
Another Cybersecurity Awareness Month Has Passed and Little Has Changed

Last month we celebrated the 18th year of Cybersecurity Awareness Month, which was previously known as National Cybersecurity Awareness Month. Under the slogan “Do Your Part. #BeCyberSmart”, the Cybersecurity and Infrastructure Security Agency (CISA) together with the National Cyber Security Alliance (NCSA) each year encourage individuals and organizations to own their role in protecting cyberspace by emphasizing personal accountability and the importance of taking proactive steps to enhance cybersecurity.

Unfortunately, not much has changed since last year. Cyber breaches are bigger and worse than ever. Hardly a week goes by without headlines about some new devastating cyberattack. In fact, the Identity Theft Research Center reports the number of data breaches so far this year has already surpassed the total number in 2020 by 17 percent.

And, when it comes to breaches, the sudden shift to remote working hasn’t helped either. Many companies had to adopt a “move first, plan later” approach and leave behind the network-centric security bubble that allowed IT teams to own and control most of the network. Ultimately, punching holes in existing security controls in the name of business continuity created vulnerabilities and exposed many organizations to increased risks. Cyber adversaries capitalized on the rapidly changing environment by intensifying their attacks and targeting the weakest link in the attack chain – the remote worker.

Despite all the new technologies, strategies, and artificial intelligence being employed by security experts and threat actors alike, one thing remains constant: the human element. As humans we’re fallible — a fact that threat actors frequently exploit when launching phishing and social engineering campaigns to establish a foothold in their victim’s IT environment. Ultimately, hackers don’t hack in anymore—they log in using weak, default, stolen, or otherwise compromised credentials.

The reality is that many breaches can be prevented using some basic cyber hygiene tactics, coupled with a Zero Trust approach. Yet most organizations continue to spend the largest percentage of their security budget on protecting their network perimeter rather than on security controls that can actually effect positive change in protecting against the leading attack vectors: credential abuse and endpoints serving as main access points to an enterprise network.

This is a big mistake. Implementing an effective enterprise security strategy requires an understanding of hackers’ tactics, techniques, and procedures (so-called TTPs). In this context, it is vital for security practitioners to review the entire cyberattack lifecycle to gain a full grasp of the areas that need to be addressed as part of an in-depth cyber defense approach.

Here are three best practices for defeating most attacks, hopefully making the need for future Cybersecurity Awareness Months obsolete.

Go Beyond Passwords

Simple static passwords are not enough, especially for sensitive enterprise systems and data. With static passwords, how are you supposed to know if the user accessing data is the valid user or just someone who bought a compromised password from the millions that can be found on the Dark Web? You can’t trust a static password anymore. Organizations need to realize that multi-factor authentication (MFA) is the lowest-hanging fruit for protecting against compromised credentials.

Focus on What Matters Most

Gartner estimates that global spending on cybersecurity will hit $155 billion annually in 2021, yet the breaches keep on coming. That’s probably because a large chunk of that money is being funneled toward solutions that neither address modern security problems nor cover the ever-growing attack surface of modern enterprises. Hackers, for their part, are taking advantage of the fact that organizations and their workforce are relying on mobile devices, home computers, and laptops to connect to company networks to conduct business. In turn, these endpoint devices become the natural point of entry for many attacks. In fact, a recent Ponemon Institute survey revealed that 68 percent of organizations suffered a successful endpoint attack within the last 12 months.

Understanding the whole cyberattack kill chain, not just its tail end, and focusing on initial attack vectors like endpoints provides a roadmap for aligning preventive measures with today’s threats. It is vital to maintain granular visibility and control over access points to prevent and remediate vulnerabilities that can and often will surface on them. In today’s work-from-anywhere era, assuring endpoint resilience is a vital element of a successful in-depth cyber defense strategy.

Put Your Trust in Zero Trust

Zero Trust means trusting no one – not even known users, applications, or devices – until they have been verified and validated. Zero Trust principles help enterprises enforce dynamic, contextual network access policies to grant access for people, devices, or applications. This entails analyzing device posture, application health, network connection security, and user activity, and then enforcing pre-defined policies at the endpoint rather than via a centralized proxy.

For most organizations, the path to Zero Trust should start with identity paired with endpoint resilience to create a more secure work-from-anywhere user population. Applying Zero Trust principles can help companies avoid becoming the next breach headline, including the brand damage, customer loss, and value degradation that typically comes with it.

Conclusion

Organizations have to assume that bad actors are in their networks already. Before the next Cybersecurity Awareness Month comes along, companies across all industries should consider moving to a Zero Trust approach, powered by additional security measures such as MFA and endpoint resilience. This will help them stay ahead of the security curve and ultimately remove the need for an awareness month after all.

Torsten George is currently a cyber security evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).