National Cybersecurity Awareness Month (NCSAM) is now in its 18th year, initially launched by the Department of Homeland Security and the National Cyber Security Alliance to ensure organizations and consumers are ready to take on the cybersecurity landscape.
Since its inception, Cybersecurity Awareness month has grown exponentially, reaching consumers, small and medium-sized businesses, corporations, educational institutions and others across the U.S.
This year, ransomware attacks have disrupted schools, healthcare organizations, fuel pipelines, food suppliers, and several organizations, often resulting in disruptions that have impacted public health, the supply chain, and national and economic safety and security.
The theme for 2021 is ‘Do Your Part. #BeCyberSmart,’ helping to empower individuals and organizations to own their role in protecting their part of cyberspace.
Throughout October, the National Cyber Security Alliance will focus on the following areas in promotions and outreach:
October 1: Kick-off
The National Cyber Security Alliance and the Cybersecurity and Infrastructure Security Agency invite you to celebrate Cybersecurity Awareness Month 2021 this October to raise awareness about the importance of cybersecurity and ensure that all individuals and organizations have the information and tools they need to be safer and more secure online. “Do Your Part. #BeCyberSmart.”
Week of October 4 (Week 1): Be Cyber Smart
As our lives have become increasingly dependent on technology, virtually all personal and business data is kept on internet-connected platforms, which can become a gold mine for bad actors. The first full week of Cybersecurity Awareness Month will highlight best security practices and focus on general cyber hygiene to keep your information safe. Own your role in cybersecurity by starting with the basics. Creating strong passwords and using multi-factor authentication, backing up data, and updating software are great places to start. This is a great way to Do Your Part #BeCyberSmart!
Week of October 11 (Week 2): Fight the Phish
Phishing attacks and scams have thrived since the COVID pandemic began in 2020, and today, phishing attacks account for more than 80 percent of reported security incidents. Week 2 of Cybersecurity Awareness Month will stress the importance of being wary of emails, text messages or chat boxes that come from a stranger or someone you were not expecting. Think before you click on any suspicious emails, links or attachments and make sure to report any suspicious emails if you can!
Week of October 18 (Week 3): Explore. Experience. Share – (Cybersecurity Career Awareness Week)
Week 3 of Cybersecurity Awareness Month will highlight the Cybersecurity Career Awareness Week led by National Initiative for Cybersecurity Education (NICE). This is a week-long campaign that inspires and promotes the exploration of cybersecurity careers. Whether it’s students, veterans, or those seeking a career change, the dynamic field of cybersecurity is rapidly growing and has something for everyone.
Learn more about Cybersecurity Career Awareness week here.
Week of October 25 (Week 4): Cybersecurity First
Week 4 is all about making security a priority. For businesses, this means building security into products and processes. Make cybersecurity training a part of employee onboarding and equip staff with the tools they need to keep the organization safe. For individuals, keep cybersecurity at the forefront of your mind as you connect daily. Before purchasing a device or online product, do research. When setting up a new device or app, consider security and privacy settings and update default passwords. Cybersecurity should not be an afterthought.
Commenting on the significance of NCSAM, here, security leaders provide best practices and champion preparedness. Read on, and feel free to reach out with any feedback.
Josh Rickard, Security Solutions Architect, Swimlane:
Cybersecurity Awareness Month serves as a timely reminder for companies to reevaluate their cybersecurity posture after a tumultuous year of cyberattacks across industries.
The dramatic spike in ransomware and supply chain attacks illustrates that every company, regardless of vertical, is a software company, and security will only continue to rise in importance when it comes to ensuring the continued operations of the business.
To protect valuable information and prevent breaches, enterprises must invest in multi-faceted platforms that centralize and automate detection, response and investigation protocols. Security teams need complete visibility into IT environments, and the ability to respond in real-time to limit the consequences should a cyberattack occur.
By automating and centralizing security processes, organizations can reduce the chance of human error while achieving infinitely smoother execution of security-related tasks and ultimately ensuring that highly sensitive personal information is kept safe and secure.
