Yes, just like last October, this month we celebrate National Cybersecurity Awareness Month. So let’s look at what happened in the past year since we last honored this manufactured “holiday.”
We started off 2018 with more than three million records breached at Jason's Deli, moved into spring with five million records from Saks and Lord & Taylor and 37 million courtesy of Panera Bread restaurants. Spring also brought breaches at fitness tracking company PumpUp and at Under Armour's MyFitnessPal app. Then came Ticketfly, the Sacramento Bee newspaper chain and MyHeritage. And let's not forget Exactis, with 340 million records left exposed online.
Even with this list, I am sure that I haven't accounted for many other breaches of the past year, including the data leaks from GoDaddy, LevelOne Robotics, Nice Systems, Los Angeles' 211 service center, Localblox, Octoly and Viacom. These and many others left cloud storage, most often AWS S3 buckets, readable by anyone on the internet. S3 buckets are private by default; in each case an access control list or bucket policy had been changed to allow public reads, so the data in every one of these situations could have been secured by reverting a single setting.
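To make that "single setting" concrete, here is an added example (my code, not anything from the original column) that shows the two ways a bucket ends up world-readable and checks for both offline: a bucket policy whose Principal is "*", and an ACL grant to the AllUsers or AuthenticatedUsers group. The policies, the bucket name "example-backups", the account ID and the role name are constructed for the example; in practice you would feed the function the JSON returned by boto3's get_bucket_policy and the dictionary returned by get_bucket_acl for every bucket in the account.

```python
import json

# Constructed sample: a bucket policy of the kind that made these leaks possible.
# (Hypothetical bucket name; this is not any real company's policy.)
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
    }],
})

# The corrected form: same bucket, same actions, but only one named role may read it.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
    }],
})

# ACL grants to these groups expose data to anyone with, or without, an AWS account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(x):
    """IAM policy fields may be a single value or a list; normalise to a list."""
    return x if isinstance(x, list) else [x]

def principal_is_anonymous(principal):
    """True when a statement's Principal matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_statements(policy_json):
    """Return the Allow statements that grant any action to the whole world."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        # A Condition may narrow the grant (source IP, VPC endpoint); flag it for a
        # human to review rather than silently passing it.
        findings.append({
            "sid": stmt.get("Sid", "<no sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditional": "Condition" in stmt,
        })
    return findings

def public_acl_grants(acl):
    """Return (group, permission) for ACL grants to public groups (get_bucket_acl shape)."""
    bad = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            bad.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return bad

def bucket_is_public(policy_json=None, acl=None):
    """Verdict: public if either the policy or the ACL opens the bucket up."""
    by_policy = public_statements(policy_json) if policy_json else []
    by_acl = public_acl_grants(acl) if acl else []
    return bool(by_policy or by_acl), by_policy, by_acl

# Constructed ACL shaped like boto3's get_bucket_acl() response, with a public READ grant.
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for name, pol in (("public", PUBLIC_POLICY), ("private", PRIVATE_POLICY)):
        verdict, stmts, _ = bucket_is_public(policy_json=pol)
        print(f"{name} policy -> public={verdict} {stmts}")
    print("ACL grants to public groups:", public_acl_grants(SAMPLE_ACL))
```

Note that a bucket whose policy is clean can still be public through its ACL, which is why the verdict function checks both; the private policy above combined with SAMPLE_ACL is still a leak.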
Of course, who doesn't remember Facebook's woes: the Cambridge Analytica affair exposed data on as many as 87 million accounts. And if we look beyond private data leaks, who could forget the City of Atlanta discovering that its backups were worthless after it was hit by ransomware. The city ended up spending millions of dollars, close to its entire annual IT budget, to learn that lesson.
With security awareness, you are only as good as yesterday's response. Every day, someone is trying to lever their way into your network, your data and your corporate reputation. Every day, your network is bombarded with thousands of phishing attempts: someone is sending emails with infected attachments, attackers are trying reused or common passwords against your logins, and new blended threats keep appearing that we don't yet know how to take apart. Every day, users connect infected phones and laptops to your network, creating new entry points for attacks. So do you really want to take a moment and celebrate? Go right ahead. Have a piece of cake.
But let’s get down to work and make October more meaningful. Let’s use this month to try to do something positive about security awareness that can last more than just a few days and a few meek attempts. It is time to make security awareness a year-round event. And this isn’t just for the IT department, or your security staff, but something that has to happen across the board. Here are a few tips to get started.
Make it a goal that this time next year, all of your users will have embraced MFA, ideally with FIDO hardware keys, for their business-critical logins. The tools are getting better, FIDO is supported by more products every month, and Facebook, Google and Twitter all support security keys today. Breaches that begin with a stolen, phished or reused password, which is how a great many intrusions start, are stopped or at least blunted when the account also demands a second factor.
Use the MFA effort as the start of a broader assessment of your identity and access management strategy. Examine what you are doing now and whether newer techniques, such as adaptive authentication that weighs the risk of each login (new device, unusual location, recent failed attempts) before deciding how much proof to demand, can improve your login security.
Learn from Atlanta's woes and make sure your backups are actually useful. Spend some time ensuring that you can rebuild your servers if anything unfortunate happens, from a disk crash to a ransomware attack. Not too long ago, I had two hard drive crashes on my equipment in a single week. I didn't lose any data, thankfully, but I did lose a lot of time getting both PCs back up and running. And I learned how to improve my recovery procedures too. You should conduct regular disaster exercises to see what happens when parts of your network or particular servers are taken offline, and how long it takes you to recover from these events. A backup that has never been restored is an assumption, not a backup. Everyone can benefit from more resilient operations.

Review your cloud storage buckets for unintended data leaks. There are numerous security tools that can help you assess your buckets and ensure they are properly protected rather than sitting ducks online (Rhino Security Labs' CloudGoat, for instance, stands up a deliberately vulnerable AWS environment on which you can practice finding exactly these misconfigurations).
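Here is a restore drill in code, added as an illustration rather than taken from the column: back up a directory, record a SHA-256 manifest of every file at backup time, restore the archive to a fresh location and compare the result against the manifest. The sample files are constructed inside a temporary directory; the second verification deliberately corrupts the restore to show what the check reports when a backup is not, in fact, useful.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map every regular file under root (as a relative path) to its SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def create_backup(src: Path, archive: Path) -> dict:
    """Write a tar.gz of src and return the manifest recorded at backup time.
    Store the manifest separately from the archive; it is the yardstick for every restore."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest

def restore_backup(archive: Path, dest: Path) -> None:
    """Extract into dest, refusing path traversal and absolute links where the
    'data' filter is available (Python 3.12+ and the security backports)."""
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:  # older interpreter without the filter argument
            tar.extractall(dest)

def verify_restore(manifest: dict, restored: Path) -> tuple:
    """Compare the restored tree against the backup-time manifest.
    Returns (ok, problems): missing files, modified files, unexpected extras."""
    actual = build_manifest(restored)
    problems = []
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    problems += [f"unexpected: {rel}" for rel in actual if rel not in manifest]
    return (not problems, problems)

def demo() -> tuple:
    """Constructed end-to-end drill: back up, restore, verify; then damage the restored
    copy and verify again. Returns (clean_result, damaged_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, archive, dest = tmp / "server", tmp / "server.tar.gz", tmp / "restore"
        (src / "etc").mkdir(parents=True)
        (src / "etc" / "app.conf").write_text("listen=443\n")   # constructed config file
        (src / "data.db").write_bytes(os.urandom(4096))          # constructed "database"
        manifest = create_backup(src, archive)
        restore_backup(archive, dest)
        clean = verify_restore(manifest, dest)
        # Simulate a bad restore: one file truncated, one file missing.
        (dest / "data.db").write_bytes(b"")
        (dest / "etc" / "app.conf").unlink()
        damaged = verify_restore(manifest, dest)
    return clean, damaged

if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

The manifest is what turns "the backup job reported success" into "the data we need is recoverable"; run the restore into an isolated host on a schedule, keep the manifest where ransomware on the production side cannot reach it, and time the whole exercise so you know your real recovery window.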
Do continuous user awareness training. Many vendors can help you put together a program; the trick is running it continuously rather than once a year. Think about how to offer incentives to your users rather than making the training onerous and therefore ineffective. One vendor's program, for example, cycles through assessment, education, reinforcement and measurement on a continuous loop.
Go back to security school. Organizations such as SANS offer plenty of training for security staff to brush up on their techniques and tools. We all need refreshers to stay current with what attackers are constantly cooking up.
It's time we realized that security awareness needs to be a year-round focus, not a one-and-done event.