike Rothman, Faculty at IANS Research & Chief Strategy Officer and GM of Techstrong Research
Avoid storing data on personal devices: A crucial but often overlooked practice is discouraging employees from storing work-related information on personal devices or using personal email accounts for work purposes. Encourage the use of cloud services provided by the organization for remote work. If these resources aren’t available, make it clear that circumventing controls by using personal devices isn’t an acceptable solution.
Larry Whiteside Jr., CISO at RegScale
Cybersecurity Awareness Month’s new evergreen theme “Secure Our World” is an excellent reminder that each and every one of us has an important role to play in protecting our world against cyber threats. Year over year, this unified and consistent message about cybersecurity awareness will re-instill the collaborative effort needed between individuals and organizations to keep our digital world safe.
Both broad and inclusive, “Secure Our World” encompasses a wide range of cybersecurity concerns and responsibilities relevant to individuals and organizations of all sizes. To build a safer, more trusted technology-driven world, there are some basic principles that everyone can follow to make themselves and those around them more safe:
- Use multifactor authentication wherever possible
- Use passphrases instead of passwords
- Never reuse a password and/or passphrase across multiple sites
- Don’t click on links in emails or texts that you are not expecting
- Financial institutions will never call you. If one does, hang up and call them back from a number you know or can verify from a website or credit card
These rudimentary but important guidelines can protect you and your family at school, home, and at work. And, though it’s not a complete list, it’s a starting point to move forward, safely.
Establish a Clear Behavioral Baseline for Users and Devices on Their Network
Tyler Farrar, CISO, Exabeam
There are two major security challenges: compromised credentials and distinguishing between normal and abnormal behavior. Valid credentials, obtained from previous data leaks or breaches, provide threat actors with potential access to sensitive data. Such breaches are often amplified by the inherent difficulty in differentiating between unauthorized and legitimate logins, leading to a widespread notification process that may encompass unaffected consumers.
Addressing these challenges necessitates comprehensive cybersecurity strategies.
Education about safe credential practices and feedback loops, complete network activity visibility, and robust technical safeguards, such as multi-factor authentication, all contribute to a resilient defense against credential-based attacks.
Most importantly, organizations should be able to establish a clear behavioral baseline for users and devices on their network.
Understanding “normal” behavior allows for the identification of deviations that may signify compromised credentials. This approach facilitates faster detection and response to breaches, protecting organizations and their people from potential harm.
Remember: you ought to know your network and your people better than the attackers.
The Basics of Cybersecurity Preparedness Remain Unchanged
Corey Nachreiner, Chief Security Officer, WatchGuard Technologies
As we mark the 20th anniversary of Cybersecurity Awareness Month, it’s a good time to reflect on what cybersecurity is like in 2023 vs. 2003. In 2023, every organization – large and small – should understand that it’s not a matter of if they are going to be a victim of a breach, but when.
While many things have changed from a technological standpoint in 20 years, the basic problems remain the same.
Attackers have always targeted the weakest links in the security chain – unprotected assets, unpatched software, improperly configured devices, weak authentication, and, of course, people.
Now, as in 2003, many attacks could be thwarted by taking some basic protective measures.
Yet, there are still no silver bullets; we will likely never be able to completely stop cyberattacks, but a layered defense and regular cybersecurity awareness training can help to minimize the impact when attackers do strike.
Protect Your Crown Jewels Using Machine Learning and Natural Language Processing
Rehan Jalil, President & CEO at Securiti
This year’s Cybersecurity Awareness Month focuses on the idea that ‘it’s easy to stay safe online,’ reminding individuals that there are different methods to protect personal data from cyber threats across digital environments.
Reinforcing your organization’s cybersecurity foundation for corporate data has never been more crucial, yet many continue to find themselves with increasing silos that can disrupt the way sensitive data is handled.
Amidst the implementation of new technology – like generative AI – the escalating frequency of cyber breaches, the increasing complexities of multi-cloud environments, and the constantly evolving data privacy regulations, an advanced data security solution is critical to protecting the “crown jewels” – sensitive and personal data.
Establishing an optimal security posture goes beyond firewalls, anti-malware, and infrastructure protection – it must also have a data-centric lens. This requires a deep understanding of the entire data environment, data flow patterns, access governance policies, and configuration vulnerabilities.
Traditional discovery and classification tools are grappling to keep up with the explosive growth of data in the cloud, resulting in inconsistent data classification outcomes across architectures and teams.
A holistic data security solution, with DSPM functionality, offers a strategic and efficient solution to address these concerns minimizing potential risks. It encompasses comprehensive discovery of data assets, including shadow and dark data assets, efficient identification and classification of sensitive data through machine learning and natural language processing, resolution of misconfigured data assets, and the provision of insights for secure data access policies.
As we are reminded of the critical need for data security, it is essential to reevaluate the security, compliance, governance, and privacy of sensitive data in tandem.
By implementing a solution capable of comprehensive discovery of data assets, organizations can establish a resilient defense against escalating data threats in our increasingly digital age.
Password-Only Authentication Is Not Just Inadequate, It’s Antiquated
Carla Roncato, Vice President, Identity at WatchGuard Technologies
As we observe the 20th anniversary of Cybersecurity Awareness Month, one thing is certain: attackers know that the easiest path to compromise an organization is through human error and social engineering. In fact, the human element is consistently ranked as one of the top factors driving breaches year after year. According to the Verizon 2023 Data Breach Investigations Report 74% of breaches involve the human element – which is why verifying access requests with multi-factor authentication (MFA) is a necessity for everyday protection. Password-only authentication is not just inadequate, it’s antiquated. The number of stolen credentials available for sale on the dark web surpassed 24 billion last year; for those keeping track, that’s three credentials per human on the planet. No one is immune. Sadly, the Dark Web Price Index shows stolen credentials can start as low as $1, with average prices only going up from there for a broad range of specific categories and options.