Jason Rebholz, CISO, Corvus Insurance:
In light of Cybersecurity Awareness Month, it’s critical for organizations to focus on where they can multiply their security efforts. As we look back on 2021, we saw Cyber Insurance pushed into a negative spotlight, raising concerns that it may have contributed to the rise in ransomware attacks. It’s crucial that we dispel the falsehoods and instead educate on the positive impact cyber insurance has for organizations individually and industries as a whole.
Insurance carriers are an integral component of setting minimum standards for security solutions and technologies across all industries. There is a shared interest between insurance carriers and their policyholders to mitigate risk and keep businesses up and running free of security incidents. Carriers can become an ally and force multiplier for organizations of every size by delivering access to best practices and more affordable security solutions that don’t compromise on quality. Organizations that implement cyber insurance will undoubtedly be better armed to protect themselves against the growing cyber threat environment.
James Hadley, CEO and co-founder of Immersive Labs:
Although cybersecurity awareness should stretch further than one month, October serves as an important reminder that organizations should be preparing their teams for cyber threats year-round, no matter how big or small.
This year has made it abundantly clear that cyber risk management cannot be left to just a few experts in the security team. Cyber risk now impacts financial, reputational, regulatory, legal, and technical teams. That means the responsibility for mitigation and response now falls on a much broader range of people across the entire workforce. All must be ready to respond and should have the necessary knowledge, skills and judgment to mitigate this ever-growing, fast-paced risk.
Stephen Cavey, co-founder and Chief Evangelist, Ground Labs:
First, I advise organizations of any size to collect only the data they need. When it comes to personal data, particularly medical-related data, there is no such thing as “nice to have” — only what you must collect in order to run your business and deliver your product or service. The consequences of over-collecting personal data are highly visible as the number of reported data breaches continues to rise.
Secondly, this sensitive data must only be accessible on a “need-to-know” basis, and organizations should set that “need-to-know” threshold at the highest possible level. When we think about security within our organizations, we often forget that employees do represent a significant risk to the likelihood of a security breach, which often occurs without their awareness due to an unintended action such as clicking on a malicious email. With a dispersed workforce becoming the norm, ensuring that employees understand the required confidentiality and appropriate handling of customer data is critical to meeting increasingly challenging privacy regulations and ultimately honoring the trust that a customer has placed on your organization with their data.
Finally, with over 70% of organizations not fully understanding where all their data is located, I strongly urge organizations to make data awareness a priority. The technology to achieve this is readily available using sensitive data discovery to map out where all PII data lives within your organization. Through this process, you will quickly learn where data is created, who has access to it and gain accurate insights into what risks exist around data that require immediate attention.
John DeSimone, Vice President of Cyber, Training & Services, Raytheon Intelligence & Space:
Being cyber aware requires constant diligence all year long, but it’s also necessary for organizations to take a step back to consider how their security strategies can be improved in order to continuously meet these challenges head-on. Cybersecurity is a multi-layered problem which is why every organization should test to reveal vulnerabilities.
I’d recommend vulnerability scanning monthly — weekly if resources allow it — and quarterly at a minimum. Penetration testing should be done at least annually, but bi-annually is better; critical apps or websites you’d want to test more often, especially after significant changes or releases, to ensure that a new vulnerability wasn’t introduced. I’d also recommend a Red Team exercise, which mimics what adversaries may attempt to do to break into your organization, to test your security team, as well as the detections and controls that you have in place. This should happen at least once a year or when major changes are implemented. These real-world tests will help any organization determine how well they can detect malicious activity that other testing won’t find.
Finally, I suggest implementing a Zero Trust framework, where you continually assess your organization’s security posture (yes, even internally). Zero Trust Security relies on multiple technologies that continuously scan and monitor your users, devices, networks, workload, and data to detect suspicious and malicious behaviors.
David Friend, co-founder and CEO, Wasabi Technologies:
As the former CEO of backup company Carbonite and now co-founder and CEO of Wasabi Technologies, I’ve seen many companies spend so much time and money on intrusion prevention and detection against ransomware. But it’s a losing battle because cybercriminals will always find a way to get in, and vulnerabilities are not always technical – they depend on people never making a mistake.
