
Zero Trust

A new age for banking cybersecurity

By Alvin Mills, Vice President of Information Technology & Security, Texas Bankers Association

The open comments period on cybersecurity issues has formally ended. Your action is now required.

It is rare that historical moments are recognized until well past the period in which they happened, but in this case, we are witnessing the age of full adoption and execution to protect the Internet of Things (IoT) in real time. This era will be remembered as the maturation of the connected.

Individuals, businesses, governments or anything that operates online (i.e. everything) must succumb and embrace the reality that data holds more value than we’ve ever realized possible, and we must do our part to mitigate the risk of losing control to someone who does understand that truth.

If you’re wondering when, let me be very clear: The time is now.

Do Your Part. #BeCyberSmart

Now in its 18th year, Cybersecurity Awareness Month continues to raise awareness about the importance of cybersecurity, ensuring that all Americans have the resources they need to be safer and more secure online (CISA.gov).

This year’s theme “Do Your Part. #BeCyberSmart.” is sponsored by the Cybersecurity & Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA). It encourages individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity.

A new premium for data

Whether as an individual or a company, the monetary value of our data continues to rise as more systems become reliant on interconnectivity. We’ve all seen the headlines about companies paying tens of millions in ransomware attacks from hackers that hold customer accounts hostage. The value of personal data varies, but there's no question companies are making billions. It wasn’t long ago that telecom companies would allow you to opt out of collecting your data for $90 per year. This cost was in addition to the service fee an individual paid for cable, internet or phone service.

DID YOU KNOW?

BOTS
Bots are a type of program used for automating tasks on the internet. Malicious bots can gather passwords, log keystrokes, obtain financial information, hijack social media accounts, use your email to send spam or open back doors on the infected device.

PHYSICAL CYBER ATTACKS
Physical cyber attacks use hardware, external storage devices or other physical attack vectors to infect, damage or otherwise compromise digital systems. This can include USB storage devices, CD/DVD or Internet of Things (IoT) devices. They can do anything from installing ransomware and copying or modifying information on systems to dismantling networks.

SOCIAL ENGINEERING
Cybercriminals can take advantage of you by using information commonly available through social media platforms, location sharing or even in-person conversations.

OTHER AVENUES OF ATTACK
Any device connected to your network can be an avenue of attack: smart devices, mobile phones, thermostats, vehicles, gaming consoles, printers, medical equipment or industrial systems.

Hacking into a personal account or any business is becoming more profitable every day, and getting into one account may result in getting into more accounts. In today's environment, every individual’s data carries intrinsic value to a hacker.

With stakes like this, why wait?

I learned very early in my career the importance of security awareness training. Many years later, I still believe it is our most important, cost-effective method of securing our organizations, our families, our nation and our customers. Sadly, it appears we’re still learning lessons the hard way.

In most instances, the quickest way to get budget allocation for training is to experience a data breach or hack firsthand. I dare say this approach isn’t optimal, especially when there are far less painful solutions available. Even if executive committees and boards aren’t requesting it, you should still present data along with statistics on the impact of a hack. Make sure the scenarios and consequences are realistic, because not everything is a “Mission Impossible” type of event. The goal should be to prove that waiting is no longer cost effective.

This is especially true when you consider a study by IBM affirming that human error is the main cause of 95% of cybersecurity breaches. In other words, if human error were somehow eliminated entirely, 19 out of 20 cyber breaches might not have taken place at all!

Changing the culture

To be successful in protecting yourself, as well as any organization or business, you must accept that actual change happens on a cultural level — the same way diets don’t work by eating a salad when you follow it up with a large pizza and a quart of soda. Don’t follow the well-established path of minimal effort that is accompanied by little impact — I’ve seen groups sign up for a cybersecurity newsletter and forward it out to the masses as their entire cybersecurity plan.

Make cybersecurity a priority and change the culture. Two excuses I hear more than any others are “I’m not technical” or “I don’t understand security.” Think of it as learning to drive a car. We don’t have to be as knowledgeable as Richard Petty to drive a car. But we do all have a responsibility to learn how the brakes work, how the car performs on different surfaces, what a turn signal is used for and what the different road signs mean in order to drive sensibly.

Technology has advanced. Sometimes it is hard to keep up, but it is unquestionably part of our ethos — our very existence — and there is no turning back.

As a part of our awareness training, I periodically send out a very well-crafted phishing scam highlighting the red flags. Even though we’ve invested in security tools to prevent and protect our organization, it is still a good idea to send a reminder or refresher. Low cost, high reward. If you’re a cybersecurity professional, information technology professional or a member of the C-Suite, always remember patience is a virtue. Lead by example, set the bar high and train, train, train.

Excuses are gone, accountability is here

Being part of a digital world means being a potential target. However, we still continue to hear many of the same excuses for not taking cybersecurity seriously. One I frequently hear is “we’re too small of a company to be a target.” According to a Forbes article, 57% of small business owners feel they won’t be targeted for cyberattacks. In reality, as reported by the Verizon Data Breach report, small businesses are target #1 for criminals and represented 43% of all data breaches.

Criminals see a benefit from attacking small businesses. They can be the entry point to invade the networks of larger companies with whom they do business. As we’ve said for years, third-party risks are among our greatest.

A good case in point is the recent Target data breach. Hackers gained access to Target servers through stolen credentials of a third party. They basically phished the third party for this information, which turned out to be a local HVAC company that was absolutely convinced it was too small. I am willing to wager none of their employees had ever been exposed to cybersecurity training.

Every bank of any size is a potential or even likely target. Allow me to remind you of what the infamous early 20th century bank robber Willie Sutton postulated as his motivation: “Because that’s where the money is.” Banks have been a target since the beginning of the industry, which led to the creation of some creative ways to combat bank robbers. Various tactics are still in place, such as using armed transport, but we’ve also evolved. Instead of stagecoaches, it’s now armored vehicles. Cybersecurity is just the next step in this evolution.

Zero Trust era begins

Trust oftentimes unnecessarily enters the fray when newly imposed security measures are put into place. That’s when we hear “We trust our employees” or “Don’t you trust me?” Security measures aren’t about assigning value to our personal relationships. They are about accepting the evolution of technology and understanding the role it plays in our lives.

For example, when rolling out multi-factor authentication (MFA), employees will often say they have a strong password, but don’t divulge their use of that same password on social media sites, bank accounts, personal email accounts, etc. The bottom line is humans make mistakes.

I can verify this by reviewing the business email compromise report each month. In one report: 220 emails found, 171 identities found and 135 unique breaches. Users were found in publicly available breaches that contained either cleartext passwords or password hashes. Credential information such as this makes these users prime targets for attackers who may be able to use just this data alone to gain unauthorized access to systems. So don’t second-guess why you use MFA.

To be successful, we need to embrace the “zero trust” digital movement now under way. It’s the catchy slogan this year for cybersecurity, and it is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeter, but instead must verify anything and everything trying to connect to their systems before granting access. It can be done, but we have to change the company culture.
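To make the zero trust idea concrete, here is an added illustration (not from the article or the Texas Bankers Association) contrasting a legacy perimeter rule with a deny-by-default access decision that requires verified identity, MFA and a managed device no matter where the request originates. The internal address range and the two sample requests are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed internal address range; a real deployment would use its own.
CORPORATE_LAN = ip_network("10.0.0.0/8")


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    authenticated: bool    # identity verified by the identity provider
    mfa_passed: bool       # second factor completed for this session
    device_managed: bool   # endpoint enrolled and reporting compliant
    resource: str


def _location(req: AccessRequest) -> str:
    return "internal" if ip_address(req.source_ip) in CORPORATE_LAN else "external"


def perimeter_decide(req: AccessRequest) -> dict:
    """Legacy 'castle and moat' rule: being on the LAN is treated as trust."""
    location = _location(req)
    allowed = location == "internal"
    failures = [] if allowed else ["outside perimeter"]
    return {"allowed": allowed, "failures": failures, "location": location}


def zero_trust_decide(req: AccessRequest) -> dict:
    """Deny by default; every check must pass wherever the request came from."""
    checks = [
        ("identity not verified", req.authenticated),
        ("MFA not completed", req.mfa_passed),
        ("device not managed", req.device_managed),
    ]
    failures = [reason for reason, ok in checks if not ok]
    # Source network is recorded for the audit trail only; it never grants access.
    return {"allowed": not failures, "failures": failures, "location": _location(req)}


# Constructed sample requests: an insider without MFA and a verified remote user.
INSIDER_NO_MFA = AccessRequest("alice", "10.1.2.3", True, False, True, "core-banking")
REMOTE_VERIFIED = AccessRequest("bob", "203.0.113.7", True, True, True, "core-banking")

if __name__ == "__main__":
    for req in (INSIDER_NO_MFA, REMOTE_VERIFIED):
        print(req.user, "perimeter:", perimeter_decide(req)["allowed"],
              "zero trust:", zero_trust_decide(req))
```

The insider without MFA is waved through by the perimeter rule but denied under zero trust, while the verified remote user is the reverse; that reversal is the cultural change the article describes.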
