Cybersecurity Awareness Month: Are you covering all bases?

With 39% of UK businesses, 36% of primary schools and 26% of charities reporting a cyber attack over the last year, it’s clear that cybersecurity is an issue that no organisation or individual can afford to ignore. However, it can all too easily fall down the priority list. Therefore, as we reach the end of Cybersecurity Awareness Month, it’s worth taking the time to recommit to strong cybersecurity. 

As Christopher Rogers, Technology Evangelist at Zerto, a Hewlett Packard Enterprise company, states: “Cybersecurity Awareness Month offers the opportunity to examine our own internet security habits and ensure that the correct infrastructures are in place to handle the ever-present threat of a cybersecurity attack.”

With that in mind, FE News spoke to 14 experts to get their insights on best security practices. 

Back to basics

Many of the fundamentals of good cybersecurity are relatively simple, yet are still too often forgotten. When reevaluating your security strategies, it’s worth taking the time to ensure that all of the basics are in place.

For example, Andy Bates, Practice Director – Security at Node4, highlights the importance of effective passwords: “Even with multi-factor authentication and other access controls in place, having a good base password is important. It is your first and last line of defence. 

“There is much debate on how to get a good password – a mixture of upper and lowercase letters, mixed with numbers or special characters, using three words or a memorable phrase. This is all great advice – a password like f1shridesb1Cycle or manb1tesd0g is very complex to guess, but a phrase that will stick in your mind (hopefully!). At the end of the day, the longer the password is the better. It takes seconds to crack a 6 letter lower case password but 10 years for an 11 character password.” 

“Whilst often taken for granted, passwords are the first line of defence against malicious activities in the digital space. Using different passwords for different sites and services, regularly changing passwords, and implementing Multi-factor authentication (MFA) where possible, is key,” agrees Raffael Marty, General Manager of Cybersecurity at ConnectWise.

Donnie MacColl, Senior Director of Technical Support at HelpSystems, urges everyone to “go ahead, grab a coffee and take timeout to change all your passwords to be unique and difficult to guess, and make sure all your software is on the latest version to reduce the chance of attack. You’ve got this, and if you are not sure of the best way to be secure, just ask!”

The risk of insider threats

Often time, effort, and resources are spent defending organisations from outside attacks, meaning a key risk factor is often overlooked: the insider threat. As Eric Bassier, Senior Director Products at Quantum, explains, “cybersecurity threats are not always the result of malicious actors. With research indicating that employees account for 63% of all incidents, cybercriminals are discovering new and innovative ways to trick employees with ransomware-enabling links. The effects of these attacks can result in complex malware destroying computers and computer systems, with organisations suffering data loss and credential theft.”

One way of dealing with these kinds of insider threats is User and Entity Behaviour Analytics (UEBA). “This technology uses machine learning to create a baseline of employee and system activities, learning patterns and understanding what a normal day, week, and month looks like to a business,” outlines Matt Rider, VP of Security Engineering EMEA at Exabeam. “Once this has been established, any deviations from the norm are flagged instantly and the IT team can take immediate action to remediate a potential threat.”

Insider threats must also be considered at the development stage, notes Yakir Kadkoda, Lead Security Researcher, Team Nautilus at Aqua Security, who warns of the risks of cote leakage. “It’s vital to have secure development processes in place, with SAST and DAST scans as well as secret scans,” he argues. “For best practice, developer teams should treat all of their code as if it were open source. Teams working on open source projects are used to assuming their code is visible to everyone, and work to ensure that it has as few vulnerabilities as possible. The aim should be to create code that will cause minimal damage if it’s exposed.”

Time for training

One way to reduce the risk of insider threats is to install a strong cyber security culture. As Scott Boyle, Head of Information Security, Totalmobile, outlines: “It’s crucial that organisations ensure that all of their employees are fully trained in the latest cybersecurity measures so that they can avoid any kind of insider risks. It’s also important that organisations – where possible – implement mobile solutions that have strong cybersecurity measures built in, so that they are protected even when out on the road.” 

“Cybersecurity training is vital to defend against phishing attacks and malicious threats,” adds Okey Obudulu, CISO at Skillsoft. “However, it can’t be a half-hearted effort. Too often, cybersecurity training is seen as a one-off quarterly session, bolted on to the employees’ ‘real’ work. Instead, it should be incorporated into day-to-day activities, so there is always a strong engagement with security policies. Ensuring cybersecurity personnel are engaged with and directly feeding into training is the best way to ensure the entire workforce is fully aware of its responsibilities.” 

“All it takes is a single slip-up to potentially damage not only your organisation’s bottom line, but its reputation and trust with partners, customers, and employees,” adds Daniel Marashlian, CTO at Drata. “To mitigate these risks, implementing a strong cybersecurity program that works alongside your compliance program can serve as a critical protection layer, keeping your data away from would-be attackers.

“By establishing cybersecurity standards in your teams and baking security awareness into the company-wide culture, organisations can empower their employees with the first tool for defence— education.”

Richard Barretto, CISO at Progress, agrees: “Many recent high-profile breaches have been the result of successful phishing attacks or the malicious use of multi-factor authentication (MFA). Things like preparing employees with how to handle MFA fatigue or deploying a phishing simulation program are easy ways to keep your teams engaged and alert. To initiate measurable change within your organisation, training and communication efforts should be consistent and not only focus on behaviours for employees to follow at work – but can help protect them at home too.”

Prepare for the worst

The final crucial component of any cybersecurity strategy is understanding that even the best defence may not always be enough. It’s therefore vital to prepare for the worst. 

“This Cybersecurity Awareness Month and beyond, organisations should take proactive steps to enhance cybersecurity, such as updating incident response plans, prioritising company-wide cybersecurity awareness training, and limiting access to critical data on a ‘business need to know’ basis,” explains Jeff Sizemore, Chief Governance Officer at Egnyte. “It’s time that cybersecurity is no longer considered to be an optional budget line-item. Cybersecurity is not just something that highly regulated industries or critical infrastructure need to be concerned with; today’s environment has made this a necessity for all organisations, no matter the size or tenure.”

Gal Helemski, CTO and co-founder at PlainID argues that “organisations must adopt a “Zero Trust” approach, which means trusting no one to begin with – and revalidating the identity is approved for access at every stage, based on context. Building a strong defence is fantastic and much recommended as a layer for staying protected against adversaries. However, once a user is compromised, especially one with administrative credentials, they are already in your network and limiting movement is key to avoiding continental damage and risk.”

Another way to limit the damage is to ensure that data is recoverable. Hugh Scantlebury, CEO and Founder of Aqilla, advises organisations to “check whether disaster recovery and automated backup are taking place (and with what frequency) within your SaaS environments. That way, if the worst does happen and you’re stung with a DDoS or other malware attacks, you can quickly recover your data. This is essential as a quick recovery means you’ll get back to regular business without impacting customer service or breaching any data protection regulations.”

Eric Bassier, Senior Director Products at Quantum, agrees, asking: “How can organisations truly see themselves in cyber and create an appropriate recoverability system in the event of an attack?”

“The answer is to keep three copies of data – one primary, plus two backups – and to keep those backups of different media types like disk and tape. For a company’s primary backup storage, they need to integrate a high-speed disk or flash-based infrastructure which employs immutable snapshots to protect backup datasets. For the last line of defence, tape libraries should be utilised, providing an option for secure, offline storage to keep a copy of the data in the case of a damaging attack.”

If organisations can keep all of these tips in mind, and work to build a strong cybersecurity culture, they stand a much better chance of avoiding or recovering from cybersecurity attacks.