Everyone should be concerned about cybersecurity, especially as adversaries launch a wide range of cyberattacks on the nation’s businesses and institutions, disrupting how people live, work, conduct business and seek services from the government.
According to Verizon’s 2022 Data Breach Investigations Report, 82 percent of breaches this year involved the human element. Whether the breaches were the result of stolen credentials, phishing, misuse or simply an error, people continue to play a significant role in incidents and breaches.
Cybersecurity is not just about the technology; it is also about people.
So “See Yourself in Cyber” is an apt theme for this year’s Cybersecurity Awareness Month.
This year’s campaign illustrates that cybersecurity is complex, but it is really about the people, according to the Cybersecurity and Infrastructure Security Agency (CISA). To that end, this October the focus is on the “people” part of cybersecurity, ensuring that everyone, from individuals to organizations, makes smart decisions whether they are on the job, at home or in school.
CISA and the National Cyber Security Awareness System recommend four things that people can do throughout this month and beyond:
- Enable Multi-Factor Authentication
- Use Strong Passwords
- Recognize and Report Phishing
- Update Your Software
See Yourself in Cyber No Matter Your Role
Cybersecurity is part of a large ecosystem, from individuals working from home or in the office, to vendors and suppliers who must prevent incidents at their locations or further down the supply chain, to owners and operators of the systems that support critical infrastructure. Everyone is part of a larger system of networks, susceptible to sophisticated and stealthy attacks that are wreaking havoc worldwide.
Intrusions on the Rise
Intrusions are intensifying as complexity in networks and technology escalates. Over the past year OverWatch, CrowdStrike’s managed threat hunting service, observed a nearly 50 percent increase in interactive intrusion campaigns. In the most recent quarter, from April to June 2022, OverWatch uncovered more intrusion campaigns than in any previous quarter, according to the 2022 Falcon OverWatch Threat Hunting Report. Technology, telecommunications, healthcare, manufacturing and academia were the top five industries most frequently targeted by interactive intrusion activity.
Companies, large and small, must establish “real, robust internal security programs” to look at risk in a meaningful way—whether the risk is the insider threat or a cyber threat, Robert Sheldon, director of public policy and strategy with CrowdStrike, said during testimony at a recent Senate hearing on Protecting American Innovation.
Security Awareness Training: A Growing Necessity
At the same time, organizations need to establish a mature security awareness program to reduce human risk. An awareness program can help reduce risk by changing how people think about cybersecurity. Employees must be effectively trained about potential threats to their company’s information and how to avoid situations that might put their organization's data at risk.
According to The SANS 2022 Security Awareness Report: Managing Human Risk, the top concerns of security awareness professionals are:
- Phishing
This includes any type of phishing attack, including email-based phishing, SMS-based smishing, and voice-based vishing.
- Business Email Compromise (BEC)
BEC, or CEO Fraud, is a highly targeted, fraud-based attack that normally targets an organization’s accounts payable department. The attacker crafts a believable email requesting either a payment or a change in payment information.
- Ransomware
Most ransomware infections start either with a phishing attack or with the exploitation of weak passwords; both are human-based risks.
Don’t Give Applications Short Shrift
A year and a half ago, the White House released the President’s Executive Order on “Improving the Nation’s Cybersecurity,” with a focus on zero trust and endpoint detection and response (EDR) solutions to better identify, deter, protect against, and respond to cyberattacks. It’s a model that any organization can follow.
Zero trust is based on the tenet that no network can be inherently trusted. Agencies must achieve specific zero trust security goals by the end of Fiscal Year (FY) 2024, according to the Office of Management and Budget (OMB). These goals are organized using the zero-trust maturity model developed by CISA. The model describes five complementary areas or pillars: identity, devices, networks, applications and workloads, and data, with three themes that cut across these areas: visibility and analytics, automation and orchestration, and governance.
While all the pillars are important, it is crucial that agencies pay particular attention to application security. Agencies are instructed to treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
These actions are critical considering findings in application security vendor Veracode’s latest software report. Compared to other sectors, applications used by government agencies have the highest rate of known security flaws, according to the State of Software Security (SOSS) annual report. Analyzing data from 20 million scans and half a million applications, researchers found security flaws in 82 percent of public sector applications.
We Are All Interconnected
In today’s world, the digital infrastructure we rely on for every aspect of our lives is deeply interconnected using shared communications, software, and hardware. As a result, our organizations are susceptible to vulnerabilities on a global scale.
Here at Yes&, we recognize that cybersecurity is a shared responsibility. We are doing our part, applying multi-factor authentication, flagging colleagues about suspicious email and the latest security alerts, and keeping security patches and controls up to date. At the same time, Yes& works with leading cybersecurity and technology companies at the forefront of ensuring that our interconnected world is safe for everyone, and that the nation’s critical infrastructure is resilient enough to withstand all manner of attacks. For these companies and their government and business clients, cyber hygiene, resilience, and vigilance are a 24/7/365 responsibility, all starting with the human element.