Compared to the cost, disruption, and overall negative business impact of a data breach or ransomware attack, MFA is not only incredibly affordable but easily worth the effort to implement. #MFAeveryday.
Security Teams Must Learn to Leverage Generative AI
Rich Lilly, Director, PS Security at Netrix Global
LLMs can help teams accelerate investigations by delivering clear, language-based guidance to help security teams respond with recommended actions or, in some cases, take steps based on detections. In the past, this process typically required additional vetting from a security analyst before taking action.
Organizations can leverage Generative AI to help shift from a response-initiated action approach with their SOCs and integrate capabilities like threat hunting, vulnerability management, and incident response plans, which were typically siloed processes conducted by different teams in the past. But by leveraging a common set of APIs, tools, or LLMs, organizations can access these data points in one fell swoop and even make references, look, and tag to service that data up into the specific instance that’s going on.
Always Stay One Step Ahead of Threat Actors
Stephen Gorham, COO, OPSWAT
Data breaches and cyberattacks loom over every organization’s digital attack surface, and staying ahead of the curve has become not just a priority, but an absolute necessity. With the evolving threat landscape, it’s crucial to adopt a proactive approach to cybersecurity that covers every facet of your IT network and operations – and Cybersecurity Awareness Month is a good reminder of that.
Threat actors are becoming increasingly sophisticated, leveraging malware as an initial foothold to infiltrate targeted infrastructure and execute their attacks. To combat these threats effectively, organizations must embrace actionable threat intelligence. This intelligence is garnered through advanced technologies and processes, including sandboxes, and advanced malware analysis. By staying one step ahead of threat actors, organizations can detect and respond to threats before they escalate into full-blown crises.
The cybersecurity landscape is evolving at an alarming pace, and organizations must adapt accordingly. Comprehensive visibility, employee awareness, proactive threat hunting, and actionable threat intelligence are indispensable pillars of a robust cybersecurity strategy and are just a few areas that organizations should keep in mind as they build their cybersecurity resilience.
Georgia Weidman, Security Architect at Zimperium
Classically, professionals entered cybersecurity as network or system admins or as programmers. The admins traditionally come from a more technical training background (but not always) and the programmers traditionally come from a more Computer Science (CompSci), Computer Engineering (CompEng), or Software Engineering (SoftEng) background (but not always).
At the beginning of their careers, it’s often the more technically trained people who get out of the gates the fastest. They know the tools, they often know the techniques, and they have usually been exposed to many of the practices, so picking up a specific environment’s tactics, techniques, and procedures is pretty easy. The more generalist CompSci/CompEng/SoftEng folks have a good understanding of theory, but not so much experience in practice, and their initial learning curve is often steeper. Thus, they get out of the gate more slowly. That said, as they move forward with their careers, the depth and breadth of knowledge they picked up in their degree programs will likely come into play for solving more complex problems.
For people who want to do nothing but the hands-on elements of cybersecurity, any of these paths work and after a few years in the trenches, the individual practitioners do not really stand out on the basis of their respective backgrounds. However, it is often the case, that, having spent time in the trenches, some practitioners will realize that their tools do not do all that they would like them to do, and they are inspired (or cursed) to attempt to build their own tools. Generally speaking, the programmers with those more general CompSci/CompEng/SoftEng degrees will have an easier time ramping up their efforts to actually write software instead of just using it. Writing performant, scalable, secure, relatively bug-free, user-friendly code is an entirely different skill set than cybersecurity, so building cybersecurity tools benefits from the theory and practice afforded by the more general degrees. Again, some folks from the admin path or the cybersecurity degree will excel at this, there’s no one true path, but in general, at a sufficient scale, these principles are useful guides.
Some number of the folks will eventually decide that they want to move into management, and, I’m sorry to say, very little in any of these college programs would have taught them anything about how to be an effective leader or manager — or that there’s a difference.
And some number who previously made the leap into tool makers will decide that they should be entrepreneurs and turn their tools into startups.
In the end, the best bet is to thoroughly explore your options and find the degree program that truly resonates with your wants and desires. In cybersecurity, your career is informed by your degree but not defined by your degree. Whichever path you take, the only real guarantee is that you will not know enough and you will be learning every day you pursue this career.
So, learn to learn.
And, then get out here and help us make everyone more secure!
What Should Cybersecurity Teams Expect in 2024?
Research shows that the cybersecurity intelligence industry has lagged behind the cybercrime industry.
People make mistakes in attributing their organization’s inability to identify and solve cybersecurity threats to poor technology. 85% of data breaches are caused by human errors. 25% of employees report they have fallen for a phishing email. There are different schools of thought that govern cybersecurity practices in the workplace. Creating a vocal and omnipresent cybersecurity training program with adequate digital resources for educating employees and customers is the need of the hour. As cyber criminals weaponize generative AI tools to target organizations and individuals, this October Cybersecurity Awareness Month planner should focus on understanding the human psychology of threats and AI’s role in preventing these events.
*Editor’s note: Entrust’s commentary was earlier attributed to Mike Baxter. It has been changed to James Lapalme based on the company’s request.