Cybersecurity Awareness Month, which has occurred every year since October 2004, does precisely what its name suggests. It serves as a reminder of the sector’s importance for businesses and consumers across the globe.
It also highlights just how important the industry is in keeping today’s enterprises running.
2023 represents another year where threats have continued to grow in tandem with our own efforts to contain them.
AI-generated threats are the most significant issue on Paul Inglis, SVP, EMEA at ForgeRock’s mind: “AI is being increasingly weaponised against businesses and consumers to conduct ultra realistic and highly targeted phishing campaigns. It’s increasingly difficult to spot what’s real from what’s fake. While we’ve seen some politicians and celebrities mimicked to cause reputational damage, many other deepfakes are being circulated to steal money or credentials. And all a hacker needs is an Instagram story or a TikTok video to create an audio and video likeness in a matter of seconds.”
Simon Horswell, Fraud Specialist at Onfido, shares Paul’s concerns: “Fraud continues to rise to new levels, enhanced over the last year by the impact of generative AI. Fraudsters are using it to craft scams such as fake IDs, voice cloning, and deepfakes, and as bad actors adopt the latest technology for offensive means, identity verification companies such as Onfido have put in place many defences and are continuously monitoring and mitigating new fraud vectors.”
While AI-generated threats are extremely apparent, the same ‘older’ threats are still just as dangerous. F5‘s Threat Research Evangelist, Sander Vinberg, sees credential stuffing as a particularly pertinent: “Credential stuffing is widely recognized as a fundamental source of cybersecurity risk. It is, in essence, a numbers game.” However, the only silver lining is that the process remains somewhat inefficient: “It hinges on the fact that people reuse passwords, but the likelihood that any single publicly compromised password will work on another single web property is still small.”
Credential-based threats are also front of mind for Renske Galema, Area Vice President Northern Europe, CyberArk, who states: “High-profile cyberattacks using stolen or leaked employee logins to breach and hijack entire IT systems are on the rise, but over half (55%) of UK workers still use insecure practices to keep track of their credentials, causing headaches for security teams. Amid ongoing economic turbulence and a continued cyber skills gap, threat actors are continually innovating to access critical data and assets to cause monetary and reputational damage.”
Insider threats are another vulnerability that have continued to pester CISOs everywhere. Lacework’s CISO, Lea Kissner shares this sentiment: “Insider threats should always be top of mind for CISOs. I worry about what someone can do if they managed to take over an employee’s access (e.g. malware, account hijack), that they might hurt our customers or our co-workers.”
While CISOs face an abundance of new threats, its imperative that they afford the ‘older’ threats the same focus, as they present just as much danger as newer methods.
As more companies move towards IoT-connected solutions to evolve their business capabilities, David Collins, Product Management EMEA at Cradlepoint, recognises that: “The best option for them is a converged network and security solution, optimised for 5G, which includes secure access services edge (SASE) principles. As part of these, the Zero Trust Network Access (ZTNA) principle provides a great foundation where the network plays a major role in protecting IoT devices.”
Online transactions aren’t going anywhere, and businesses must ensure their transaction processes are secure. Sameer Hajarnis, SVP and GM Digital Agreements at OneSpan agrees: “With so many high-value transactions conducted online, getting customers to trust that the digital agreements they’re making are secure is top priority. Businesses need to ensure their security measures are bolstered with tighter verification practices, such as continuous identity verification and biometric authentication, and that these are woven throughout the transaction lifecycle.”
While having the correct guardrails in place is paramount, it’s also critical that we have the correct steps in place, in case of a successful attack. Jake Moore, Global Cybersecurity Advisor at ESET, recommends: “Regular data backups are essential to safeguard against data loss stemming from cyberattacks or hardware failures. Simultaneously, maintaining a vigilant watch over your accounts and access on a frequent basis enhances the detection of compromised passwords and personal information. Finally, it’s equally important to account for all your devices – a practice typically undertaken by larger businesses for ongoing risk management purposes as part of a well-defined cyber-resilience plan.”
It’s imperative that as threats and tactics continue to evolve, we ensure our training keeps pace.
Developers are arguably the most important personnel to ensure are trained to the highest degree when it comes to cyber security. Veracode‘s CTO, John Smith, agrees: “With the right developer training, businesses can make a big difference to the security of their software. In fact, our research found the completion of 10 training courses correlates to a 12% reduction in the number of flaws introduced by developers. It’s never too late to start. Let this Cybersecurity Awareness Month serve as a reminder for developers to brush up on their cyber safety, and businesses to put in place the right training to make these secure practices stick.”
Ian McShane, VP MDR at Arctic Wolf, thinks that we should be heading away from certain types of training: “It’s important to remind ourselves that the true goal of this month is to encourage more people to understand and adopt behaviours that protect themselves. My hope is that we focus less on things like “punishment training” when small errors are made, which is the least impactful, and instead focus on things that the average person will benefit from. At the end of the day, the business benefit must be the byproduct, not the entire goal.”
Likewise, Aaron Rosenmund, Director of Security Curriculum and Research at Pluralsight, argues: “Only 17% of tech workers are completely confident in their cybersecurity skills. This needs to change, and to do so businesses must provide cyber teams with opportunities to practice in low-risk environments, and build confidence.”
2023 represents another year where the importance of cyber vigilance has continued to skyrocket. As we move into 2024, let’s make a concerted effort to bear this in mind and keep up to date with the dangers out there, be fully prepped for any attacks against us, and ensure that we never neglect cyber training.