Originally Published in CISO MAG
Like every year, CISA and the National Cyber Security Alliance (NCSA) are hosting the National Cybersecurity Awareness Month 2021 in the U.S. to raise awareness on the importance of cybersecurity and alert stakeholders of the internet about multiple security threats such as phishing, cryptocurrency mining, BEC, ransomware, and much more.
This year, CISA continues using its overarching theme: “Do Your Part. #BeCyberSmart.” While it is important to campaign for Cybersecurity Awareness Month in October, every individual needs to commit to sharing knowledge to reduce cyberthreats and value cybersecurity throughout the year.
Brian Pereira and Pooja Tikekar from CISO MAG sought insight from some of the industry experts on ways to fight phishing attacks, improve the cybersecurity posture, and be cyber aware. Here’s what they have to say:
- Implement accurate data backup.
Sandeep Bhambure, Vice President & Managing Director- Veeam India & SAARC: “The resurgence of ransomware attacks in India has posed a great threat on various organizations, compelling them to re-evaluate and renew their data protection strategies. We believe the first step towards building resilient infrastructure is educating stakeholders and implementing accurate data backup and protection solutions/techniques. Further, devising an effective contingency strategy to mitigate the impact of the threats is equally important.”
- The attitude of being tied to certain qualifications must change.
Romain Lecoeuvre, CTO- YesWeHack: “When it comes to specialized security education – it’s clear there remain limitations in terms of the quality and volume of what is accessible. A huge number of those that have taught themselves are still denied access to positions in the field of cybersecurity due to their lack of diploma or because they do not have the right credentials. The reality is, when it comes to ethical hackers at least, many of them are in fact self-taught. This attitude of being tied to certain qualifications must change if a wider pool of available talent is to be tapped into. By adopting new methods of identifying competencies, both within an organization and externally, the door is open to make the most of existing, but often underutilized skills. In doing so, the industry, as a whole, is better equipped to address the cyber challenge of tomorrow.”
- You won’t find yourself getting stagnant in cyber!
Simon Eyre, Chief Information Security Officer and Managing Director- Drawbridge: “If someone is thinking about a career in cyber, it’s a field with some really terrific sources of information available across the Internet. Cybersecurity has built up quite a respected community across Twitter in particular and you can regularly get involved in a thread regarding the latest events in the world of security and learn from others how they got into their careers. I strongly believe that cyber tends to be something you need to enjoy. It’s an engaging role; you’re constantly evolving and learning no matter what aspect of it you decide to study and work in. You won’t find yourself getting stagnant in cyber! Coming from a technical past is an obvious way into cyber but there are roles for those in finance, legal, compliance, logistics, auditing, and other security fields. It’s far more diverse than many realize.”
- It is essential employees feel comfortable reaching out to the information security teams.
Safi Raza, Director of Cyber Security – Fusion Risk Management: “Organizations are spending more than ever on cybersecurity. The increase in adoption of Next-generation firewalls or utilizing Firewall as a Service (FWaaS) has helped fortify the digital parameters and has forced hackers to alter their attack methods. The bad actors are finding it much easier to infiltrate networks through phishing attacks. The FBI reported a 110% increase in phishing attacks in 2020 compared to a year before. The Verizon Data Breach Investigation Report (DBIR) associated 43% of breaches in 2020 involved phishing. Phishing remains the most significant threat in 2021. The truth is that most sophisticated anti-phishing tools are not 100% effective. A considerable number of phishing emails always manage to pass through the checkpoints. More needs to be done to fight this type of attack. The annual security awareness training and periodic phishing campaigns are no longer enough. Creating a security-focused culture, frequent interactive cybersecurity exercises and games, security ambassador programs, lunch and learn events, etc., helps spread awareness. Additionally, it is essential that employees feel comfortable reaching out to the information security teams for any anomaly they have noticed without feeling embarrassed if the alert turns out to be False-Positive.”
- Phishing messages can be tricky to avoid.
Shena Tharnish, VP of Cybersecurity Products- Comcast Business: “Phishing emails can come in many forms, whether it be impersonating someone you know, an urgent request from your bank, or a fake audit notification from the IRS during tax season. Many phishing emails look like they are coming from a legitimate sender, but if you view the actual sender email address rather than the alias, you’ll see that is far from legitimate. These phishing messages can be tricky to avoid, but if it feels a bit “off,” or doesn’t seem quite right, then follow your instincts and find a safe way to verify the email. If you don’t know the sender, don’t click on the link. Be especially wary if you’re asked to provide any personal information, like your social security number or password, in an email. Most companies will not send you an email asking for such sensitive information. Check for slight variations in spelling or format in the domain name that you may miss at first glance. If you are unsure or don’t know the sender, verify by reaching out through an alternate method (not by hitting reply).”
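The two checks in the quote above (compare the real sender address with the display alias, and look for near-miss spellings of a known domain) as a small mail-filter rule, added here as an illustration and not code from CISO MAG or Comcast; the `TRUSTED_BRANDS` allow-list and the sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Hypothetical allow-list: the genuine sending domain for each brand that is
# commonly impersonated, keyed by the name a user expects to see in the alias.
TRUSTED_BRANDS = {
    "example bank": "examplebank.com",
    "irs": "irs.gov",
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_parts(raw_from: str):
    """Split a From: value into the display name (alias) and the real address."""
    name, addr = parseaddr(raw_from)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip(), addr.lower(), domain

def check_sender(raw_from: str) -> list:
    """Return the reasons a sender looks suspicious (empty list = no finding)."""
    name, addr, domain = sender_parts(raw_from)
    if not domain:
        return ["no parsable sender address"]
    findings = []
    for brand, real_domain in TRUSTED_BRANDS.items():
        if domain == real_domain:
            continue  # mail really comes from the brand's own domain
        # The alias claims the brand, but the address points somewhere else.
        if re.search(rf"\b{re.escape(brand)}\b", name.lower()):
            findings.append(f"display name '{name}' claims {brand} but address is {addr}")
        # The domain differs from the genuine one by only a character or two.
        if levenshtein(domain, real_domain) <= 2:
            findings.append(f"domain {domain} is a near-match for {real_domain}")
    return findings

if __name__ == "__main__":
    # Constructed sample headers, not taken from any real message.
    for sample in ('"Example Bank Support" <alerts@examp1ebank.com>',
                   '"Example Bank" <alerts@examplebank.com>',
                   'IRS <refund@irs-gov-portal.net>'):
        print(sample, "->", check_sender(sample) or "ok")
```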
- The Internet is a physical thing. It’s not magic.
Noel Calhoun, CTO – Interos (former CTO of the CIA): “Companies need to expand their definition of cybersecurity to include all the nested dependencies in their digital supply chain. We often focus on endpoint protection: phishing, ransomware, DDOS. But there are other more systematic ways for a knowledgeable attacker to make your day miserable. The Internet is a physical thing. It’s not magic. Your data is being routed over physical fiber optic cables and through machines sitting in real data centers and peering exchanges. Those physical parts of your supply chain get way less attention than they should. Just ask any customer of AT&T, when a domestic terrorist took out a telco hub in Tennessee in 2000 or Facebook when some BGP configuration errors shut down 3 of the largest social media platforms for the entire world. Having a truly resilient digital infrastructure involves actively investigating and understanding the supply chain for services you may take for granted.”
- Opt for an ongoing training mechanism that is engaging and interactive.
Argha Bose, Head Cybersecurity and Risk Business – TATA Advanced Systems Limited: “Cyberattacks and their level of sophistication are steadily on the rise. Stakeholders are constantly evaluating technologies to implement and maintain cybersecurity defenses that further need to be optimized due to the COVID situation. As per Global Workforce Analytics, approximately 30% of the workforce is expected to work remotely by the end of 2021, which, in turn, has accelerated the use of potentially vulnerable services like VPNs and unpatched Windows machines. Furthermore, the lack of privacy at home is amplifying the threat layer. These technologies might provide the much-needed defense, but since human errors contribute to almost 95% of all data breaches, Security Awareness Training becomes a critical element that can’t be ignored. Along with creating state-of-the-art security software using automation, machine learning, and advanced threat intelligence, an organization needs to opt for an ongoing training mechanism that is engaging, interactive and covers multiple topics like phishing, ransomware, BEC, and physical security. This can be the best way to equip employees with the knowledge to spot and effectively respond to cyberthreats.”
- Automate and centralize security processes.
Josh Rickard, Security Solutions Architect – Swimlane: “Cybersecurity Awareness Month serves as a timely reminder for companies to reevaluate their cybersecurity posture after a tumultuous year of cyberattacks across industries. The dramatic spike in ransomware and supply chain attacks illustrates that every company, regardless of vertical, is a software company and security will only continue to rise in importance when it comes to ensuring the continued operations of the business. To protect valuable information and prevent breaches, enterprises must invest in multi-faceted platforms that centralize and automate detection, response, and investigation protocols. Security teams need full visibility into IT environments and the ability to respond in real-time to limit the consequences should a cyberattack occur. By automating and centralizing security processes, organizations can reduce the chance of human error while achieving infinitely smoother execution of security-related tasks and ultimately ensuring that highly-sensitive personal information is kept safe and secure.”
- Implement zero-trust for APIs.
Nathanael Coffing, CSO – Cloudentity: “Modern organizations are sharing data over APIs to digitally transform and rapidly bring new services to market. APIs are connecting with internal and external services, transferring sensitive data with users and partners across the hybrid cloud. Consequently, organizations are facing increased cyber risks and a growing attack surface. Legacy identity and access management (IAM) tools cannot protect and secure identities working in modern applications, much less multi-cloud infrastructures. Gartner predicts that APIs will be the most frequent attack vector by 2022. Implementing zero-trust for APIs to protect against known and emerging threats like broken object-level authorization or broken authentication means building a strong application identity along with a strong user identity, as well as protecting sensitive data with fine-grained authorization. Properly assessing and mitigating risks at the API level can also allow organizations to enhance the user experience with transactional Authentication/ Authorization and fine-grained consent management. Cybersecurity Awareness Month shines a light on the changing state of cybersecurity. Prioritizing cybersecurity and adopting these modern capabilities is no longer optional as digital transformation accelerates.”
- Move away from obsolete authentication methods.
Robert Prigge, CEO – Jumio: “The amount of large-scale cybersecurity breaches we’ve witnessed in the last year highlights just how creative cybercriminals will get to steal sensitive data and sell it on the dark web. The number of reported identity theft cases more than doubled from 2019 to 2020, while the number of reported data breaches escalated 38% from the first to the second half of 2021. With traditional online verification tools such as knowledge-based authentication and passwords, organizations will continue to place consumers’ personal information at risk of being compromised. Cybersecurity Awareness Month encourages security leaders and executive decision-makers to modernize their security practices in order to adapt to the increased sophistication of fraudsters. In today’s cybersecurity climate, organizations must move away from outdated, obsolete authentication methods and implement more advanced identity verification solutions, like face-based biometric authentication, that confirm online users are truly who they claim to be. This month is also important for educating consumers on how to safeguard their digital identity and manage personal data consent rights online. These best practices are crucial to keep data away from the hands of malicious actors.”
- Implement a unified cloud security platform.
Anurag Kahol, CTO & Co-Founder – Bitglass: “From cloud misconfigurations exposing massive amounts of sensitive data online to ransomware attacks severely impacting critical infrastructure, this past year has underlined the inherent lack of proactive security across organizations of all sizes. As we move toward a new era of hybrid operations post-pandemic, the sophistication and frequency of cyberattacks will only continue to increase at an exponentially higher rate. Organizations must be prepared to face the evolving threat landscape to protect their employees, corporate infrastructure, and sensitive data. International Cybersecurity Awareness Month serves as a reminder for enterprises to make security a strategic imperative. A vigilant security posture starts with implementing a unified cloud security platform, like secure access service edge (SASE) and security service edge (SSE), that replaces various disjointed point products and extends consistent security to all sanctioned cloud resources while following a Zero Trust framework to prevent unauthorized network access. Additionally, enforcing comprehensive cybersecurity training for all employees, hiring security experts, and continuously monitoring and enhancing cybersecurity postures will ensure organizations are properly equipped to defend their modern operations.”
- Companies are still not prioritizing cybersecurity.
Matt Sanders, Director of Security – LogRhythm: “Cybersecurity Awareness Month serves as a great reminder for enterprises to recognize the importance of securing their organizations against today’s top security threats. This year has been a hotbed for cybersecurity hacks and breaches, with increased attacks on our government and critical infrastructure entities like we have seen with the Colonial Pipeline, Solarwinds, JBS, the attacks on California and Florida water systems, and many others. Though attacks continue to rise in numbers and impact, companies are still not prioritizing cybersecurity. A report earlier this year found that just 7% of security leaders report directly to the CEO, revealing an inability for security leaders to influence real change within an organization. In order for organizations to achieve the necessary organizational visibility and influence to effectively build a security program and mitigate increasing threats, security leaders such as CISOs and CIOs must report directly to the CEO. This structure allows the CISO to directly communicate potential risks to the organization, mitigate potential risks and influence each function in the organization to create greater security awareness.”