In the wake of the Facebook Breach that exposed the personal information of approximately 50 million users, National Cybersecurity Awareness Month serves as yet another reminder of just how successful cybercriminals can be and, more importantly, just how integral cybersecurity has become both for organizations and individuals.
For individuals, the general message has remained much the same: regularly change your passwords, create backup accounts and ensure your computers and software are kept up to date. Where the message has evolved continuously is on the business side of the equation. Some would argue that one of the most significant challenges modern businesses face is that they simply are not making security a priority.
“National Cybersecurity Awareness Month isn’t just about understanding the risks, but also emphasizing our collective power to combat them.” Matt Gorham, Assistant Director, FBI Cyber Division
Cybersecurity is generally not something businesses want to invest in; it is something they have to invest in. As a result of this mindset, a large percentage of cybersecurity efforts are driven by a company breach or by government regulation obligating them to make an effort. Where this effort initially falters is that organizations rely on such regulations with such fixed emphasis that they neglect to remain current with the ever-evolving threat landscape and to keep up with what hackers are actually targeting, a vital mistake.
Fortunately, cybercrime is a media-gruel; tech-savvy reporters are always looking to report on the latest shifts in cybercrime attack methodologies. Thus, if your organization’s security staff are keen enough to pay attention, you have the distinct advantage of being able to learn what those threats are and how to prepare and improve your organization’s cybersecurity posture against them. The only problem is that this requires consistent and unwavering attention to the latest trends and associated fixes.
The Weakest Link
Naturally, most attackers will seek out the path of least resistance. Of late, the focus appears to be shifting toward servers and individuals. Individuals, after all, cannot be patched, and this is why there has been a distinct uptick in the appearance of phishing campaigns and other forms of social engineering.
Phishing is the fraudulent practice of sending emails purporting to be from a reputable source in order to induce individuals to reveal personal information, such as passwords, usernames and credit card information.
Social Engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes.
Cybercriminals are aware that the weakest link in the chain is people. Employees are still clicking where they should not, using predictable passwords, recycling passwords and uploading sensitive data where they shouldn’t. To add insult to injury, there is an extreme shortage of skilled and, more importantly, experienced cybersecurity professionals worldwide. The vast majority of security analysts working in organizations have never experienced a live, real-world attack and, as a result, most businesses remain grossly unprepared.
Awareness and Mandatory Regulation
With the recent regulation efforts, including GDPR and the new Canadian Breach Reporting Laws going into effect as of November 2018, it is more important than ever that information security professionals look very closely at what is and what is not working for their organizations: Are they doing enough, and the right kind of, awareness training? Are they bringing in the right third-party vendors to perform regular penetration testing?
For more information on Choosing a Penetration Testing Company, or to learn more about the services that would best suit your organization, please review our website and contact us for in-depth information on how to prepare your organization.