October marks National Cyber Security Awareness Month, a time that acts as a valuable reminder for organisations to evaluate their cybersecurity. In this year alone, 55 per cent of UK businesses have been targeted by cybercrime, which is up by 15 per cent on last year. There has never been a better time to address cybersecurity and bring awareness to the forefront of people’s minds.
Taking this opportunity to highlight key concerns, eight IT experts have weighed in to explain the risks of cybercrime and how best to improve cybersecurity.
In this day and age, a cyberattack is, unfortunately, more of an inevitability than a mere threat. Businesses therefore need to accept that mitigation technology is a necessity.
Steve Nice, Chief Security Technologist at Node4, continued, “This Cyber Security Month, it’s important for organisations to recognise how to strengthen their security to prevent potentially devastating attacks from harming them. It’s the responsibility of the IT team to ensure that the business’ security is up to speed, and so a Vulnerability Testing programme can help the team understand where the weaknesses are and support these areas. This means that valuable time – and money – can be saved from being spent on unnecessary security infrastructures before knowing where the holes in the defence really lie.”
“However, it’s not just the technology that needs to be supported. Regardless of how many layers of protection IT teams implement, the weakest link is the people involved. Managing this is essential in any cybersecurity strategy, so it’s vital to ensure that all employees are fully up-to-date with the latest security protocols and processes in the company. This is a key part of cybersecurity, and even more so because the human element is the hardest to control and measure effectively.”
Avi Raichel, CIO at Zerto, agreed: “Cyberthreats such as ransomware can be a huge threat to businesses, and even just a single employee clicking a malicious link in their emails will mean a ransom must be paid for all business data encrypted. Cybercriminals often exploit vulnerabilities in employee emails, so it is crucial to have the right cyberdefences in place to avoid a disaster where customer data, and a lot of money, could be at risk.”
“Having an extensive tiered security model and instilling a strong cybersecurity-aware culture across all employees will help minimise risk. But, the attack itself is only half of the problem because, without sufficient recovery tools, the resulting outage will cause loss of data and money, as well as reputational harm.”
Paul Rose, CISO at Six Degrees, suggested that it is time for a paradigm shift in the way we view cybersecurity.
He continued, “The threats are known, documented and evidenced. But the fact remains that even mentioning the word ‘cybersecurity’ in the boardroom can elicit eye rolls, shuffling in seats and muttered excuses to leave.
“This year’s National Cybersecurity Awareness Month is all about each and every one of us doing our part to make sure that our online lives are kept safe and secure. Effective cybersecurity requires continual top-down engagement throughout the organisation, and that starts in the boardroom. Cybersecurity needs to be put on the executive agenda; it should be placed in the context of the continuing success of the organisation in terms of the impact of any breach.”
Sascha Giese, Head Geek at SolarWinds, supported this point, stating, “With every passing year, the public sector is becoming increasingly aware of the onslaught of cyberattacks it faces, with an increase in the number of organisations reporting over 1,000 cyberattacks in 2018 compared to 2017, as revealed this year through a SolarWinds FOI request. Public sector IT professionals are working every day to ensure the data their department holds is kept secure. While tools and technology are of course the most solid defence against security threats, public sector IT pros should also consider the following three steps to achieving a stronger security posture: leadership setting the right example; regular and effective training for all teams; and ensuring security policies are revised frequently to keep up with the latest threats.
“U.K. government IT professionals are trusted with data by citizens, and so to give them confidence this information is being kept safe, organisations in this sector must adhere to strict security policies. And, to keep on top of security, having initiatives supported by everyone – not just the IT team – is the crucial part of the puzzle.”
Hubert da Costa, Senior Vice President at Cybera, identified the importance of embedded security in modern businesses. “The adoption of mobility, big data, social media, cloud and the Internet of Things is extending traditional enterprise perimeters, making them complex and difficult to secure,” he said.
“Far too often, application security is an afterthought if it is addressed at all. The solution is to embed security directly into the fabric of the network, striking a balance between user experience, security, and affordability. This approach combines defence-in-depth, micro-segmentation and continuous network monitoring.”
John Ford, CISO at ConnectWise, added to this discussion, stating, “The simplest thing SMBs can do to protect themselves from cyberthreats is to enable multifactor authentication. Essentially, that means having more than just a password. Most people use it all the time and never even think about it. For instance, when logging into your bank account from something other than your primary computer, and the bank sends a text message to your phone with a code. You enter the code and you’re in. That’s all multifactor authentication is. In cybersecurity, we call it ‘something you have and something you know.’
“While there are all kinds of complex products and technologies companies use to protect themselves – many of them excellent – the fact is, most ransomware attacks can be prevented by this easy-to-deploy process. Yet, multifactor authentication has only recently become widely adopted, despite having been around close to 20 years.”
Additionally, Stephen Gailey, Head of Solutions Architecture at Exabeam, commented, “Almost all of the huge breaches we read about in the news involve attackers leveraging stolen user credentials to gain access to sensitive corporate data. This presents a significant problem for security teams. After all, an attacker with valid credentials looks just like a regular user. Identifying changes in the behaviour of these credentials is the key to successfully uncovering an attack. But in an age of alert overload, security teams are often overwhelmed and can struggle to make sense of the data in front of them.
“Applying User and Entity Behaviour Analytics (UEBA) to the data already collected within most organisations can help security teams connect the dots and provide a useful profile of network user activity. By connecting the dots and creating a map of a user’s activities, even when the identity components are not explicitly linked, security teams can create baselines of normal behaviour for every user on the network. This makes it easier to identify when a user’s activity requires further investigation. It may not stop you being breached, but it will tell you about it before the damage is done.”
Filling the breach
Matthew Buskell, Area Vice President at Skillsoft, lent his insight regarding the skills gap within cybersecurity.
“Cybersecurity is one of the most diverse and thrilling fields, open to anyone with an inquisitive, analytical or determined mind. Perhaps paradoxically, it is also facing a significant talent shortage. Research by (ISC)² estimates that almost three million cybersecurity positions remain unfilled. With organisations crying out for new cybersecurity professionals, how can you make the leap?”
“A career in cybersecurity is no longer as elusive as it once was. The path to cybersecurity success is about learning and – crucially – demonstrating drive and passion.
“For anyone with an IT background, there are plenty of training options to support a transition into a cybersecurity role. However, for those currently in non-technical positions, mid-ladder career changes are becoming easier than ever. Indeed, much of the training needed is available online. If you’re thinking about a move into the industry, Cybersecurity Awareness Month might be the perfect time to kick-start your career change.”
With the constantly evolving threat of cybercrime, Cyber Security Awareness Month provides the opportunity for organisations to take stock of the security systems they have in place, the training provided and the importance placed on countering these ever-changing threats.