One underutilized way to protect your data against cyber threats and ransomware is through object-level immutability in your cloud storage, which means certain files and stored objects cannot be modified or deleted by anyone, even a systems administrator. If you store your backups in immutable buckets, ransomware hackers can’t delete or encrypt your backups. Ransomware hackers know that if you can restore your systems from backups, they are unlikely to be able to extort ransom from you. So they try to destroy backups at the same time they are encrypting your primary data. But if you have done your backups properly, when you get attacked by ransomware, you should be able to start fresh and restore your entire system from backups.
No amount of high-tech prevention will stop ransomware attacks because most of the time, the vulnerability is with the humans, not the machines. So my advice is to do the best you can on the prevention side, but more importantly, do complete backups, store them in immutable object stores, and test that you can successfully do a full restore before you get hit.
David Bradbury, Chief Security Officer, Okta:
Cybersecurity Awareness Month is especially crucial this year as we’ve seen cyberattacks become more sophisticated and more destructive across all industry sectors. If the past year has taught us anything, it’s that it has never been cheaper or easier to launch a cybersecurity attack. As leaders, we must remain continuously vigilant to thwart these emerging threats and keep cybersecurity a top priority for every company. To meet the demands of today’s modern users and avoid becoming the next victim of a cyberattack, organizations must move toward a Zero Trust security model and adopt strong authentication across all services, everywhere — from on-premises to cloud, to mobile, and for employees as well as customers, partners, contractors, and suppliers. In order to maintain this level of vigilance, cybersecurity leaders should keep their team’s well-being top of mind by hiring globally, regularly checking the ‘pulse’ of your team’s work and stress levels, and being open about the organization’s broader strategy - these are all key to addressing potential sources of burnout across multiple touchpoints. With our industry also facing massive skills gap challenges, it’s also important for cybersecurity leaders to empower their employees to properly train and mentor young IT professionals who will go on to become the security teams of the future. This month should be much more than just a time of awareness for organizations — it should be a call to action to start (or bolster) their Zero Trust journey, address and correct sources of burnout, and keep an eye on the future development of the profession to meet the evolving challenges in our increasingly identity-centric world.”
James Christiansen, VP of Security Transformation, Netskope:
This is Netskope’s second Cybersecurity Awareness Month during the COVID-19 pandemic, which has given us the opportunity to reflect and recognize how we can move the industry forward. As part of this awareness, it is our responsibility to redefine ‘Zero Trust’ so that it is more adaptable for companies to implement into their security. This type of trust is at the core of secure access service edge (SASE), which will connect security products across infrastructures and help companies make complex decisions around trust.
According to a recent report, 70% of users continue to work remotely as of the end of June 2021. During an era when organizations are learning to navigate a hybrid workforce, it is critical that companies have secured their data, which is now being accessed on an abundance of servers. The Great Resignation has shown us that there is a large opportunity to change the security architecture for companies at high risk of employees leaving and taking data with them. In fact, departing employees upload three times more data to personal apps in the last 30 days of employment. Additionally, many companies are adopting a remote-first approach while onboarding workers all over the country, which calls for a change of traditional security systems and is a large opportunity for cybersecurity companies to offer innovative solutions.
Realistically, we can never have an environment with no trust because this would mean we have zero interactions. The key to achieving continuous adaptive trust is by having a view of our risks at all times. This includes identifying users, classifying the data being accessed, and looking at the applications used on the network. This will help us better understand who is causing the risk, where it is coming from, why they are doing it, and how this will affect company data. By considering these threats, companies can begin their journey to SASE architecture and be better prepared for the risks they face on a daily basis.
Robert Prigge, CEO, Jumio:
“The amount of large-scale cybersecurity breaches we’ve witnessed in the last year highlights just how creative cybercriminals will get to steal sensitive data and sell it on the dark web. The number of reported identity theft cases more than doubled from 2019 to 2020, while the number of reported data breaches escalated 38% from the first to the second half of 2021. With traditional online verification tools such as knowledge-based authentication and passwords, organizations will continue to place consumers’ personal information at risk of being compromised.
