#CyberMonth: Six Cybersecurity Trends to Stay Ahead Of

October 2022 has seen a huge amount of activity around Cybersecurity Awareness Month across the globe. In Europe, the EU’s cybersecurity agency (ENISA) celebrated 10 years of its campaign and highlighted its new theme #Choose2BeSafeOnline.

“Initiatives like European Cybersecurity Month are important because they provide businesses with an opportunity to take stock and reflect on their existing cybersecurity infrastructure,” Jessica Ferguson, CISO, DocuSign reflected.

With this in mind, and Cybersecurity Awareness Month soon ending, Infosecurity Magazine spoke to industry members about some of the key cybersecurity challenges to be mindful of today.

1. Evolving Threat Landscape

Threat actors are rapidly evolving their tactics, techniques and procedures (TTPs) and at the same time organizations are embarking on digital transformation projects and expanding their network perimeters with a dispersed workforce. The threat landscape today is more complex than ever before.

“Cyber-criminals are getting organized and providing Ransomware as a Service (RaaS) – subscription-based pyramid schemes that supply affiliates with ready-made ransomware tools. This development has significantly reduced technical barriers to entry and boosted the earning potential and impact for lower-level threat actors, encouraging even more malicious activity,” noted Mandeep Thandi, director of cyber and privacy, Gemserv.

Threat intelligence, building cyber defense strategies and ensuring organizations have the tools and procedures in place to react to what many now say are inevitable cyber incidents are all hugely important in today’s threat landscape.

2. Phishing

Phishing continues to be a top attack vector for threat actors, and Cybersecurity Awareness Month sought to bring the issue to the forefront. Infosecurity’s deputy editor James Coker recently reported on this vector, noting that while there are plenty of tools available to prevent phishing attempts, the issue is at its core a human one that calls for a focus on awareness training.

One of the focuses for this year’s European Cybersecurity Month is phishing, with a theme of ‘Think Before U Click!’, highlighting the need for users to be equipped with the knowledge to avoid falling into the trap of attackers.

As well as thinking before clicking, reporting processes should be simple and organizations’ staff must know who to report a phishing attempt to. Finally, to improve employees’ awareness and understanding of phishing, security teams should publicize attempts discovered within the organization following employee reports.

3. IoT Devices

The internet of things (IoT) is already here, at home and in business, with industries like manufacturing, logistics and critical infrastructure heavily leveraging IoT devices.

Awareness must be heightened around the risks that IoT devices pose, as it only takes one device being hacked to give a threat actor entry to a business’ entire network. Notably there are few standards requiring cybersecurity for IoT devices. In addition, David Maidment, senior director secure device ecosystem, Arm, noted that there is also a lack of in-house expertise holding back device manufacturers from implementing best practice security.

Maidment added, “Embracing easy-to-use frameworks, evaluation schemes and certifications, and closing security gaps with threat modeling are crucial ingredients for being cybersmart with IoT security. Ensuring that every connected device is built upon common security principles will enable the industry to work together cohesively, catalyzing the move towards a common goal of scaled deployments and a connected world.”

Meanwhile, Vivek Daga, managing director UK&I, NTT Ltd, noted, “In order to get ahead of any potential security risks, organizations must take their time when selecting these devices and understand the configuration before connecting it to the wider network.”

4. Security and Developers  

The high-profile Log4j vulnerability that was discovered in late 2021 brought software security to the mainstream, and it has not gone away yet. In addition, there is increased scrutiny over securing the software supply chain.

Businesses ought to consider how to integrate security into their development processes from the get-go, so that the two are no longer siloed.

John Smith, EMEA CTO at Veracode, highlighted research from his company which found that developers who get coaching from security experts fix 88% more flaws. Such coaching helps them identify vulnerabilities in real time, fix issues without delays to development and adopt secure coding practices.

“This Cyber Security Awareness Month, we challenge businesses to not only consider the day-to-day practices of their employees but also what they are doing at a ground level to ensure developers have the required skills to counter the ever-growing threat of hackers,” he said.

5. Cloud Security 

Cloud adoption continues to accelerate, and many organizations have now begun their journeys to move to the cloud. As companies adapt to the cloud, so too do adversaries who are actively seeking to exploit it.

“Attackers go after low-hanging fruit, using a lack of outbound restrictions and workload protection on the cloud to exfiltrate data, or leveraging common cloud services as a way to obfuscate malicious activity,” said Zeki Turedi, CTO EMEA, CrowdStrike.

Turedi recommends organizations use threat hunting capabilities to identify threats in their cloud environments. In addition, he said that cloud security should provide continuous posture management and breach protection.

“Cloud adoption doesn't need to be a trade-off on security,” noted Kai Waehner, field CTO at Confluent. “Modern, scalable cyber intelligence platforms can enable businesses to accurately detect and respond to security threats without slowing down performance.”

6. Protecting Your Identity

Identity theft is a concern for businesses and consumers alike, and safe, secure, digital processes are necessary in order to prevent threat actors from acquiring this personal information. Many businesses face a blind spot when it comes to secure electronic verification solutions.

Ferguson at DocuSign said it is important that businesses don't forget to safeguard existing processes.

“To ensure organizations don't leave themselves vulnerable, they should digitize as many of their processes as possible, switch to electronic signatures and select a platform that's trusted by their partner ecosystem to manage this process. European Cybersecurity Month is a great moment in time to start or accelerate the transition to safer and more secure digital processes,” she said.

Brett Beranek, VP and general manager, security and biometrics at Nuance highlighted the necessity for fraud prevention strategies and suggested the simple password is no longer sufficient to protect identity data. He suggested that passwords ought to make way for modern technologies – such as biometrics – to be more widely deployed in order to robustly safeguard customers.

NB: this is by no means an extensive list but highlights some of the issues that many are considering during Cybersecurity Awareness Month. 

To hear more about Cybersecurity Awareness Month, tune into the October 2022 IntoSecurity podcast, where two industry specialists speak about their views on, and efforts during, Cybersecurity Awareness Month: Marianna Kalenti from the Awareness Raising and Education Team at the EU’s cybersecurity agency (ENISA), and Jessica Barker, co-founder of Cygenta.
