It’s Cybersecurity Awareness Month, and this year marks the 20th anniversary. It’s a collaboration between the government and businesses to raise awareness about digital security.
The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance partner to develop resources and communications that organizations can use to talk to employees and customers about staying safe online.
In commemorating the 20th anniversary, those behind it launched a new, year-round awareness campaign — Secure Our World. The initiative focuses on four areas:
- Password security
- Multifactor authentication (MFA)
- Recognition and reporting of phishing
- Updating software
These four components have long been part of cybersecurity best practices. However, they are still the cause of many cyber incidents. According to CISA, more than 90% of cyberattacks start with phishing. Additionally, 63% of social engineering attacks involved compromised credentials. MFA effectively blocks most cyberattacks, but it’s not impenetrable. It just takes hackers longer.
Failing to update and patch software regularly continues to be a common root cause of hacks. A vulnerability assessment would find these gaps, but if your company doesn’t initiate one, the risk increases.
Most of today’s modern problems regarding cyber risk and the themes of National Cybersecurity Awareness Month have a common weak link — people. Human error or compromise remains the biggest threat.
So, with 20 years of these awareness events, have they made a difference? And what do we still need to do?
The Four Pillars of National Cybersecurity Awareness Month
We’ve discussed the ongoing concerns and challenges of the four pillars, but what are the current messages on these?
The general rules about passwords still apply. They should be unique for every account, at least 16 characters long, and random with letters, numbers, and special symbols. So, why don’t people follow these simple rules you likely have as part of your policy?
Most people have password fatigue. With all the logins they have at work and in their personal life, remembering all of them is difficult. The solution is to give employees access to a password manager and make its use mandatory.
MFA is the safety net should a password become compromised. You should use MFA for any SaaS applications, both those your workers use and those you offer to customers. You can use MFA in three ways:
- Sending codes via text or email
- Using an authenticator app that generates codes
- Biometrics, such as facial recognition or fingerprints
Recognition and Reporting of Phishing
Phishing is a central piece of most businesses’ cybersecurity training for employees. It’s typically a module within learning requirements. Hackers are much more sophisticated now in their phishing attempts, so the emails, messages, or texts can be harder to discern as fake. Cybercriminals are using artificial intelligence (AI) tools to spin out more phishing attacks.
The same signs of phishing are still present — urgency to reply, requests for financial or personal information, untrusted shortened URLs, and incorrect email addresses off by a letter or two.
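As an added illustration (not code from the original article), the following Python snippet applies those same signs to a constructed sample e-mail: a lookalike sender domain within two character edits of a trusted one, urgency wording, requests for financial or personal details, and shortened URLs. The trusted domains, keyword lists, shortener hosts and sample message are assumptions chosen for the example.

```python
import re
from email import message_from_string

# Constructed, hypothetical values for the example (assumptions, not from the article).
TRUSTED_DOMAINS = {"example.com", "payroll.example.com"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours")
SENSITIVE_WORDS = ("password", "ssn", "bank account", "wire")
URL_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw_message: str) -> list[str]:
    """Return the phishing signs found in one plain-text RFC 822 message."""
    msg = message_from_string(raw_message)
    found = []
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    domain = m.group(1).lower() if m else ""
    # Lookalike sender: close to a trusted domain (e.g. "rn" for "m") but not identical.
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(domain, trusted) <= 2:
                found.append(f"lookalike sender domain {domain} (~{trusted})")
                break
    body = msg.get_payload(decode=True).decode() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(w in text for w in URGENCY_WORDS):
        found.append("urgency language")
    if any(w in text for w in SENSITIVE_WORDS):
        found.append("request for financial or personal information")
    for host in URL_RE.findall(body):
        if host.lower() in SHORTENER_HOSTS:
            found.append(f"shortened URL host {host.lower()}")
    return found


# Constructed sample message: sender domain is "exarnple.com", not "example.com".
SAMPLE = """From: HR Team <hr@exarnple.com>
Subject: Urgent: confirm your bank account within 24 hours

Please confirm your password and bank account at http://bit.ly/abc123 immediately.
"""
```

Running `phishing_indicators(SAMPLE)` reports all four signs, while a plain internal message from a trusted domain with no such content returns an empty list.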
IT teams periodically run phishing tests on employees to determine how they react when something lands in their inbox. Expanding this further by hiring a cyber firm to conduct phishing exercises can reveal even more. They can actually simulate attacks that follow the same steps as hackers, including using social engineering to find out information about your users. Then, they craft scenarios for different individuals, using multiple tactics to target your staff.
These phishing exercises are the best way to test the people component. A report comes from these efforts and identifies who took the bait.
Not updating applications can be an opportunity for hackers. Turning on automatic updates makes this much easier. A growing concern around this is shadow IT. In large enterprises, employees may use SaaS applications without IT knowledge. A recent report on healthcare cloud adoption found that 74% of IT workers were worried about it.
Another problem is legacy systems, which are prevalent in healthcare and other industries. Software providers often sunset applications, meaning no new updates are coming. When this occurs, decommissioning and migration of data should be a priority.
In looking at these areas of cybersecurity and the impact of National Cybersecurity Awareness Month, the National Cybersecurity Alliance released its annual Cybersecurity Attitudes and Behaviors Report.
Findings from the 2023 Annual Cybersecurity Attitudes and Behaviors Report
Here are some key insights from the report:
- 84% of respondents said security is a priority, with 69% believing it’s achievable.
- 39% of people feel frustrated by online security.
- Only 26% of those surveyed said they had access to and used cybersecurity training.
- Most (84%) of those using training find it useful, citing recognizing and reporting phishing as their biggest takeaway.
- 38% of people said they use unique passwords across sites all the time.
- 12% use password managers.
- 30% of survey takers have never heard of MFA.
Overall, the findings indicated improvements in cybersecurity awareness. However, gaps remain in cyber knowledge and in applying it to real scenarios. A concerning statistic is that only a quarter of people say they engage in training. Training is mandatory in many organizations, often due to regulatory requirements like HIPAA in healthcare.
Any industry should make this a priority. As we’ve discussed, the leading reason for cyber incidents goes back to people. Ensuring they receive consistent education and undergo tests to validate what they’ve learned is essential to mitigating risk. Beyond this, there are several other ways to improve cybersecurity.
Two Key Things Every Organization Needs to Support Cybersecurity
Any company that wants to be proactive about cybersecurity and live the values of Cybersecurity Awareness Month should use vulnerability assessments and pen tests.
Why Vulnerability Assessments?
Vulnerability assessments evaluate all your assets to find missing patches and misconfigurations. A vulnerability could also be a code flaw or bug. Such an exercise, performed by a third party, provides a review of all weaknesses and their classification as:
- Critical — the most urgent requiring immediate attention
- High — the next highest priority on your remediation roadmap
- Medium — less risky but should still be on your fix list
- Low/informational — cautionary but not urgent vulnerabilities
These categorizations come from three things: how likely a hacker is to exploit the vulnerability, how severe its impact would be, and what it would provide to a cybercriminal.
A vulnerability assessment can be network-, application-, or host-based.
- Network-based: Scanning geographically distributed machines and applications is the focus of this assessment. Those conducting it are looking for security gaps in network systems. They analyze devices on the network, hunting for compromised passwords. The exercise also evaluates your system’s ability to respond to attacks.
- Application-based: Assessors probe the application layer in this method. The goal is to detect any misconfigurations or common weaknesses of the applications.
- Host-based: This assessment includes scanning to review machine weaknesses, including network hosts, workstations, and services. The outcome is a determination of whether systems are in alignment with your security standards and protocols.
Vulnerability assessments allow you to minimize risk, meet compliance requirements, and resolve issues.
They work best in concert with pen tests.
Why Pen Tests?
Penetration tests simulate cyberattacks carried out by ethical hackers you hire. Pen tests go further than vulnerability assessments. They identify weaknesses and then attempt to exploit them, as cybercriminals would. Teams use the same techniques and tools as real hackers.
Pen tests have different levels, methods, and types.
Pen test levels:
- Black Box Penetration Testing (or Opaque Box): Testers have no information about the internal structure of the target system. They operate like hackers would, scanning for weaknesses.
- Gray Box Penetration Testing (or Semi-Opaque Box): Those testing have some knowledge of the target system, such as data structures, code, or algorithms. They may also have credentials and an architectural diagram of the system, which they use to work through specific use cases.
- White Box Penetration Testing (or Transparent Box): Ethical hackers have access to systems and artifacts and may be able to log in to the servers running the system.
Pen test methods:
- External testing: Testers target visible assets of an organization (e.g., web applications, company website, email, and domain name servers), attempting to gain access and extract data.
- Internal testing: This option happens behind the firewall to mimic what could happen after a human error incident, such as credentials stolen through phishing.
- Blind testing: A blind test is when a tester has only the company’s name. It shows, in real time, what an actual attack on an application would look like.
- Double-blind testing: A double-blind test is when internal cyber teams are unaware of the exercise. They then respond to the threat as they would to a real one.
- Targeted testing: Ethical hackers and IT work together in this simulation. It’s an excellent way to train employees and get feedback from testers.
Pen tests can evaluate many things, including web applications, network security, cloud security, IoT security, and social engineering. The value of regularly doing these is that you become aware of issues before cybercriminals do. You receive a report from the firm performing the work that defines all the problems and what to do to fix them.
When they are an ongoing part of your cybersecurity program, you can be more proactive and understand the threat landscape much better.
Cybersecurity Must Be an Always-On Initiative
To reach the highest levels of cybersecurity, working with a trusted third party for vulnerability assessments and pen tests is vital. If you’re looking for a partner, we’d love to help. Contact us today to learn more.