Cybersecurity Awareness Month does exactly what it says on the tin; it reminds us of the critical significance of the cybersecurity sector for businesses and consumers globally.
As we reflect on another year marked by the ever-evolving nature of threats and the growing challenges before us, it’s crucial to acknowledge the existence of cyber threats and our responsibilities in the battle against hackers.
What’s giving CISO's sleepless nights in 2023?
AI-generated threats are essentially the ‘talk of the cybersecurity town’ this year and the most pressing issue on Paul Inglis, SVP, EMEA at ForgeRock’s mind: ”AI is being increasingly weaponised against businesses and consumers to conduct ultra realistic and highly targeted phishing campaigns. It’s increasingly difficult to spot what’s real from what’s fake. While we’ve seen some politicians and celebrities mimicked to cause reputational damage, many other deepfakes are being circulated to steal money or credentials. And all a hacker needs is an Instagram story or a TikTok video to create an audio and video likeness in a matter of seconds.”
And Paul’s not the only one heralding the warning. Simon Horswell, Fraud Specialist at Onfido, states: ”Fraud continues to rise to new levels, enhanced over the last year by the impact of generative AI. Fraudsters are using it to craft scams such as fake IDs, voice cloning, and deepfakes, and as bad actors adopt the latest technology for offensive means, identity verification companies such as Onfido have put in place many defences and are continuously monitoring and mitigating new fraud vectors.”
But it’s not all about AI. The same old threats are still raring their ugly heads. F5’s Threat Research Evangelist, Sander Vinberg, sees credential stuffing as a particularly pertinent ongoing threat: ”Credential stuffing is widely recognized as a fundamental source of cybersecurity risk. It is, in essence, a numbers game.” However, the only silver lining is that the process remains somewhat inefficient: ”It hinges on the fact that people reuse passwords, but the likelihood that any single publicly compromised password will work on another single web property is still small.”
Credential-based threats are also front and centre for Renske Galema, Area Vice President Northern Europe, CyberArk, who states: ”High-profile cyberattacks using stolen or leaked employee logins to breach and hijack entire IT systems are on the rise, but over half (55%) of UK workers still use insecure practices to keep track of their credentials, causing headaches for security teams. Amid ongoing economic turbulence and a continued cyber skills gap, threat actors are continually innovating to access critical data and assets to cause monetary and reputational damage.”
If there’s one vulnerability that has continued to be a thorn in the side of CISOs everywhere, it’s their own employees. Lacework’s CISO, Lea Kissner shares this sentiment: “Insider threats should always be top of mind for CISOs. I worry about what someone can do if they managed to take over an employee’s access (e.g. malware, account hijack), that they might hurt our customers or our coworkers.”
It’s important to acknowledge that even though new threats are emerging on what seems to be a daily basis, the older and ‘less exciting’ methods are just as crucial to guard against.
Talking about guarding, let’s see what experts have to say about keeping businesses and consumers safe.
Protecting in 2023
As more companies continue to digitally transform, moving towards IoT-connected solutions, such as smart appliances, to evolve their business capabilities, David Collins, Product Management EMEA at Cradlepoint, recognises that: ”The best option for them is a converged network and security solution, optimised for 5G, which includes secure access services edge (SASE) principles. As part of these, the Zero Trust Network Access (ZTNA) principle provides a great foundation where the network plays a major role in protecting IoT devices.”
The continued rise in online transactions shows no signs of slowing down, so businesses must ensure their processes are watertight as we look to end the year. Sameer Hajarnis, SVP and GM Digital Agreements at OneSpan agrees: ”With so many high-value transactions conducted online, getting customers to trust that the digital agreements they’re making are secure is top priority. Businesses need to ensure their security measures are bolstered with tighter verification practices, such as continuous identity verification and biometric authentication, and that these are woven throughout the transaction lifecycle.”
While deploying best-in-class solutions is crucial to keeping businesses safe, being fully prepared for the eventuality that an incident occurs is equally important. Jake Moore, Global Cybersecurity Advisor at ESET, recommends: ”Regular data backups are essential to safeguard against data loss stemming from cyberattacks or hardware failures. Simultaneously, maintaining a vigilant watch over your accounts and access on a frequent basis enhances the detection of compromised passwords and personal information. Finally, it’s equally important to account for all your devices – a practice typically undertaken by larger businesses for ongoing risk management purposes as part of a well-defined cyber-resilience plan.”
New training to meet new threats
With the threat landscape ever-evolving, businesses have to ensure they adapt to meet new cybersecurity challenges.
When it comes to training, it all begins with those building our apps, the developers. Veracode’s CTO, John Smith, agrees: ”With the right developer training, businesses can make a big difference to the security of their software. In fact, our research found the completion of 10 training courses correlates to a 12% reduction in the number of flaws introduced by developers. It’s never too late to start. Let this Cybersecurity Awareness Month serve as a reminder for developers to brush up on their cyber safety, and businesses to put in place the right training to make these secure practices stick.”
Ian McShane, VP of MDR at Arctic Wolf, believes there is specific training we should move away from: ”It’s important to remind ourselves that the true goal of this month is to encourage more people to understand and adopt behaviours that protect themselves. My hope is that we focus less on things like “punishment training” when small errors are made, which is the least impactful, and instead focus on things that the average person will benefit from. At the end of the day, the business benefit must be the byproduct, not the entire goal.”
Similarly, Aaron Rosenmund, Director of Security Curriculum and Research at Pluralsight, argues: ”Only 17% of tech workers are completely confident in their cybersecurity skills. This needs to change, and to do so businesses must provide cyber teams with opportunities to practice in low-risk environments, and build confidence.”
As we approach the conclusion of another year of confronting nation-state actors, individual hackers, and employee errors, Cybersecurity Awareness Month serves as a timely prompt to remain vigilant. Security teams must ensure that their organisations are well-informed about the risks they encounter, are equipped to protect themselves and respond to potential cyberattacks, and deliver top-notch training to their employees.
