Since 2004, the National Cyber Security Division within the Department of Homeland Security and the nonprofit National Cyber Security Alliance have used October as an opportunity to raise awareness about cybersecurity and its critical importance for organizations of all sizes, across all industries.
There’s just one problem: there are only 31 days in October, and that’s not nearly enough for any real, long-lasting change to happen. Does it mean the Cybersecurity Awareness Month initiative is pointless? Not at all! The lessons learned this month are like seeds. When planted and watered, they can grow into something significant.
Reflecting on a Difficult Year
With the year 2021 approaching its end, now is a good time to look back and reflect on how the cybersecurity landscape has changed since the last Cybersecurity Awareness Month.
By analyzing the path walked so far, we can anticipate what will be around the next corner and prepare for it ahead of time. If we don’t, we make it far too easy for cybercriminals to stay one step ahead, and that’s a very dangerous place to let them be.
New Hybrid Work Reality
Even though it will soon be two years since the original outbreak of the COVID-19 pandemic, a full return to the office hasn’t happened yet, and perhaps it never will. Research findings published in the July 2021 Netskope Cloud and Threat Report indicate that 70 percent of users continue to work remotely in some capacity as of the end of June 2021, which is a massive increase from the 30 percent working remotely before the pandemic.
The global shift to hybrid work has become a source of many difficult cybersecurity challenges. How can remote employees securely access the information they need to do their jobs? How can endpoints located outside the corporate network be protected? How should the threats associated with the cloud be addressed?
Growing Threat of Data Breaches
The questions above are just a small sample of what most decision-makers have been preoccupied with this year when it comes to cybersecurity. The importance of answering such questions is evident when we consider recent data breach statistics.
According to a data breach analysis conducted by the Identity Theft Resource Center (ITRC), publicly reported data breaches rose 38 percent in the second quarter of 2021 compared to the first quarter. Cognyte’s Cyber Threat Intelligence Research Group’s 2020 Annual Cyber Intelligence Report revealed that the number of ransomware attacks nearly doubled in the first half of 2021, and that the average cost of remediating a ransomware attack increased as well.
Everyone’s a Target
But it’s not just that attacks are becoming more frequent—they’re also becoming more sophisticated and targeted. “We’ve seen attackers move from larger scale, generic, automated attacks to more targeted attacks that include human hands-on-keyboard hacking,” said Chester Wisniewski, Principal Research Scientist at Sophos. “Our experience shows that the potential for damage from these more advanced and complex targeted attacks is much higher.”
In the past, targeted attacks affected almost exclusively large enterprises, but that’s no longer true today. Cybercriminals understand that SMBs collect lots of valuable data while often lacking the resources, expertise, and motivation to secure it properly. They also know that SMBs can serve as entry points for attacks on larger companies, as exemplified by the Target breach: attackers first obtained network credentials belonging to a small HVAC contractor that worked for Target and went on to steal data from up to 40 million credit and debit cards used in Target stores during the 2013 holiday season.
Our Infrastructure Is at Risk
As we reflect on what has clearly been a difficult year, we mustn’t forget that cyber attacks on critical infrastructure are increasing at a worrying pace, and that so far they have not resulted in a large loss of human life owes more to luck than to preparedness.
The Colonial Pipeline attack will be remembered for a long time because it caused a prolonged shutdown of the largest fuel pipeline in the United States, forcing the Federal Motor Carrier Safety Administration to issue a regional emergency declaration for 17 states and Washington, D.C. Unless critical infrastructure operators, and every organization they work with, take the steps necessary to prevent similar attacks, the next one may not end with fuel shortages alone.
Awareness Is Only the First Step
For next year to be better than this one, organizations must dedicate more than just one month to increasing their cybersecurity awareness. They must incorporate cybersecurity as part of their organizational strategy to protect themselves, their customers, and their partners.
That’s not an easy task, but it’s not impossible to complete either. The trick is to approach it methodically and proceed one step at a time, instead of rushing an implementation of a hastily selected cybersecurity solution that may or may not deliver the desired result.
1. Uncover Areas of Weakness
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle,” said the ancient Chinese general Sun Tzu.
This nugget of wisdom is something every organization that wants to make cybersecurity part of its organizational strategy should remember. The enemy, in this case, isn’t just some shadowy hoodie-wearing figure behind a computer. It can also be the employees themselves: whether knowingly or not, their actions can lead to all kinds of cybersecurity incidents.
To uncover all areas of weakness, start by identifying every hardware, software, and network component in use, including the ones nobody remembers owning. Map out how each one is used, who is responsible for it, and which legitimate users and applications rely on it or run on it. Then think like an attacker and consider which of those points of access could be exploited most easily, for example an internet-facing service running outdated software or an administrator account protected only by a password.
2. Implement Appropriate Controls
To implement appropriate controls that improve an organization’s security posture without negatively affecting its productivity or draining its budget, it’s necessary to have an implementation plan based on the information gathered when assessing the organization’s current security.
All organizations are unique, and there’s no such thing as a one-size-fits-all plan for addressing uncovered vulnerabilities. They should, however, always start with essential cybersecurity practices, such as keeping software up to date, using strong passwords and authentication schemes, encrypting data at rest and in transit, regularly backing up all data, and planning for mobile devices.
From there, they can consider the implementation of more specific controls, such as automated vulnerability scanning or advanced endpoint protection. Generally, the smaller an organization is, the more it should focus on getting the basics right before spending money on cybersecurity products that are effective only when administered by someone with the right skills and knowledge.
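To make steps 1 and 2 concrete, here is an added example that is not part of the original article: a small Python script that takes the kind of asset inventory step 1 produces and checks it against the essential practices listed in step 2 (patched software, strong authentication, encryption in transit, recent backups). The inventory records, the schema they follow, and the minimum versions in the baseline are all constructed for illustration and are not real patch levels or real hosts.

```python
"""Check a constructed asset inventory against a basic security baseline.

Added example. The inventory schema, hostnames, and minimum versions
below are assumptions made for illustration, not data from any real
environment or from the article.
"""
from dataclasses import dataclass

# Constructed inventory: what step 1 (identify components, owners, users)
# might yield for a very small organization.
INVENTORY = [
    {
        "host": "web-01", "owner": "it", "internet_facing": True,
        "software": {"nginx": "1.20.1", "openssl": "1.1.1k"},
        "services": [{"port": 443, "tls": True}, {"port": 8080, "tls": False}],
        "admin_mfa": True, "last_backup_days": 1,
    },
    {
        "host": "fileserver", "owner": "it", "internet_facing": False,
        "software": {"samba": "4.13.0"},
        "services": [{"port": 445, "tls": False}],
        "admin_mfa": False, "last_backup_days": 12,
    },
    {   # a device nobody claims: a classic inventory gap
        "host": "printer-lobby", "owner": None, "internet_facing": False,
        "software": {}, "services": [{"port": 9100, "tls": False}],
        "admin_mfa": False, "last_backup_days": None,
    },
]

# Placeholder baseline (assumed values, not real advisories).
BASELINE = {
    "min_versions": {"nginx": "1.20.0", "openssl": "1.1.1l", "samba": "4.13.0"},
    "max_backup_age_days": 7,
}


@dataclass
class Finding:
    host: str
    control: str   # which essential practice the asset fails
    detail: str


def parse_version(version: str) -> tuple:
    """Split '1.1.1k' into (1, '', 1, '', 1, 'k') so that numeric parts
    compare numerically and a trailing letter suffix compares lexically."""
    parts = []
    for piece in version.split("."):
        digits = piece.rstrip("abcdefghijklmnopqrstuvwxyz")
        parts.append(int(digits) if digits else 0)
        parts.append(piece[len(digits):])
    return tuple(parts)


def assess(inventory: list, baseline: dict) -> list:
    """Return one Finding per baseline control an asset fails."""
    findings = []
    for asset in inventory:
        host = asset["host"]
        if not asset.get("owner"):
            findings.append(Finding(host, "inventory",
                                    "no owner recorded; usage and users unknown"))
        for name, version in asset["software"].items():
            minimum = baseline["min_versions"].get(name)
            if minimum and parse_version(version) < parse_version(minimum):
                findings.append(Finding(host, "patching",
                                        f"{name} {version} is below {minimum}"))
        if asset["internet_facing"]:
            for svc in asset["services"]:
                if not svc["tls"]:
                    findings.append(Finding(host, "encryption-in-transit",
                                            f"cleartext service on port {svc['port']}"))
        if not asset["admin_mfa"]:
            findings.append(Finding(host, "authentication",
                                    "administrative access without MFA"))
        age = asset["last_backup_days"]
        if age is None or age > baseline["max_backup_age_days"]:
            findings.append(Finding(host, "backup",
                                    "no backup" if age is None else f"last backup {age} days ago"))
    # Internet-facing assets first: they are the easiest points of access.
    exposed = {a["host"] for a in inventory if a["internet_facing"]}
    findings.sort(key=lambda f: (f.host not in exposed, f.host, f.control))
    return findings


def count_by_control(findings: list) -> dict:
    """Summarize findings per control, useful for prioritizing step 2."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    for f in assess(INVENTORY, BASELINE):
        print(f"{f.host:14} {f.control:22} {f.detail}")
    print(count_by_control(assess(INVENTORY, BASELINE)))
```

The rules are deliberately simple; the point is that once the inventory from step 1 is written down in a structured form, the controls from step 2 can be expressed as checks and re-run every time something changes, instead of being verified once during Cybersecurity Awareness Month.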
3. Build a Cybersecurity Culture
Cybersecurity is a multi-layered problem, but the human layer of information security is often overlooked. To highlight its importance, the entire fourth week of this year’s Cybersecurity Awareness Month is dedicated to it.
Organizations are advised to “make cybersecurity training a part of employee onboarding and equip staff with the tools they need to keep the organization safe.” The purpose of cybersecurity training is to help employees recognize the threats they face, developing a more resilient workforce that doesn’t easily fall for obvious phishing scams and doesn’t neglect basic practices.
When employees know the security risks they face and how to avoid them, they become a strong link in the cybersecurity chain, united by shared knowledge, beliefs, perceptions, attitudes, assumptions, norms, and values regarding cybersecurity. What emerges then is a cybersecurity culture spanning the entire organization.
Cybersecurity Awareness Month is a welcome reminder that cyber threats are evolving at a rapid pace, requiring organizations to keep improving their defenses. Most of the trends that emerged with the outbreak of the pandemic, including the proliferation of hybrid work and targeted attacks on organizations of all sizes, have continued well into 2021 and will almost certainly stretch into 2022 and beyond. Organizations operating in this dangerous landscape must make security a top priority and dedicate the entire year to it, not just one month. By understanding the importance of cybersecurity awareness, organizations can start uncovering areas of weakness, continue with the implementation of appropriate controls, and ultimately end up with a healthy cybersecurity culture.