Avoid being spooked this Cyber Security Awareness Month
According to the 2019 Verizon Data Breach Investigations Report, 69% of attacks last year were perpetrated by outsiders. 43% of breaches involved small business victims and 52% of breaches involved hacking.
These are scary statistics. Organisations must be reminded that, regardless of the type or amount of data they hold, there is someone out there who is trying to steal it.
In light of this, a handful of technology and cyber security experts have spoken to TEISS. They delve into the different issues involved in protecting their businesses. They also offer advice to help combat the cyber security threats that are faced today.
The theme of this National Cybersecurity Awareness Month is to remind individuals why it is important to ‘Own IT. Secure IT. Protect IT.’, both in their personal lives and at work. Harold Sasaki, Senior Director, IT and TechOps at WhiteHat Security, gave top tips on how individuals can prioritise safety.
He advised, “only purchase online from well-known stores. Stores like Amazon, eBay, Walmart and Nordstrom spend a lot of money and resources to make sure your data is safe.”
He continued, “Just because a store uses encryption does not mean that once they have your data it is kept secure. Avoid smaller unknown sites that may or may not have the proper level of security for your data.”
He added, “Larger established companies also usually have a well-defined process for disputing purchases that may be fraud. Keep an eye on your credit card statements for unauthorised charges, even at stores you normally shop at.
“These are key considerations we all need to make this month – and every day – to keep our data, and in turn, our employers’ data, safe.”
According to John Ford, CISO at ConnectWise, the simplest thing SMBs can do to protect themselves from cyber-threats is to enable multifactor authentication. He explained, “essentially, that means having more than just a password.
Most people use it all the time and never even think about it. For instance, when logging into your bank account from something other than your primary computer, and the bank sends a text message to your phone with a code.
You enter the code and you’re in. That’s all multifactor authentication is. In cyber security, we call it ‘something you have and something you know.’
“While there are all kinds of complex products and technologies companies use to protect themselves – many of them excellent – the fact is, most ransomware attacks can be prevented by this easy-to-deploy process.
Yet, multifactor authentication has only recently become widely adopted, despite having been around close to 20 years.”
Tim Bandos, Vice President of Cyber Security at Digital Guardian, believes the days are long gone when anything but the biggest data breaches would make the headlines of the non-IT press.
“That’s because we’ve become increasingly desensitised to security stories,” he explained. “Today, it takes something huge to turn heads.
Whether it’s 300,000 files and directories stolen by a former Tesla employee or the 600 million Facebook passwords ‘hidden’ in plain text, only these most egregious lapses in data security seem to set alarm bells ringing.
“Data protection solutions can help prevent data loss, but maintaining a successful security program is largely dependent on employee awareness and their ability to comply.
By teaching employees how to make decisions about the use and protection of data, they’re in a better position to make better judgments on their own around data in the future.”
Paul Rose, CISO at Six Degrees, suggested it’s time for a paradigm shift in the way organisations view cyber security.
“The organisations I speak to are all too aware of the risks they face, whether from rogue internal operators, ever more sophisticated email attacks, ransomware, or any number of other threat vectors that could – if exploited – result in serious financial, operational and reputational damage.
“Effective cybersecurity requires continual top-down engagement throughout the organisation, and that starts in the boardroom.
Cyber security needs to be put on the executive agenda; it should be placed in the context of the continuing success of the organisation in terms of the impact of any breach”.
Be aware of different attack vectors
Securing Internet of Things (IoT) devices and data for business use cases is a highly topical issue, and one of the hottest topics during Cyber Security Awareness Month this year.
At its core, IoT represents a huge expansion of the network edge, as each deployment potentially covers wired broadband, public and private LTE, WiFi, and LoRaWAN connectivity.
Todd Kelly, Chief Security Officer at Cradlepoint, stated, “in the not too distant future, we’ll see IoT deployments take advantage of 5G connectivity as well.
The good thing is the industry and governments have started efforts to better define the inherent security controls and best practices that will help, over time, improve the overall security of IoT deployments. But that will take some time to gain mass adoption in the market.”
IoT devices and routers are a major source of attacks for cybercriminals and nation-state attackers. According to Symantec, in 2018, 75% of botnets were router focused.
IoT security can be daunting for many businesses. There are a number of important areas that everyone who has deployed, or is considering deploying, IoT applications should consider.
“With the expanding diversity of business IoT use cases along with their associated IoT devices, architectures, vendors, management platforms and disparate security capabilities, customers should look to invest in enterprise IoT platforms to simplify the number of tools, devices and architectures needed to meet the business benefits for IoT use cases in the enterprise while reducing cyber risk.
Using existing network-based security solutions may not be sufficient. Instead, organisations should look at using expert cloud-based management platforms and software-defined perimeter technologies, which effectively address the security risks inherent in IoT deployments and provide network-wide policies and visibility.”
Steve Wainwright, MD EMEA at Skillsoft, explained that social engineering attacks are a go-to method for hackers. He said, “they rely on unwitting, unsuspecting and, at times, careless employees”.
A recent Positive Technologies study found that more than one in ten employees fall for this type of attack. Social engineering attacks work by using psychological manipulation.
Hackers use information gained on social media or the dark web to build a profile of a person. Then, they pose via email as someone the victim might know. They might then encourage their victim to click on a link or download a file that contains malware.
“The key to defending against this type of threat is education. By training employees to question and look out for suspicious emails – for example, checking if the sender email address looks odd and scanning the email for poor grammar and spelling – organisations can reduce the likelihood of successful attacks.
Giving employees the skills and knowledge they need to identify potential attacks is the best way of mitigating the insider threat risk.”
Whilst this awareness month only runs during October, businesses should be reminded that cybersecurity is a year-round issue.
There should be stringent preparation and good advice throughout the year. This will mean businesses have the best chance of not falling foul of hackers’ tricks.