For most folks, October is a month for ghosts and goblins, but for the last 15 years the Department of Homeland Security (DHS) and the National Cyber Security Alliance (NCSA) have had a different emphasis: National Cybersecurity Awareness Month (NCAM).
Multiple organizations are joining the DHS and the NCSA in spreading this year’s NCAM theme, aimed at users of connected devices: “Own IT. Secure IT. Protect IT.”
“Our hope is to focus attention on the efforts required to safeguard individual computers and accounts and secure and protect critical data and infrastructure,” FBI Cyber Division assistant director Matt Gorham said in a statement.
A large part of that focus, as this year’s theme emphasizes, is securing connected devices, said Paige Schaffer, CEO of the Identity and Digital Protection Services Global Unit of Generali Global Assistance, an insurance provider. This also applies to businesses seeking to digitize sensitive records.
“As the number of digital connected devices grows, so does the number of touchpoints. As more of these records become digitized, the opportunities thieves have to steal them increase.”
Getting people’s attention about cybersecurity may be a little easier this year compared to past years, said Lori Page Hall, the information management and governance product marketing director at Micro Focus.
“Awareness around the need for diligent cybersecurity is really becoming a bit more mainstream now.”
—Lori Page Hall
That awareness extends not just to personal and enterprise security, but to infrastructure security as well. “The average person understands that nation-states are targeting the grid,” said Joe Scotto, chief marketing officer at Indegy, which is celebrating NCAM by posting a series of informational videos on YouTube.
What most people don’t know, however, is that “critical infrastructure isn’t just about the grid,” Scotto said. “The same controllers that are in the grid are in a lot of other industries—pharmaceuticals, automotive, transportation, logistics.”
NCAM should prompt you to evaluate your organization’s security approach. Here are the top trends to help you get focused on what matters today.
Security and privacy converge
Part of the increase in awareness about cybersecurity is being driven by the convergence of cybersecurity and privacy, said Carole Murphy, senior product marketing manager for Voltage Data Security at Micro Focus.
“We see cybersecurity and data privacy coming together, where they were previously relatively separate. In 2014, people were talking about credit card numbers being stolen. Now you’ve got hundreds of millions of people losing personal identifying information that can lead to stolen identities.”
The severity and size of breaches grow every year. Generali’s Schaffer said that in the last six months alone, we’ve experienced massive data breaches across all industries, from financial institutions to hospitals and everything in between. To put that into perspective, in 2005—when data breaches officially began being tracked—there were just under 70 data breaches reported, she said. That’s about how many breaches now occur every week, she added.
A change in security philosophy is another contributor to the convergence.
For some time now, security pros have recognized that organizations need more than strong perimeter defenses to keep them secure. But now, with a nudge from regulators, they know good walls don’t make good privacy.
“With the addition of privacy regulations on a global scale, just securing the perimeter is no longer enough,” said Micro Focus’ Hall. It’s now more often about controlling access to personal data within the organization, limiting employee access to that data, and not keeping private data in unsecured locations.
“Data is no longer stored in just the corporate network, but in file-sharing services that may not be under the control of the IT department.”
—Lori Page Hall
Murphy explained that changes in data flow across organizations have reduced the effectiveness of siloed security approaches. Not so long ago you could focus on an outside-in defense approach with a firewall, intrusion prevention, and antivirus, she said.
“[Just] protecting data in a database isn’t going to protect you, because a whole lot of your data is sitting on servers or in memory and hasn’t gotten to a database yet.”
Front-line awareness comes to the fore
As in every awareness campaign, enlisting consumers and employees to protect their data and their employer’s data and to report threats remains a cornerstone of the program. “We look to the public and to organizations to engage by understanding these threats, taking preventive action, and reporting cyber crimes when they occur,” the FBI’s Gorham said.
An organization’s ability to secure customer data is only as good as the training and diligence maintained by employees, said Micro Focus’ Hall.
“They often literally have consumers’ data in their hands and need to ensure they are safeguarding that data.”
—Lori Page Hall
She added that more aware consumers are taking steps to protect their data by using multi-factor authentication or payment schemes that protect payment card information, such as PayPal and Apple Pay.
Awareness is important not only for employees but for employers, too, Generali’s Schaffer said.
“All it takes is one employee with the proper credentials to be victimized to compromise the sensitive data held by their employer.”
Also, savvy thieves can create targeted phishing emails that appear to come from an employee’s superior or a consumer’s favorite brand and that request login credentials or ask the recipient to view a file by clicking a link, she said.
The stakes are even higher for employees working with critical infrastructure, added Indegy’s Scotto.
“When you look at awareness on the critical infrastructure side, the concerns are more about productivity loss and physical safety of people.”
Toward continuous awareness
For this year’s NCAM, Generali’s Schaffer said her organization is urging consumers and employees to look beyond awareness and to do something proactive to protect their data.
“These proactive steps can be as simple as frequently and consistently updating passwords—something our survey data shows only about a quarter of users do. There is still a lot of work left to do when it comes to cybersecurity awareness.”