Cybersecurity Awareness Month encourages security leaders and executive decision-makers to modernize their security practices in order to adapt to the increased sophistication of fraudsters. In today’s cybersecurity climate, organizations must move away from outdated, obsolete authentication methods and implement more advanced identity verification solutions, like face-based biometric authentication, that confirm online users are truly whom they claim to be. This month is also important for educating consumers on safeguarding their digital identity and managing personal data consent rights online. These best practices are crucial to keep data away from the hands of malicious actors.”
Anurag Kahol, CTO and Cofounder, Bitglass:
From cloud misconfigurations exposing massive amounts of sensitive data online to ransomware attacks severely impacting critical infrastructure, this past year has underlined the inherent lack of proactive security across organizations of all sizes. As we move toward a new era of hybrid operations post-pandemic, the sophistication and frequency of cyberattacks will only continue to increase at an exponentially higher rate. Organizations must be prepared to face the evolving threat landscape to protect their employees, corporate infrastructure and sensitive data.
International Cybersecurity Awareness Month serves as a reminder for enterprises to make security a strategic imperative. A vigilant security posture starts with implementing a unified cloud security platform, like secure access service edge (SASE) and security service edge (SSE), that replaces various disjointed point products and extends consistent security to all sanctioned cloud resources while following a Zero Trust framework to prevent unauthorized network access. Additionally, enforcing comprehensive cybersecurity training for all employees, hiring security experts and continuously monitoring and enhancing cybersecurity postures will ensure organizations are properly equipped to defend their modern operations.
Joe Partlow, Chief Technology Officer, ReliaQuest:
The events of this past year have put a magnifying glass on the longstanding issues many organizations are unfortunately faced with year-round. While each October we celebrate National Cybersecurity Awareness month as a reminder to prioritize such initiatives, the cybersecurity industry should instead use this as a moment - and an opportunity - to consider what can or needs to be done to make organizations more secure every day. Whether that’s educating employees about the dangers of social engineering and phishing, using MFA whenever possible, avoiding password reuse and administrative privileges or implementing more fool-proof policies and procedures for employees, these changes must have a lasting impact to reduce the risk at home and in the workplace.
Despite headway this year, with organizations working to achieve a stronger risk-based security posture all year round, a recent study from Ponemon Research found that there’s still ample work to be done. For example, 64% of security leaders believe the primary obstacle to implementing IT security risk management is a lack of standardized metrics to measure progress. Additionally, while 57% of organizations prioritize secure cloud migrations and another half are looking to implement Zero Trust, the majority are still held back by the lack of visibility. In short, most still lack operational efficiencies and actionable metrics that prevent them from detecting threats and making meaningful changes to their security posture. Constantly staying on top of security operations and visibility couldn’t be more critical in today’s landscape. Teams must be empowered with the proper support, technology and resources to get the job done right.
Nadav Arbel, co-founder and CEO, CYREBRO:
“Cybersecurity Awareness Month reminds organizations of all sizes to recognize the need to strengthen their security to prevent potentially devastating attacks. Most SMBs don’t have the resources to build strong cyber defenses, yet they remain the most vulnerable. The existential challenge faced by SMBs is to somehow find a way not just to protect attack vectors aimed at endpoints, applications, and cloud environments, but to develop a deep understanding and complete picture of all potential risks. Being aware of the need, recognizing the potential threats, and acknowledging that it’s every organization’s responsibility to take proactive security actions is the starting point to tackling the cybersecurity challenges.
This is especially significant with ‘drive-by’ attacks on the rise, as the number of detected malware types stood at 28.84 million ten years ago, and reached nearly 678 million in 2020. Vulnerabilities have also increased as employees work from home (outside of the controlled company environment), and supply chains have emerged as a new attack vector.
