Cybersecurity should be a concern for all businesses — large and small. Cybersecurity also should be a concern for consumers, government agencies, and basically anyone who relies on the Internet in our increasingly connected world.
To cite two high-profile examples of mass cybercrime, some 3 billion Yahoo accounts were hacked in 2016, and 412 million Friendfinder accounts were compromised in 2017, according to cybersecurity research firm Varonis.
The average cost of a malware attack was US$2.4 million, while the cost in lost time averaged 50 days, the firm found. Even more worrisome, the average cost of global cybercrime increased by 27 percent in 2017, with ransomware costs exceeding $5 billion that year — 15 times higher than ransomware costs just two years previously.
The problem is that far too many people still disregard the threats.
“Yes, we should definitely be thinking about cybersecurity all the time,” said Elad Shapira, head of research at cybersecurity firm Panorays.
“We should be thinking about it at least as often as we use our smartphones, computers, and any devices that connect to the Internet, which is pretty much every minute of the day,” he told TechNewsWorld. “But because connecting to the Internet and sharing data is so much a part of our lives, we tend to push their ramifications to the back of our minds.”
Fortunately there are efforts to focus attention on the threatscape in the hope that knowing truly is half the battle. A spotlight will shine on many of those efforts in October, which is National Cyber Security Awareness Month, or NCSAM. The National Cyber Security Division of the Department of Homeland Security and the nonprofit National Cyber Security Alliance joined to designate the month as a way to raise awareness about the importance of cybersecurity.
NCSAM first launched in 2004 as a part of a broad effort to educate Americans and help them stay safe and secure online. Initial efforts touted simple things people could do, such as keeping antivirus programs up to date. The goal was to remind consumers to do cybersecurity updates in October — similar to remembering to change batteries in a smoke detector when they set their clocks back in fall or forward in spring.
“It grew out of the earlier awareness efforts by NCSA, working in conjunction with industry and government partners,” said Kelvin Coleman, executive director of NCSA.
In more recent years the efforts have expanded, and since 2009 the month has included the overall theme, “Our Shared Responsibility,” to reflect how everyone — from large companies to individual computer users — plays a role in securing digital assets.
“We want people to understand that cybersecurity is a shared responsibility, because what we do online can affect others,” Coleman told TechNewsWorld.
“When that employee opens a bad link on their office email, it could have wider repercussions for the company and put everyone at risk,” he added.
“We have found that this ongoing outreach to various target audiences really works well,” said Coleman. “In addition to sharing information with the media, we disseminate materials and resources via our partners, who represent industry, government, small and mid-sized businesses and academia, so our message is spread widely through various channels, reaching a broad group.”
For 2019 the overarching message of NCSAM is “Own IT. Secure IT. Protect IT.” The goal this year is to focus on key areas related to citizen privacy, consumer devices, and e-commerce security.
“It’s important to designate times, such as National Cybersecurity Awareness Month, to remind ourselves what we are facing and how we can be vigilant,” said Panorays’ Shapira.
“One significant problem is that we keep seeing devastating third-party data breaches,” he noted.
These attacks can often occur when hackers target vendors with the goal of accessing the data of the large companies the vendors are connected to or otherwise work with.
“We saw this happen this year with Wipro, Evite and AMCA — and such cyber incidents can result in lost consumer confidence and loyalty, costly regulatory penalties for the companies, and even bankruptcy,” warned Shapira.
What shouldn’t be part of the solution is the assumption that employees at any level understand the threat. This all too often can lead to lax security behaviors.
“What is obvious is usually subjective. Businesses must recognize that employee awareness and training for cybersecurity threats is a key part of how they can mitigate the inadvertent or deliberate employee breach,” said Justin Fox, director of DevOps engineering at NuData Security, a Mastercard company.
“Employees need to be trained on what security warnings are legitimate warnings they should care about, versus ads that look like a warning,” he told TechNewsWorld.
“Employees need to understand how the business has implemented their security protocols and [be educated] in some of the most common messages they may receive from security software,” Fox added. “Then they’re likely to understand how to respond to threats correctly.”
Shared Data, Shared Responsibly
The daily sharing of data has complicated matters when it comes to cybersecurity. In addition to worrying about protecting their own data, everyone now must trust every company, vendor, client, employer and employee to protect their data as well.
“Businesses need to be aware that when they hire and share data with vendors, they are greatly increasing the risk of being breached through those vendors,” suggested Panorays’ Shapira.
Companies must thoroughly assess and continuously monitor their vendors’ cyber posture with the same diligence that they monitor their own computers, networks and systems.
Simply put, everyone needs to recognize the severity of the ongoing threat.
“Consumers need to be aware so that they can understand what companies are doing with their data and demand stronger controls,” said Shapira.
“C-level execs need to be aware since security directly affects the cost of doing business, while employees need to be aware so that they don’t expose their companies to cyber risk,” he added. “Developers need to be aware so that they can program solutions that are secure, and network administrators need to be aware so they can safeguard their companies and customer data.”
Failure to Act
The costs of failure to heed warnings can be massive — not only in dollars but in wasted time, lost productivity, and even the social stigma that can accompany hacks. Cities such as Baltimore and Atlanta, companies such as Target and Yahoo, and even government agencies such as the Office of Personnel Management have had to respond to significant cyberattacks.
The danger is getting so bad that eventually the Internet, which has become the glue that holds the connected world together, could fail to the point that it couldn’t be trusted.
“Who is going to want to use [the Internet] if all your records become open fodder and can be so easily accessed by hackers?” pondered Daniel M. Gerstein, Ph.D., senior policy researcher at the RAND Corporation.
“If we can’t get our act together and truly address this issue, the current Internet could eventually become little more than a simple sharing platform for information,” he told TechNewsWorld.
The Internet may not go away, but if data isn’t secure there could be a future when it is relied on only for streaming Netflix and looking up facts on Wikipedia. That scenario might seem extreme, but the Web could be just one major breach away from a breaking point.
“We need to be serious about security, and there are ways to protect it, but right now the average consumer basically could become road kill on the information superhighway,” warned Gerstein.
There’s hope that persistent awareness-raising efforts will pay off.
“We have found that this ongoing outreach to various target audiences really works well,” said NCSA’s Coleman. “In addition to sharing information with the media, we disseminate materials and resources via our partners, who represent industry, government, SMBs and academia, so our message is spread widely through various channels, reaching a broad group.”