It’s that time of year again — Oct. 1 marks the start of National Cyber Security Awareness Month (NCSAM). Now in its 16th year, NCSAM is designed to help enterprises and end users better address specific challenges and identify key opportunities for positive change.
This year, the month-long messaging focuses on a trifecta of security themes: encouraging personal accountability, developing proactive behavior and drawing attention to careers in cybersecurity. It’s a model of shared responsibility that recognizes a critical shift in security as the line between our online and offline lives becomes indistinguishable. The eventual destination will be a unified approach that treats all data as valuable and all users as cybersecurity stakeholders.
But to get where we’re going, we need to know where we’ve been. Here’s a quick look back at the state of cybersecurity in 2019 and how this year’s NCSAM themes can help boost infosec impact.
The Year in Review
Cybersecurity in 2019 was defined by two key trends: lack of staff and abundance of risk. As noted by ISACA’s “State of Cybersecurity 2019,” 58 percent of companies surveyed have unfilled infosec positions, and 69 percent said their IT security teams are understaffed. Sixty percent of security professionals said cyberattacks are “likely or very likely” this year, and half believe that most organizations underreport the amount of cybercrime they experience — even when reporting is mandatory.
This year, top threats included:
- Phishing — The old hook-and-sinker standby remains popular because it works. As Small Biz Trends reported, approximately one in every 99 emails is actually a phishing attack, and 30 percent of these malicious messages make it past security systems.
- Insecure APIs — Custom-built and open-source APIs are on the rise to help organizations streamline app development, but they also present an opportunity for hackers if code isn’t properly encrypted and access isn’t effectively gated.
- Lacking data defense — 2019 saw more than its fair share of high-value data stored on improperly secured servers and databases. In some cases, data lacked even basic password protection and could be easily found using publicly available tools.
- Misconfigured clouds — As noted by Symantec’s “2019 Internet Security Threat Report,” misconfigured clouds cost companies millions in stolen records and compliance failures.
- Insider threats — While external actors often top IT worry lists, 60 percent of organizations experienced an insider attack over the last 12 months. Accidental or malicious, the results are the same: increased risk.
National Cyber Security Awareness Month 2019 Themes
Shifting away from the week-by-week approach of previous years, NCSAM 2019 features three overarching themes:
- Own IT — Take responsibility for IT security at all levels — from social media to mission-critical apps.
- Secure IT — Take steps to secure IT behaviors and limit attacker success.
- Protect IT — Take action to protect both device connections and data collection across the organization.
The Own IT theme focuses on encouraging personal accountability for user actions. While IT security has long been considered the domain of technology teams and C-suite executives, the democratization of mobile devices, cloud resources and always-on connections has created an environment of shared access that lacks the critical balance of shared responsibility.
Without a shared sense of security ownership, organizations face key challenges, including accidental oversharing of privileged data on social media sites and device applications given too-broad permissions — paving the way for potentially malicious code to infect corporate networks. With the vast majority of mobile applications still insecure by default, according to Forbes, and IT pros unable to keep pace with the rapid uptake of personal devices in the workplace, shared ownership of IT becomes fundamental to security.
Security teams can help end users own IT across the following key areas:
- Social media — Social media offers both the potential for collaboration and the risk of compromise. Here, education is critical to help users own their social behavior and recognize potential pitfalls.
- Privacy settings — The less shared, the better. Privacy settings should be set to limit who can see new posts, make comments or share data.
- Application use — Many apps ask for permissions they don’t need. By working with staff to vet potential apps and using mobile application management tools to detect suspicious behavior, security teams can strike a balance between responsibility and risk.
NCSAM’s Secure IT theme speaks to the need for stronger security practices that both protect day-to-day behaviors and reduce overall risk. This is critical in a world where users spend more than five hours per day on connected devices, according to ZDNet. Smartphones, tablets and wearables are no longer additions to the everyday user experience — they form its core. As a result, more and more behaviors that were once conducted offline — such as financial and healthcare transactions — are taking place across a shared public resource.
But security best practices aren’t keeping pace with technological advancements: Users are still choosing exceptionally bad passwords and, according to Proofpoint, $1.2 billion was lost last year to email compromise attacks. For security teams, this means even small changes to typical behavior can help secure IT environments and limit potential exposure.
Best practices to help secure IT include the following:
- Promote better passphrases — Passwords are naturally insecure, offering little protection against automated or artificial intelligence (AI)-driven attacks. Strong, unique passphrases can help staff remember login credentials and frustrate hacker efforts.
- Factor in better authentication — Single-factor authentication makes it easy for attackers to gain access if they compromise usernames and passwords. Multifactor authentication (MFA) solutions that leverage text messages, tokens or biometric data provide a substantial security boost.
- Teach users to spot the hook — Phishing works. Teach users to spot the shiny hook of social engineering by looking for emails that are overly urgent, don’t follow typical formats or include unexpected attachments.
Protect IT focuses on the potentially risky practices of connection and collection. With wireless device connections now commonplace and companies collecting data at unprecedented speed and scale, protecting both how users access information online and what they do with that information is critical to safeguard both IT systems and corporate reputation.
In many cases, users don’t recognize their actions as risky — with public Wi-Fi hotspots now ubiquitous, what’s the harm? As CSO Online pointed out, massive WPA2 flaws mean that most free Wi-Fi networks are inherently insecure. Collection of customer data, meanwhile, is essential to deliver value-added services that can keep pace with consumer expectations. But how this data is collected, handled, stored and eventually destroyed is now governed by multilayered, geographically diverse compliance requirements. Failing to meet regulatory expectations could result in fines, business sanctions and reputational damage.
To reduce risk and protect IT, security teams must implement the following:
- Regular security updates — Platforms, browsers and operating systems must be regularly updated to minimize overall risk. Your best bet is to establish a schedule to ensure this happens on time, every time.
- Wi-Fi safety training and technology — Public Wi-Fi carries risk, but internal Wi-Fi networks can also be compromised. IT staff must deploy key defensive measures, such as real-time network monitoring and virtual private networks (VPNs), to safeguard internal connections and teach staff how to recognize insecure connections.
- Secure data handling practices — Organizations must practice due diligence in data handling to meet compliance requirements. Here, robust identity and access management (IAM) solutions help ensure the right users have access to the right data at the right times, while strong encryption helps boost data defenses.
This year, National Cyber Security Awareness Month’s focus is clear: Cybersecurity is no longer confined to offices and corporate networks — IT is everywhere, any time and on any device. Improving cybersecurity means owning IT with shared responsibility, securing IT with behavioral best practices, and protecting IT with training and technology support.
Stay tuned all month for more NCSAM 2019 content from SecurityIntelligence!