It’s time to celebrate National Cybersecurity Awareness Month again. Let’s look at what happened since we last honored this “holiday.”
We started 2018 with over three million records breached from Jason’s Deli; moved into spring with five million records from Saks/Lord & Taylor and 37 million from Panera Bread restaurants. May saw breaches from fitness tracking company PumpUp and clothing retailer Under Armour. July was a new low point with breaches from Ticketfly, the Sacramento Bee newspaper chain, and MyHeritage. And let’s not forget Exactis, with 340 million records placed online.
Even with this list, I haven’t accounted for many other breaches of the past year, including the various data leaks that occurred when companies put cloud storage buckets online unprotected. In all of these situations, a single check box would have secured the data.
Of course, who doesn’t remember Facebook’s woes, which, thanks to Cambridge Analytica, divulged information on more than 100 million accounts. And if we look beyond private data leaks, we find that the City of Atlanta learned an expensive lesson: its backups were worthless after it was hit by a ransomware attack. Recovering cost the city nearly its entire annual IT budget.
With security awareness, you are only as good as yesterday’s response. Every day, someone tries to leverage their way into your network, your data and your corporate reputation. Every day, your network is bombarded with thousands of phishing attempts. Someone is sending multiple emails with infected attachments; hackers continuously try reused or common passwords and create new blended threats whose construction we don’t yet understand. Every day, users attach infected phones and laptops to your network that can serve as new entry points for attacks. Do you really want to take a moment and celebrate? Go right ahead. Have a piece of cake.
Or we can get to work and make October more meaningful. Let’s use this month to do something positive about security awareness that lasts more than just a few days and a few meek attempts. It is time to make security awareness a year-round event. And this isn’t just for the IT department, or your security staff, but something that must happen across the board. Here are a few tips to get started.
Make a goal that this time next year will be the time when all your users have embraced Multi-Factor Authentication (MFA) or Fast Identity Online (FIDO) for their business-critical logins. The tools are getting better, FIDO is supported by more products, and even Facebook, Google and Twitter now support MFA logins. Many of the breaches mentioned above would not have happened, or had less impact, had accounts been properly secured with multiple authentication methods.
Use this MFA effort as a more complete assessment of your identity and access management strategy. Examine what you are doing and whether any of the newer technologies – such as adaptive authentication and better risk assessments – can improve your login security.
Learn from Atlanta’s woes and make sure your backups are useful. Spend time ensuring you can reconstruct your servers if anything unfortunate happens – from a disk crash to a ransomware attack. Not too long ago, I experienced two hard drive crashes in a single week. While I didn’t lose any data, thankfully, I did lose a lot of time getting equipment back up and running. And I learned how to improve my recovery procedures a bit, too. You should conduct regular disaster recovery exercises to see what happens when parts of your network, or particular servers, are taken offline. How long does it take you to recover from these events? Everyone can benefit from more resilient operations.
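A backup is only proven when it has been restored somewhere else and checked against the original. The script below is an added example, not the author's own procedure or any product's code: it builds a constructed sample "server" tree in a temporary directory, backs it up to a tar archive, restores it to a fresh directory, times the restore, and compares every file's SHA-256 digest against a manifest taken from the live tree. The `skip_dir` option simulates a backup job that silently misses a directory, which is exactly the kind of gap a restore drill exposes and a green "backup completed" message does not.

```python
"""Backup restore drill: back up a sample tree, restore it to a fresh
directory, time the restore, and prove the copy matches byte for byte.

Example code added to this post (not the author's); it runs on a constructed
sample tree inside a temporary directory, so it needs no real server.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed stand-in for a small server: config, a data file, a log.
SAMPLE_FILES = {
    "etc/app.conf": b"listen=8080\n",
    "data/customers.db": bytes(range(256)) * 4,
    "data/logs/app.log": b"2018-10-01 service started\n",
}


def make_sample_tree(root):
    """Write the constructed sample files under root."""
    for rel, content in SAMPLE_FILES.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def build_manifest(root):
    """Map each file (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(root, archive, skip_dir=None):
    """Write a gzip tar of root. skip_dir simulates a backup job that silently
    misses a directory, the kind of gap only a restore test reveals."""

    def keep(info):
        name = info.name[2:] if info.name.startswith("./") else info.name
        if skip_dir and (name == skip_dir or name.startswith(skip_dir + "/")):
            return None  # returning None excludes this entry and its subtree
        return info

    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".", filter=keep)


def restore_backup(archive, dest):
    """Unpack archive into dest (an empty directory standing in for a rebuilt host)."""
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # safe-extraction filter where available
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return dest


def verify_restore(expected, restored_root):
    """Compare the restored tree against the manifest taken from the live tree."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(p for p in expected if p not in actual),
        "mismatched": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "unexpected": sorted(p for p in actual if p not in expected),
    }


def run_restore_drill(workdir, skip_dir=None):
    """Full drill in workdir: build tree, manifest it, back up, restore, verify, time it."""
    workdir = Path(workdir)
    source = workdir / "server"
    make_sample_tree(source)
    expected = build_manifest(source)  # what a good restore must reproduce
    archive = workdir / "nightly.tar.gz"
    create_backup(source, archive, skip_dir=skip_dir)
    start = time.perf_counter()
    restored = restore_backup(archive, workdir / "restored")
    elapsed = time.perf_counter() - start
    return {"findings": verify_restore(expected, restored), "restore_seconds": elapsed}


def drill_in_tempdir(skip_dir=None):
    """Run the drill in a throwaway directory and return its result."""
    with tempfile.TemporaryDirectory() as tmp:
        return run_restore_drill(tmp, skip_dir=skip_dir)


if __name__ == "__main__":
    print("intact backup:", drill_in_tempdir())
    print("backup missing data/logs:", drill_in_tempdir(skip_dir="data/logs"))
```

The manifest is taken from the live tree before the backup runs, so the check answers the question that matters after an incident: does what comes out of the archive equal what was on the server? The `restore_seconds` figure is the number to track across drills; a recovery that works but takes longer than the business can tolerate is still a failed exercise.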
Review your cloud storage buckets for unintended data leaks. There are numerous security tools to help you assess your storage buckets and ensure they are properly protected rather than being sitting ducks online.
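The "single check box" that would have prevented the bucket leaks above is a public-access setting, and it can be checked in a loop rather than bucket by bucket in a console. The following is an added example, not the post's own tooling or any vendor's product: it audits an S3-style bucket record (policy, ACL grants, and the four public-access-block settings) for anything that exposes the bucket to the world, and runs the same audit over a constructed "sitting duck" bucket and the corrected version of it. The bucket name, account id and role name are constructed samples; the group URIs and public-access-block keys are the real S3 identifiers.

```python
"""Audit constructed S3-style bucket configurations for public exposure.

Example code added to this post; the bucket names, policies and ACLs below
are constructed samples, not data from any real account.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUP_URIS = {ALL_USERS, AUTHENTICATED_USERS}

# The four settings of an S3 "public access block"; all four should be on.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _principal_is_wildcard(principal):
    """True when a policy statement's Principal matches everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_statements(policy):
    """Return the Sids of Allow statements granted to a wildcard principal
    without a Condition block narrowing who can use them."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # assumption: a Condition narrows the grant; review those by hand
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def public_acl_grants(grants):
    """Return (group URI, permission) pairs that expose the bucket to everyone."""
    return [
        (g["Grantee"]["URI"], g["Permission"])
        for g in grants
        if g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


def missing_public_access_blocks(cfg):
    """Return the public-access-block settings that are absent or switched off."""
    return [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not cfg.get(k, False)]


def audit_bucket(bucket):
    """Collect every finding for one bucket record (constructed dict shape)."""
    findings = []
    for sid in public_statements(bucket.get("policy", {})):
        findings.append(f"policy statement '{sid}' allows any principal")
    for uri, perm in public_acl_grants(bucket.get("acl_grants", [])):
        findings.append(f"ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    for key in missing_public_access_blocks(bucket.get("public_access_block", {})):
        findings.append(f"public access block setting {key} is off")
    return findings


# Constructed sample: the "sitting duck" bucket, and the same bucket after the fix.
LEAKY_BUCKET = {
    "name": "example-customer-exports",
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-exports/*"},
    ]},
    "acl_grants": [
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
    "public_access_block": {"BlockPublicAcls": False},
}

FIXED_BUCKET = {
    "name": "example-customer-exports",
    "policy": {"Version": "2012-10-17", "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},  # constructed
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-customer-exports/*"},
    ]},
    "acl_grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    ],
    "public_access_block": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS},
}

if __name__ == "__main__":
    for label, bucket in (("before", LEAKY_BUCKET), ("after", FIXED_BUCKET)):
        print(bucket["name"], label, json.dumps(audit_bucket(bucket), indent=2))
```

Feeding this from a real account means pulling each bucket's policy, ACL and public-access-block configuration with the cloud provider's API or CLI and shaping it into the dict form used here; the audit logic itself does not change. A wildcard principal under a Condition is deliberately not flagged automatically, because whether the condition actually narrows access is a judgement call that belongs in a human review.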
Do continuous user awareness training. There are many vendors able to help with putting together a program. The trick is not doing so just once a year, but on a continuous basis. Think about how you can offer incentives to your users, not just make the training onerous and, thereby, ineffective. One vendor offers a program that performs assessment, education, reinforcement, and measurement in a continuous cycle.
Go back to security school. Various vendors offer plenty of training for security staff to brush up on their techniques and tools. We all need refreshers to stay current with what the bad guys are constantly cooking up.
It’s time we realized that security awareness needs to be a year-long focus and not just one-and-done.
This post was sponsored by RSA, but the opinions are my own and do not necessarily represent RSA’s positions or strategies.
# # #
To learn more about National Cybersecurity Awareness Month, or the sponsor organization, the National Cybersecurity Alliance, follow them on Twitter at @StaySafeOnline, and join the social media discussion by using the hashtag, #CyberAware.
Author: David Strom
Category: RSA Point of View, Blog Post
Keywords: NCSAM, Cybersecurity