In the United States and beyond, concern about the potential for cyber attacks continues to build following the Russian invasion of Ukraine. Recently, President Biden warned about the risk, and cybersecurity experts advised people to start preparing for the possibility of a cyber attack.
While there is no imminent threat today, there is also no denying the possibility of significant cybersecurity consequences resulting from the invasion—even for countries and companies not directly impacted by events in Ukraine. After all, when a nation-state releases malware into the wild, the malware can attack anything—not just its intended target (case in point: NotPetya).
But whether or not the world’s worst cyber fears are realized, the looming threat underscores the essential roles of cybersecurity awareness and education in helping defend against potential danger.
Understanding how cyber attacks work and how to protect against them is not just the province of IT security professionals; cybersecurity is something we all need to know about, to varying degrees. At every level—from an individual being targeted by a phishing email, to a board-level executive contemplating a cybersecurity investment, to a network analyst actively looking for signs of an in-progress or imminent attack—action begins with awareness. We all need to be able to understand in the context of our own experience what creates risk, what constitutes a threat and what to do in the presence of either.
“I would say the key thing is to be proactive,” said Jim Taylor, SecurID Chief Product Officer, in the recent online discussion “A Conversation About Key Cybersecurity Practices To Adopt During a Geopolitical Crisis.”
“If you’re a CISO, educate yourself and your team about current, evolving and potential threats, and teach users how to develop good practices. Make things relatable, so people who aren’t security professionals understand why downloading personal photos to your work laptop could be dangerous, for example.”
Security professionals have plenty in their arsenals to fight back against an identity-based cyber attack, with multi-factor authentication (MFA), identity governance and other capabilities at their disposal.
But those resources are only as effective as the knowledge and actions backing them up. That’s why cybersecurity awareness and education are critical for all the people who aren’t on the security team, from executives to hourly workers.
For example, decision-makers at the executive or board level need to understand why it’s critical to invest in and prioritize certain capabilities so that they can make policy and funding decisions that will help keep their organizations secure. Remember, hackers got into Colonial Pipeline through an inactive account that wasn’t protected by MFA. And remember that DarkSide didn’t shut off gasoline production—they encrypted the company’s billing infrastructure, which led Colonial Pipeline to deactivate production. A disruption in one part of a business could cascade into and affect others.
Beyond the board level, everyone in an organization should understand why they need to adopt a security mindset at work, even if—perhaps especially if—they’re not on the security team. Awareness across the entire organization is what gets phishing emails reported instead of opened and stops attacks before they start.
Cybersecurity at work is important, but these days, work extends far beyond the traditional workplace. Maintaining risk awareness and knowing how to address it need to be as much a part of everyday home life as of work life. And it’s not just working at home that has expanded the cybersecurity risk area. For example, one of the impacts of the pandemic was that children were unable to go to school—so they went online at home, putting a significantly vulnerable population at risk.
“Our digital journey is outpacing our ability to secure it,” said Jim Taylor. “There’s nothing good about the current cybersecurity situation, but it is driving awareness and making us have the conversations about security that we need to have.”
Another example of cybersecurity risk beyond the traditional workplace is IoT risk. While there are great benefits to everything the IoT enables, from self-driving cars to smart homes, there is also risk. What if, for example, a threat actor takes over a connected car and disables the brakes? What if someone hacks into a connected home device and uses it as a way into a critical system?
“There’s a lot to think about, but the more awareness around it, the better equipped we are to deal with it,” Jim Taylor noted. “As someone once said, the best dollar you’ll ever spend on security is spent on education.”
Watch the webinar on-demand: “A Conversation About Key Cybersecurity Practices To Adopt During a Geopolitical Crisis”