Cybersecurity Awareness Month isn't just a marketing shtick. It's one of the best opportunities to share insights and best practices with the industry, and with organizations that may not be up to speed on the latest in cyber. We heard from cybersecurity experts from across the industry on a range of topics that organizations should keep top of mind as they sprint towards the end of 2022.

Melissa Rhodes, Executive Director Human Resources at Raytheon Intelligence & Space
“It’s time for the security industry to expand in more ways than one. Specifically, it will benefit from deliberate leaders who have the self-awareness to question hiring choices. Giving one job candidate an edge over the others because of ‘cultural fit’ or ‘gut feel’ can all be signs of unconscious bias creeping into those decisions. If the cyber industry doesn’t recognize this, it will limit the creativity that goes into brainstorming, problem solving, and new ideas that are essential for fighting cybercrime. In fact, the business case for diversity is well-documented: a study conducted by the Boston Consulting Group indicates that diversity increases innovation, expanding ideas and ultimately impacting a company’s bottom line. In response, the security industry as a whole must be committed to giving opportunities to grow and learn to all those who have unique backgrounds that could also lend themselves to a successful cyber career. Because cyber attacks don’t discriminate, it will require diverse thinking to counter them and protect our way of life. Of course, the demand for cyber talent is more relevant now than ever as the number of attacks increases and the skills gap grows wider. Interestingly enough, we find ourselves amidst a time called the ‘Great Resignation,’ a time when people across all workforces are reinventing themselves and outgrowing their current roles and professions. This market environment, combined with the need for new talent in the security industry, should push cyber employers to think outside the box and source hires from new places. With this comes a tremendous opportunity not only for the industry to benefit from greater diversity, but for people with all different experiences to find purpose within the cyber workforce.”

Rick McElroy, Principal Cybersecurity Strategist, VMware
“Between Log4j, cyberattacks on Ukraine, and ransomware hitting hospitals and major school districts, it’s more evident than ever before that cybersecurity is no longer just a focus for defenders, but for society at large. As cybercriminals evolve their tactics, we all must recognize the role we play in cyber and view it as everyone’s responsibility. For security professionals and their organizations, this means evolving defense strategies and updating training curricula to address emerging threats. For example, training on how to spot and avoid audio and video deepfakes is not part of most security awareness training programs, despite two-thirds of defenders witnessing a deepfake attack over the past year. Defense strategies should also factor in lateral movement, when an attacker gains control of one asset and moves on to others within the same network. Employees should remain extremely vigilant on business communications platforms, like instant messaging services, text or email, which can be used as a means for hackers to rummage inside networks and compromise an entire organization. Defense must continuously evolve in order to stay one step ahead of today’s sophisticated attackers.”

Michelle Killian, Senior Director, Information Security, Code42
“The cybersecurity industry, from a talent diversification standpoint, is doing better than it was even five years ago, but there’s still a long way to go. For years we’ve been saying that the industry needs to ‘rethink job hiring,’ yet many continue to list out the countless certifications they expect candidates to have when applying for an open role. If we really want to make a change, we need to actually rethink hiring practices. There are 3.5 million unfilled job openings in cybersecurity; we can’t continue to ask for a master’s degree and a decade of experience for each and every opening. Curiosity and a willingness to learn are key traits we want in candidates, and these skills are harder to train on, so let's build job roles off of those skills instead. We also need to look for people with diverse backgrounds and diverse leadership styles so we can tap their varied experiences and elevate problem-solving in our industry. In the year ahead, I hope that we can bring more awareness to truly hiring based on some of these intangibles, rather than purely on security skill set, while also placing more of a focus on retaining existing talent. The cost of replacing security talent is incredibly high, both from an investment standpoint and a knowledge basis. It can take months, maybe even a year, for security folks to fully get up to speed on how a security team operates and its many tools. However, with the current job market, it’s increasingly difficult to retain security talent and reduce turnover. While there’s no silver bullet to combat this, organizations should promote opportunities for growth and development to attract and retain the very curious individuals that make security teams strong and diverse.”

Gustavo Palazolo, Staff Threat Research Engineer, Netskope
“Attackers are always looking for loopholes to infect networks and steal a valuable asset: your data. Ransomware-as-a-Service (RaaS) groups often exploit basic flaws in security policies and network architecture to infect as many devices as possible, stealing and encrypting data to extort organizations and individuals. Basic steps can be taken to prevent attacks, such as using Microsoft LAPS to generate unique passwords for local administrator accounts and implementing a security policy to enforce multi-factor authentication and strong passwords for domain accounts. Also, avoiding default passwords for new accounts and implementing a Zero-Trust model can minimize the possibilities for lateral movement within the network.”

