Cybersecurity Awareness Month Archives - Cyber Secure Forum | Forum Events Ltd
Posts Tagged: Cybersecurity Awareness Month

Cybersecurity Awareness Month: We asked the experts about this year’s priorities

Stuart O'Brien
What are the key considerations, threats and opportunities for IT security professionals in 2023? To mark Cybersecurity Awareness Month 2023 we polled some leading experts for their thoughts…
Milind Mohile, Vice President, Product Management, Citrix
“Hybrid work is still on the rise in 2023, a trend which is only increasing complexity for security teams, with geographically separate workforces, using a variety of managed and unmanaged devices, over the internet, accessing a combination of enterprise-hosted and SaaS apps. Traditional security measures are no longer enough to safeguard a business’s sensitive applications and data, therefore businesses must truly understand how to implement a comprehensive Zero Trust Application Access (ZTAA) framework.
ZTAA goes beyond Zero Trust Network Access (ZTNA) to encompass not just networking, but also application usage and activities even after access has been granted. Unlike traditional security models that rely on perimeter defences with “point-in-time” security controls, and policy engines that follow binary “grant/deny” rules, a ZTAA model combines the principles of “never trust, always verify” with granular access and action controls that can be dialled up and down based on circumstances, telemetry or behaviours. This constant vigilance and fine-grained control is where ZTAA truly shines.
ZTAA will evolve rapidly as solutions incorporate AI to aid in continuously monitoring user behaviours and determining the right responses to suspicious activity. As such, ZTAA enables unrivalled protection against unauthorised access and security breaches, as well as unintentional risky behaviour, making it essential for businesses with hybrid workforces, where users expect to be able to log in from anywhere in the world.”
Matt Tuson, General Manager, EMEA, LogicMonitor
“Over the last two decades, the field of cybersecurity defence has flourished into an advanced, diverse field. However, I think that we will soon see a real evolutionary step take place, which takes us beyond just manning the barricades against digital foes. Businesses are learning that, regardless of whether downtime comes from adversarial attacks or internal technological failures, the bottom-line impact is much the same, and what really matters is getting back to a state of health as quickly and smoothly as possible.
A digital immune system (DIS) approach, built around a mindset which is more agnostic as to the source of problems and more unified in its focus on recovery, will come into focus as a better way of organising teams and technology to create valuable outcomes. The good news for those who have spent years building cybersecurity expertise is that this change will put them closer to the heart of business value. Everything we have learned about resilient systems, designed redundancy, and human psychology will become relevant to business thinking more broadly. Together with more unified data practices and AI tools to action that data, the digital immune system is going to shift the goalposts from the well-defended enterprise to the self-healing enterprise.”
Duncan Bradley, Director of Customer Engagement UKI Cyber Resiliency Practice, Kyndryl
“The last two decades have witnessed consistent evolution in both how we do cybersecurity and the kinds of risk that cybersecurity seeks to mitigate. The most important lesson emerging in this space right now, though, is really a perspective shift around what cybersecurity is for.
“For most of IT history we have spoken of defence, prevention, and avoidance, building a suite of tools and tactics to stop bad outcomes. We have been successful and made it very difficult to break into organisations, so bad actors are now compromising organisations’ user accounts with increasingly sophisticated targeted social engineering attacks, and the growing use of AI techniques only serves to increase the challenge of detection. Going forward, that conversation is going to be re-oriented around minimising damage and recovering quickly and seamlessly from it. Whether through criminal activity, human error, or natural disaster, breaches and outages happen. The most successful businesses in such moments will be those that have invested in resilience strategies which are agnostic about the source of damage and laser-focused on returning to operational status. That demands a holistic approach where recovering data and reinstating services is baked in at every level, just as something like authorising access is today.
The cybersecurity community has developed very mature methodologies for integrating the human and technological aspects of protecting against attack. In twenty years’ time, resilience will be just as embedded in what we do.”
“Cybersecurity Awareness Month serves as yet another reminder of the importance of protecting data in our increasingly digitalised world. AI will be on the agenda, as the recent explosion of generalist technologies and data-scraping tools make data more accessible than ever.
For many businesses, data privacy and security represent a minefield. Whether it’s mitigating the risk of employees exposing sensitive data to GPT-based tools or providing rapid responses to personal information requests, the data privacy challenges for business leaders today are wide-ranging. However, the reality is that compliance isn’t optional, and many are finding themselves on the wrong side of the data privacy coin.
And when it comes to compliance, it’s always going to be more difficult for smaller businesses and start-ups. They cannot afford to take the “get fined, pay up” approach of industry giants. This is why we need to be aware of the benefits of AI as much as its potential risks. AI-driven automation can play a key role in helping SMEs or overburdened legal departments understand, centralise, and analyse their enterprise data, ensuring they keep up with what is an increasingly complex and volatile regulatory landscape. The future of data security depends on our collective ability to adapt – and you can be sure that AI will be at the forefront of enabling businesses to achieve data-driven insights into compliance data, automate compliance tasks and mitigate risk.”
Karl Schorn, Vice President of Professional Services at Systal
“Cybercriminals are using AI and machine learning to develop more effective attacks, such as automated phishing campaigns and AI-driven malware. As technology evolves, so do the attack vectors. Emerging technologies like quantum computing and 5G networks bring new security concerns. This, combined with a shortage of skilled personnel and the need to maintain legacy systems and infrastructure, is stretching resources as more data and services are moving to the cloud – further pressing the need to protect a wider attack surface, with fewer resources and skills, against determined and developing adversaries.
Addressing these challenges requires a multi-faceted approach that includes technological solutions, strong policies and regulations, employee education, and collaboration among governments, industries, and security experts. Cybersecurity is an ongoing process, and organizations must remain adaptive and proactive in the face of evolving threats.”
John Linford, Forum Director, The Open Group Security & Open Trusted Technology (OTTF)
“It now seems fair to describe the continuing rise of cyber risk as inexorable. Not a week goes by without an analyst or research report announcing a new statistic about the increasing rate of attacks, the diversification of methods, or the growing financial losses being caused.
This means that it’s no longer feasible for organizations to consider any elements of the service topology as ‘trusted’. Rather than assuming any device on a network must have passed a security checkpoint and therefore can be trusted, organizations should be looking to models which secure the data and assets those networks are there to carry, requiring continuous verification of trustworthiness in order to ensure computer security. And Zero Trust ensures computer security for users, data/information, applications, APIs, devices, networks, cloud, etc., wherever they are – instead of forcing a “secure” network within a company.
By assuming every action is potentially malicious and performing security checks on an ongoing, case-by-case basis, Zero Trust reduces successful attacks and protects organizations in the event of a breach as other data and assets remain secure, rather than being accessible by an attacker. In order to successfully implement and ensure proactive mitigation of cyber threats is commonplace, the industry must establish standards and best practices for Zero Trust, which will also be a critical component of cybersecurity awareness.”
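The shift both Citrix and The Open Group describe above, from a one-off grant/deny at the perimeter to continuous, per-action evaluation, is easier to see in code. The following is an added example written for this page, not any vendor's product or The Open Group's specification: the telemetry fields, risk weights, thresholds and action ladder are assumptions chosen to illustrate the idea.

```python
"""Point-in-time grant/deny versus continuous, telemetry-driven access control.

Added example for this article; the telemetry fields, risk weights, thresholds
and action ladder are assumptions chosen to illustrate the idea, not any
vendor's or The Open Group's policy model.
"""
from dataclasses import dataclass

# Actions a user can perform on a resource, ordered least to most sensitive.
ACTIONS = ("view", "edit", "download", "share_external")


@dataclass
class Telemetry:
    """One snapshot of what the policy engine knows about a session (assumed fields)."""
    device_managed: bool           # corporate-managed endpoint
    mfa_age_minutes: int           # minutes since the last strong authentication
    geo_matches_last_session: bool
    anomalous_download_rate: bool  # behavioural signal from continuous monitoring


def legacy_grant(t: Telemetry) -> bool:
    """Perimeter model: one binary check at connection time, then full trust."""
    return t.device_managed


def risk_score(t: Telemetry) -> int:
    """Additive risk from the current snapshot; weights are illustrative."""
    score = 0
    if not t.device_managed:
        score += 3
    if t.mfa_age_minutes > 60:
        score += 2
    if not t.geo_matches_last_session:
        score += 2
    if t.anomalous_download_rate:
        score += 4
    return score


def allowed_actions(t: Telemetry) -> tuple:
    """Graduated controls: rising risk trims the action ladder instead of flipping a switch."""
    s = risk_score(t)
    if s >= 7:
        return ()               # nothing until the user re-authenticates
    if s >= 5:
        return ACTIONS[:1]      # view only
    if s >= 3:
        return ACTIONS[:2]      # view, edit
    if s >= 1:
        return ACTIONS[:3]      # everything except external sharing
    return ACTIONS


def decide(t: Telemetry, action: str) -> str:
    """Return 'allow', 'deny' or 'step_up' for one action under the current telemetry."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    if action in allowed_actions(t):
        return "allow"
    return "step_up" if risk_score(t) >= 7 else "deny"


def evaluate_session(snapshots, action: str):
    """Re-evaluate the same action at every snapshot of one session.

    Returns (legacy_decisions, zero_trust_decisions) so the two models can be compared.
    """
    legacy = ["allow" if legacy_grant(s) else "deny" for s in snapshots]
    zero_trust = [decide(s, action) for s in snapshots]
    return legacy, zero_trust


if __name__ == "__main__":
    # Constructed session: healthy start, then a download burst, then a location change.
    session = [
        Telemetry(True, 5, True, False),
        Telemetry(True, 45, True, True),
        Telemetry(True, 90, False, True),
    ]
    for model, decisions in zip(("legacy", "zero-trust"), evaluate_session(session, "download")):
        print(f"{model:>10}: {decisions}")
```

Run as-is it prints the two decision sequences side by side: the perimeter model allows the download at every snapshot because the device passed its check once, while the continuous model downgrades to deny when the download rate becomes anomalous and to a step-up challenge once stale MFA and a location change push the score over the threshold. In a real deployment the weights would come from a risk engine and the telemetry from device posture, identity and monitoring feeds rather than constructor arguments.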
Charles Southwood, Regional Vice President and General Manager in UK, Denodo
“The digital landscape is in a constant state of evolution, and along with it, the sophistication of cyber threats continues to grow. These threats take on various forms, ranging from phishing attacks and malware infections to data breaches that can compromise sensitive information. For businesses, safeguarding data and systems must be a number one priority.
While data holds the promise of transforming operations and propelling businesses ahead of the competition, when not adequately protected, it can become a double-edged sword, especially in our current AI-powered landscape. Attacks that utilise this technology can automate and enhance the sophistication of threats, making it more vital than ever to stay ahead of the curve.
Implementing strong authentication methods, encrypting sensitive data, and keeping software and systems up to date are fundamental steps in safeguarding your digital assets. Additionally, having a well-defined incident response plan and regularly assessing the cybersecurity practices of third-party vendors and partners can strengthen the overall security posture.
Cybersecurity isn’t a one-time effort; it’s an ongoing commitment. By investing in robust cybersecurity measures, you not only protect your business but also enhance the trust of your clients and partners. Stay vigilant, stay secure.”
Image by joffi from Pixabay

Experts reflect on how you can be cyber smart for Cybersecurity Awareness Month 2021

Stuart O'Brien

The overarching theme of this year’s Cybersecurity Awareness Month is “Do your part. #BeCyberSmart.” The pandemic has made the line between our online and offline lives indistinguishable. Everything we do is fuelled by technology. Our homes, our economy, the entire country. Everything depends on the internet, and is therefore exposed to it.

By now, everyone and every business has a basic understanding of the threats the online world presents. Most if not all organisations will also have some level of cybersecurity in place. But most of the time it’s not good enough. Stronger security practices and more education about the risks we are all vulnerable to are absolutely vital if we are to be resilient enough to withstand a technology-driven future.

So, we spoke to some of the industry’s experts to learn how businesses and individuals can play their part in keeping our cyberspace secure.

Knowing how and where to spend your budget

There are three key areas that the experts we chatted with believe need to be re-evaluated. The first comes as no surprise: technology. That’s because “opportunistic cybercriminals continue to take advantage of the evolving digital environments that individuals, governments, and organisations have embraced,” according to Chris Huggett, SVP EMEA, Sungard Availability Services.

Raymond Pompon, Director, F5 Labs, added that “web application exploits are the biggest cybersecurity risk facing organisations today. In fact, recent research has shown 56% of the biggest cybersecurity incidents over the past five years were related to web application security issues, constituting 42% of all financial losses recorded for these extreme events. The pandemic has also thrown significant challenges at our defences and now, as employees shift to hybrid working models, another layer of complexity is added to the mix.”

In light of this landscape, Huggett believes “[Cybersecurity Awareness Month] should act as a timely reminder to organisations, both big and small, to review their security processes. In their hunt for ‘big game’ enterprises, threat actors are holding third-party vendors hostage to reach their ultimate targets. Organisations need a holistic view of their entire infrastructure to make sure that every touch point is secure.”

This can, of course, be challenging at a time when businesses are doing their best to make a comeback from the pandemic, but Rob Treacey, Head of Security, Professional Services, EMEA at Rackspace Technology, says “organisations should be looking to spend between 15-20% of their budget on cybersecurity.” That’s compared to the “7-15% of their IT budgets [that is currently being spent] on cyber security.” Treacey advises that “the best way to decide what you spend is to figure out what percentage of your budget is proportionate to the information assets you are protecting. If a breach within your organisation would result in irreparable reputational damage, significant customer loss or regulatory non-compliance, then you probably require a healthy security budget to prevent any of those consequences from becoming a reality.”

One of the biggest priorities to review when deciding where to spend cybersecurity budget, according to David Higgins, EMEA Technical Director, CyberArk, are “innovations like machine learning, [which] are making organisations more cyber smart because they eliminate excess login requests.” He warned that “cyber criminals know [our] dirty little password secrets and target weak passwords as an easy way to steal information and even get rich quickly, often via common methods like phishing and impersonation. That’s why 80% of hacking-related breaches can be linked to stolen or brute-forced credentials.”

Gareth Jehu, CTO, Com Laude believes that cyber security practices around domain names are another thing that can often be overlooked. He advises, “one of the first places to start is implementing an up-to-date TLS encryption protocol. This protects the confidentiality and integrity of data in transit and authenticates the parties that are exchanging information. Adopting a robust domain lock solution such as Registry or Super Lock can also provide protection by implementing a domain specific approval handshake for any modification to domain name settings such as name servers. An organisation should also manage its domain assets carefully, ensuring it has appropriate and active SSL certificate coverage. Mismanagement of these certificates can lead to erroneous expiration, opening the door to disruption of critical services.”
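Two of the points above, refusing outdated TLS versions and catching certificates before they expire, can be checked with nothing more than the Python standard library. The script below is an added example written for this page, not Com Laude's tooling; the 30-day warning window, the TLS 1.2 floor and the record layout are assumptions for the example.

```python
"""Audit TLS protocol version and certificate expiry for a list of hosts.

Added example for this article, using only the Python standard library; the
warning threshold, the minimum TLS version and the record layout are
assumptions for the example, not Com Laude's tooling.
"""
import socket
import ssl
import sys
import time

WARN_DAYS = 30                          # assumed renewal warning window
MIN_VERSION = ssl.TLSVersion.TLSv1_2    # refuse anything older at handshake time
CURRENT_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def make_context() -> ssl.SSLContext:
    """Client context that verifies chain and hostname and floors the protocol version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    return ctx


def days_until_expiry(not_after: str, now=None) -> int:
    """Whole days from `now` to the certificate's notAfter (negative if already expired).

    `not_after` uses the format getpeercert() returns, e.g. 'Jan  5 09:34:43 2018 GMT'.
    `now` may be epoch seconds, a string in the same format (for reproducible audits),
    or None for the current time.
    """
    expires = ssl.cert_time_to_seconds(not_after)
    if now is None:
        now = time.time()
    elif isinstance(now, str):
        now = ssl.cert_time_to_seconds(now)
    return int((expires - now) // 86400)


def classify(days_left: int, warn_days: int = WARN_DAYS) -> str:
    if days_left < 0:
        return "EXPIRED"
    if days_left <= warn_days:
        return "EXPIRING"
    return "OK"


def protocol_is_current(version: str) -> bool:
    return version in CURRENT_PROTOCOLS


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect, complete the handshake and return what the audit needs (needs network)."""
    ctx = make_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"host": host, "protocol": tls.version(), "notAfter": cert["notAfter"]}


def audit_record(record: dict, now=None) -> dict:
    """Turn one fetched record into a finding; pure function so it can be tested offline."""
    days = days_until_expiry(record["notAfter"], now)
    return {
        "host": record["host"],
        "days_left": days,
        "status": classify(days),
        "protocol": record["protocol"],
        "protocol_ok": protocol_is_current(record["protocol"]),
    }


def audit_hosts(hosts, fetch=fetch_peer_cert, now=None) -> list:
    """Audit each host; connection or verification failures become findings, not crashes."""
    findings = []
    for host in hosts:
        try:
            findings.append(audit_record(fetch(host), now))
        except (ssl.SSLError, OSError) as exc:
            findings.append({"host": host, "status": "ERROR", "detail": str(exc)})
    return findings


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: tls_audit.py HOST [HOST ...]")
    for finding in audit_hosts(sys.argv[1:]):
        print(finding)
```

One caveat worth knowing before relying on this: `create_default_context()` rejects an already-expired or untrusted certificate during the handshake, so for live checks those cases surface as `ERROR` findings rather than `EXPIRED`; the `EXPIRED` status is reached when the audit is fed `notAfter` values from an inventory rather than a live connection. Run it on a schedule against the full domain inventory and alert on anything that is not `OK` with `protocol_ok` true.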

Addressing one of the biggest problems in cyber: human error

The second element to reviewing a business’ cyber practices comes down to its people. Mark Belgrove, Head of Cyber Consultancy, Exponential-e, told us that “most businesses, despite having access to advanced protections and the best threat intelligence on offer, remain vulnerable to one key factor: human error. It is a constant vulnerability that can never be fully eradicated. The remote working whirlwind brought on by the pandemic, and the use of corporate devices on less secure home networks, often for personal use, means human error has left organisations vulnerable to even more threats in the last 18 months too.”

The problem comes down to the fact that, “while most organisations want to increase security awareness among their employees, the stark reality is that many don’t know where to begin,” explained Erez Yalon, Head of Security Research at Checkmarx. He added that “fundamentally, implementing a shared cybersecurity responsibility boils down to two tactics; increasing awareness, and providing training. Without awareness, change can’t happen. It’s the first step in helping notice a problem exists, hasn’t been addressed, and that action is needed. Staff must be made aware of their security responsibilities and there needs to be concrete alignment across departments to create a comprehensive and cohesive security program. To further this, ongoing training programs must be implemented as a priority. Often, such training sessions can be tedious, and so organisations should conduct bitesize, interactive lessons, not extensive monotonous ones.”

Jonathan Smee, Information Security Consultant & Technical coach at Grayce, echoes this message, highlighting that “there is a widening skills gap in IT security, with research from Department for Digital, Culture, Media & Sport (DCMS) stating that two-thirds (64%) of cyber firms have faced problems with technical cyber security skills gaps, either among existing staff or among job applicants.” Smee believes “organisations should therefore look to provide continuous learning opportunities and adequate training to keep their employees up to date with the latest cyber threat trends.”

Getting the foundations of your digital business right

The final element we must consider, according to Rick McElroy, principal cybersecurity strategist, VMware and Bill Mason, Senior Project Manager, Distributed, is the foundation on which most of our businesses are now built – software – and the people that build it.

Mason explains that “with the mass transition to remote and hybrid working comes a growing reliance on software to keep us connected and productive, no matter where we’re working from. But as organisations continue to integrate new tools to future proof themselves, they need to consider the security implications. Businesses should be thinking about track and trace – but not as we know it. What this means in the context of distributed workforces is tracking any potential vulnerabilities that are incorporated into third party and open-source libraries when developing software, as well as scanning code and fixing all security issues that are identified to a requisite level.” He adds, “cybersecurity is complex, and one of the best pieces of advice I have received is to ensure that your developers are following appropriate standards. They exist for a reason. They make developers’ lives easier because they give them a framework for reference.”
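The “track and trace” Mason describes, knowing which vulnerable third-party and open-source versions a build pulls in, is what software composition analysis tools automate. The script below is an added example written for this page, not Distributed's or any vendor's code: it reads a pinned requirements file, matches each dependency against advisories with introduced/fixed version ranges (the range idea is borrowed from the OSV schema, but the layout here is an assumption), and flags anything that cannot be audited because it is not pinned. The lockfile, package names and `EXAMPLE-*` advisory identifiers are all constructed for the example and are not real packages or CVEs.

```python
"""Track third-party and open-source dependencies against known advisories.

Added example for this article: a minimal software composition analysis (SCA)
pass over a pinned requirements file. The lockfile, package names and advisory
records are constructed for the example (the EXAMPLE-* identifiers are not real
CVEs); the introduced/fixed layout borrows the idea from the OSV schema but is
an assumption, not a real feed.
"""
import re

# Constructed pip-freeze style lockfile; every package name here is fictional.
LOCKFILE = """\
# generated by pip freeze (constructed sample)
examplelib==1.4.2
fastparse==0.9.0
tokenkit==2.1.0
loosedep>=1.0        # not pinned: cannot be audited reliably
"""

# Constructed advisories. A version is affected when introduced <= version < fixed;
# fixed=None means no patched release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-2021-0001", "package": "examplelib", "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "EXAMPLE-2021-0002", "package": "fastparse", "introduced": "0", "fixed": "0.9.0"},
    {"id": "EXAMPLE-2021-0003", "package": "tokenkit", "introduced": "2.0.0", "fixed": None},
]

_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)$")
_NAME = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> comparable tuple padded to three parts; suffixes are ignored."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_lockfile(text: str):
    """Return ({name: version} for exact '==' pins, [names] for anything else)."""
    pinned, unpinned = {}, []
    for line in text.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not stripped:
            continue
        m = _PIN.match(stripped)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            n = _NAME.match(stripped)
            unpinned.append(n.group(1).lower() if n else stripped)
    return pinned, unpinned


def is_affected(version: str, introduced: str, fixed) -> bool:
    """True when introduced <= version and (no fix exists or version < fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def scan(lockfile_text: str, advisories) -> dict:
    """Match every pinned dependency against every advisory for that package."""
    pinned, unpinned = parse_lockfile(lockfile_text)
    findings = []
    for adv in advisories:
        version = pinned.get(adv["package"].lower())
        if version is None:
            continue
        if is_affected(version, adv["introduced"], adv["fixed"]):
            findings.append({
                "package": adv["package"],
                "version": version,
                "advisory": adv["id"],
                "fix": adv["fixed"] or "no fixed release; mitigate or remove",
            })
    return {"findings": findings, "unpinned": unpinned}


if __name__ == "__main__":
    report = scan(LOCKFILE, ADVISORIES)
    for f in report["findings"]:
        print(f"{f['package']}=={f['version']}: {f['advisory']} (fix: {f['fix']})")
    for name in report["unpinned"]:
        print(f"{name}: not pinned, audit skipped")
```

Against the constructed data this reports `examplelib` (pinned below the fixed release) and `tokenkit` (no fix published yet), clears `fastparse` because 0.9.0 is exactly the fixed version, and lists `loosedep` as unauditable. Two things a production scanner adds that this one deliberately keeps simple: PEP 440 version semantics (pre-releases, post-releases, local versions) instead of a numeric tuple, and normalisation of package names so that `Foo_Bar`, `foo.bar` and `foo-bar` compare equal.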

In McElroy’s opinion, “a lack of common goals between security, IT and developers has long been an issue, one being exacerbated by the potential complexity of today’s multi-cloud, modern app world. Teams are working in silos, and this is having a detrimental impact on a business’ security and its ability to meet objectives.” He believes, one of the biggest problems is that “security is being considered a barrier to developers and IT. We need to move from this towards a scenario where security as a technology is thought of differently. It is there to support the brand, build trust, and optimise app delivery for developers. It’s there to eliminate the false choice between innovation vs. control. This culture shift will enable stronger collaboration between security, developer and IT teams.”

Are you cyber smart?

Cybersecurity is a constantly evolving entity. Hackers are always on the move and it’s common knowledge that they’ll always be on the front foot in one way or another – the best we can do is try and keep up. Taking on board the insights from these industry experts might just ensure you can.