It’s imperative that SMBs become aware that if they haven’t been attacked, or don’t recognize that they have been, they are in danger. That isn’t the end of the story. Equally critical, they should know that there is a solution for them that is both affordable and comprehensive. Security operations centers (SOCs) enable SMBs to aggregate the state of their networks and systems and quickly determine if there have been any breaches and remediate them. These technology and cyber analyst-driven SOCs are now affordably available through the cloud and should be considered a central element in their solution to cybersecurity.”
Almog Apirion, CEO and co-founder, Cyolo:
“Cybersecurity Awareness Month is the perfect time to emphasize just how critical employee awareness is to improving your organization’s security posture. Security awareness starts at the individual level, and it’s imperative to practice and put users from all departments, not just IT and security, in front of real attack scenarios. To be successful at deterring hackers, organizations must also train their people to not be fooled by common attack scenarios or social engineering schemes. Sending a monthly brochure about cyber risks or doing an annual training simply isn't enough.
Steps taken this year by the White House to bulk up cybersecurity defense and adopt a Zero Trust approach on the federal level are a welcome sign and another development worth celebrating this month. But while these efforts are greatly needed to fight the increase in ransomware and other cyber attacks, they can’t be limited to just government organizations. Whether or not they’re officially mandated to do so, all businesses today need to fine tune their own security postures and consider new approaches, such as Zero Trust, to fight the abundance of cybersecurity threats.
With security frameworks like Zero Trust in place, critical infrastructure attacks such as the high-profile Colonial Pipeline incident would not have had the same impact. Zero Trust cloaks the network from attackers. Therefore, it would have prevented the attackers from finding and accessing the valuable, operation core systems. Even if the attackers would have been able to find the crown jewels, enabling multi-factor authentication to all assets, even apps that aren’t MFA-ready, ongoing device and user authentication would have prevented access in any case. This should act as a fundamental building block to zero trust and to becoming a security aware organization.
At the end of the day, Cybersecurity Awareness Month is a great time to implement security best practices or begin your journey to Zero Trust security. However, for real success, every month of the year needs to be security awareness month."
Simon Aldama, CISSP, Principal Security Advisor, Netenrich:
C-level support in preparing an organization to withstand an attack is key. Without executive sponsorship personally responsible for workstreams, there is no accountability for the outcome in addition to the operationalization of new risk mitigation techniques. Executives utilizing relationships with expert third parties can quickly prioritize remediation of control gaps by implementing adversary emulation and threat modeling to outline the behavior of persistent threat groups in a proactive manner rather than after the incident.
Joseph Carson, chief security scientist and Advisory CISO, ThycoticCentrify:
As Cybersecurity Awareness Month kicks off, one piece of advice I have for anyone is never be afraid to ask for advice. If you see something you’re not quite sure about, ask a colleague or a friend for advice before you click or open an attachment. Organizations should have a cyber ambassador that can offer advice before staff fall victims to ransomware or a piece of malware that will steal their credentials. Asking for help is the cyber smart move.
Patricia Thaine, CEO & Co-Founder, Private AI:
What we're observing is that more demand is being placed upon developers to figure out how to comply with data protection and cybersecurity regulations, with few tools in their arsenal to do so reliably. Several still rely on regular expressions to discover personal information and remove it from very messy text, for example, leading to very faulty "data protection" systems built by non-experts, often due to an expectation from management that they should build everything themselves. As developers' data protection education advances and as more data leaks and privacy violations occur due to faulty internal systems, we will start to see a growing understanding that, just like cryptography, most people should not be building their own privacy technologies.
Pieter Luitjens, CTO & Co-Founder, Private AI:
Having spent the last decade of my life putting AI models into production in environments that require the utmost robustness and observing time and time again how these models even outperform humans in both classification accuracy and, of course, speed, it is no surprise to me that we're seeing an explosion of AI being used in the cybersecurity, data protection, and privacy spaces. Over one trillion MB of data is produced every day, with more than 80% of it being unstructured. Robustly trained AI is the only way to reliably deal with these massive volumes of unpredictable data.
Do you agree with experts? Share your expert opinion below!