Clive Fuentebella, Threat Research Engineer, Netskope
“Being our first line of defense, passwords should not be taken for granted. We must always take proper password hygiene into consideration in our daily lives. Use strong passwords. Ensure that you are not using the same one for different accounts or different applications. If you are worried about the burden of remembering multiple credentials at once, installing a password manager is always a big help. These steps, albeit simple, already contribute greatly to securing your online information.”

Bec McKeown, Director of Human Science, Immersive Labs
“The theme of this year’s Cybersecurity Awareness Month, ‘See Yourself in Cyber,’ is particularly meaningful as it emphasizes the power that all people have in their organization’s cybersecurity efforts. An organization can have all the latest technology and tools in place, but without a cyber resilient workforce, its security posture can be entirely unsuccessful or faulty. That’s because, at its foundation, successful cybersecurity is about people. Business leaders should ask themselves: are we ready for the next cyber attack, and how do we know? They should assess the current capabilities of their organization and work to strengthen them. From a psychological perspective, leaders should tap into the four pillars from the Robertson Cooper Model (purposefulness, social support, growing self-efficacy, and adaptability) to inspire change and commitment to strengthening cybersecurity skills throughout their organizations. Leaders also need to be able to prove the cyber readiness of the individuals and teams throughout the organization. The difference that individuals and teams can make in strengthening or weakening cybersecurity efforts, regardless of job title or role, is remarkable. It’s time for leaders to lean into their employees’ capabilities with a new level of rigor. By tapping into a people-centric approach leveraging real-life cybersecurity simulations that span from executives down to the most technical teams, organizations will be better able to unlock new levels of cyber resilience and preparedness.”

Kathy Ahuja, Vice President of Information Security, Qumulo
“Often, business leaders believe that a heavy security posture is the only way to communicate to your customer that you are protecting their organization from a data breach. But that’s not necessarily true. It’s not a matter of if, but when they’re going to be breached. Of course, having strong security practices like increased visibility into workloads and being able to detect threats is essential, but what good are these functions if you’re not able to ask your customer: Do you trust us to protect your workloads? Trust and transparency are the most critical underpinnings of the data protection relationship with your customer. Do you trust us to make the right decisions when things inevitably go wrong? Industry-standard security certifications are critical, but trust is earned through the conversations you have and the relationships you've built with your customers.”

David Friend, co-founder and CEO of Wasabi Technologies
“Time and money are the two biggest resources spent on preventing ransomware and other malicious cyber attacks for companies in every industry, yet we still continue to see schools, hospitals, businesses and more shutting down, losing money, and struggling to recover after paying millions to hackers. The smartest companies operate under the assumption that an attack will happen at some point, but cybersecurity doesn’t have to be scary. In fact, avoiding ransomware attacks and protecting data can be done easily if businesses take a couple of easy measures. First, it’s important to have multiple copies of data as backups so that not all of their eggs are placed in one basket, so to speak. Adopting a 3-2-1 backup approach will ensure three copies of data are made, with two stored onsite and one off-premise, or in the cloud. This prevents hackers from accessing data stored in each location, allowing businesses to continue operating during an attack and preventing downtime. Another important step is for companies to protect their data by leveraging object-level immutability, which ensures certain files cannot be modified or deleted by anyone. This helps keep files safe against disruption, and helps prevent ransomware attacks from the start, where bad actors attempt to encrypt the data.”

Daniel Elkabes, Vulnerability Research Team Leader, Mend
“Developers are under a lot of pressure to get software, applications, and products out quickly. Expedited work timelines, increased demands, and simple human error can result in developers unintentionally using open source code that contains malicious packages, opening the doors for threat actors to sneak in. Cybersecurity Awareness Month is an important time for organizations to re-examine the security training they offer to employees, particularly those whose team members are not part of the security team. For developers, organizations should prioritize hands-on, visual training so developers can see how quickly and easily something can go wrong from a simple coding mistake. This will help reiterate the importance of regularly managing open source components and all their dependencies, and how this helps avoid putting the organization at risk. In addition, developers should proceed carefully and dedicate more time to ensuring they’re implementing the correct packages that are free of any malware or vulnerabilities. To do so, developers should review the package to ensure that it is safe.”

Alfredo Hickman, head of information security, Obsidian Security
“This year’s Cybersecurity Awareness Month theme reminds us that it can be simple to browse the internet securely as long as we’re good at the basics. At a minimum, that means using password managers, multi-factor authentication, browser security plugins (ad blockers, HTTPS Everywhere, etc.), and keeping all of your software (browser, plugins, OS, apps) up to date to bolster your personal online security. Conduct regular security and privacy settings reviews for sensitive accounts such as financial, productivity, and social media, while removing any unnecessary third-party app access to those accounts. And of course, don’t share sensitive personal details such as travel plans, major purchases, or sensitive activities on social media. Less is more. Going further, it’s also important to be aware of the growing cyber threats that threaten individuals and organizations alike. When dealing with suspected social engineering attacks such as phishing, for example, take a step back, assess the message, and don’t respond. When it comes to suspicious account requests such as PayPal, e-commerce, or other scams, investigate the requests by going to the vendor’s official website directly. In either case, never click on suspicious links or attachments; they are often malicious. These steps may sound simple, but consistent vigilance goes a long way towards staying safe online.”

Mark Nunnikhoven, Distinguished Cloud Strategist at Lacework
“Security is a top priority for any organization. For organizations moving to, or born in, the cloud, there is an opportunity to change how they view security. These organizations can modernize their approach to align their security practice with their business needs. A common pitfall when organizations take this approach (and they should be taking this approach!) is that they oversimplify how their organization uses the cloud. The reality is, things are still messy, and accounting for cloud projects across an organization at varying phases of maturity is still really difficult. The core of the problem is that organizations aren’t on just one journey. Every team that’s building a solution is on its own journey, at its own pace, and that means a whole host of different threats to prioritize and manage, from data breaches to insecure interfaces and account hijacking. To be effective, security teams need to be able to address each of these threats in a manner that works for every team in the organization, regardless of their maturity level. That’s a tall order, but it’s one that can be filled. The first step is understanding these maturity levels and beginning to work through a Cloud Adoption Framework. The output of this effort is a business-wide mapping that determines key stakeholders and teams across the company and identifies how the security practice can support their work, while also keeping the organization safe.”

Heather Crosley, People Operations Leader at NetSPI
“With over 700K positions that currently need to be filled, the cybersecurity industry is facing a massive shortage of talent as companies struggle to keep up with an ever-increasing number of threats. Technology cannot solve our greatest cybersecurity challenges, at least, not alone. People are our greatest asset in providing security for individuals, organizations, and the nation. Cybersecurity Awareness Month is a great time to reflect on our cybersecurity hiring and education practices, particularly the areas of improvement. These practices are instrumental in addressing the lack of skilled talent in the industry and easing barriers to entry. Organizations that invest heavily in entry-level training programs that offer mentorship, growth opportunities, and hands-on experience in the field will see greater retention rates. Investing in the next generation of cybersecurity professionals provides an advantage over today's sophisticated threats.”

Matt Moynahan, President & CEO, OneSpan
“We’ve already begun to see how a lack of security and identity protection is manifesting in the development of Web 3.0. The issue of fake users and bots, already endemic throughout today’s internet, is likely to plague future digital interactions. Following the Covid-19 pandemic, many companies saw first-hand the necessity for security parameters around virtual meetings. This cautious and security-first approach must also be applied to future digital interactions within Web 3.0. Often, security has been focused on securing end-to-end processes. However, the growing threat of deepfakes shows there’s been a lack of securing and authenticating the actual interactions between people or companies. Organizations must take a step back and recognize how they are exposed as they transition to Web 3.0. The answer rests on authenticating and identifying all involved parties, and unfortunately, companies like DocuSign continue to fall short in their efficiency benefits with no emphasis on the authentication and validation needed with all types of digital transactions and collaborations. Good cyber awareness means acknowledging these risks and applying them to our digital lives. As we see new attack vectors emerge, they will require a fundamental realignment of today’s security paradigms to identify, verify and secure Web 3.0.”
Iryna Bondar, Fraud Operations Team Lead, Veriff
“Cybersecurity threats are often seen as vicious malware and viruses, sneaking through holes in companies’ systems or brute-forcing their way through carefully crafted defenses, which often prompts businesses to prioritize defending against direct attacks from threat actors. But what happens when systems are fooled into thinking that those threat actors are someone else, like an employee at that company? Whether the attacker is impersonating a C-suite executive or a customer, improper identity verification protocols can leave gaping, and often overlooked, holes in companies’ security strategies, allowing unauthorized users to masquerade as someone they’re not and access unauthorized information. From onboarding new employees and customers to daily use of internal programs, a robust identity verification program is an essential component of an effective cybersecurity strategy.”