Cybersecurity should be a concern for all businesses — large and small. Cybersecurity also should be a concern for consumers, government agencies, and basically anyone who relies on the Internet in our increasingly connected world.
To cite two high-profile examples of mass cybercrime, some 3 billion Yahoo accounts were hacked in 2016, and 412 million Friendfinder accounts were compromised in 2017, according to cybersecurity research firm Varonis.
The average cost of a malware attack was US$2.4 million, while the cost in lost time averaged 50 days, the firm found. Even more worrisome, the average cost of global cybercrime increased by 27 percent in 2017, with ransomware costs exceeding $5 billion that year — 15 times higher than ransomware costs just two years previously.
The problem is that far too many people still disregard the threats.
“Yes, we should definitely be thinking about cybersecurity all the time,” said Elad Shapria, head of research at cybersecurity firm Panorays.
“We should be thinking about it at least as often as we use our smartphones, computers, and any devices that connect to the Internet, which is pretty much every minute of the day,” he told TechNewsWorld. “But because connecting to the Internet and sharing data is so much a part of our lives, we tend to push their ramifications to the back of our minds.”
Fortunately there are efforts to focus attention on the threatscape in the hope that knowing truly is half the battle. A spotlight will shine on many of those efforts in October, which is National Cyber Security Awareness Month, or NCSAM. The National Cyber Security Division of the Department of Homeland Security and the nonprofit National Cyber Security Alliance joined to designate the month as a way to raise awareness about the importance of cybersecurity.
NCSAM first launched in 2004 as a part of a broad effort to educate Americans and help them stay safe and secure online. Initial efforts touted simple things people could do, such as keeping antivirus programs up to date. The goal was to remind consumers to do cybersecurity updates in October — similar to remembering to change batteries in a smoke detector when they set their clocks back in fall or forward in spring.
“It grew out of the earlier awareness efforts by NCSA, working in conjunction with industry and government partners,” said Kelvin Coleman, executive director of NCSA.
In more recent years the efforts have expanded, and since 2009 the month has included the overall theme, “Our Shared Responsibility,” to reflect how everyone — from large companies to individual computer users — plays a role in securing digital assets.
“We want people to understand that cybersecurity is a shared responsibility, because what we do online can affect others,” Coleman told TechNewsWorld.
“When that employee opens a bad link on their office email, it could have wider repercussions for the company and put everyone at risk,” he added.
“We have found that this ongoing outreach to various target audiences really works well,” said Coleman. “In addition to sharing information with the media, we disseminate materials and resources via our partners, who represent industry, government, small and mid-sized businesses and academia, so our message is spread widely through various channels, reaching a broad group.”
For 2019 the overarching message of NCSAM is “Own IT. Secure IT. Protect IT.” The goal this year is to focus on key areas related to citizen privacy, consumer devices, and e-commerce security.
“It’s important to designate times, such as National Cybersecurity Awareness Month, to remind ourselves what we are facing and how we can be vigilant,” said Panorays’ Shapria.
“One significant problem is that we keep seeing devastating third-party data breaches,” he noted.
These attacks can often occur when hackers target vendors with the goal of accessing the data of the large companies the vendors are connected to or otherwise work with.
“We saw this happen this year with Wipro, Evite and AMCA — and such cyber incidents can result in lost consumer confidence and loyalty, costly regulatory penalties for the companies, and even bankruptcy,” warned Shapria.
What shouldn’t be part of the solution is the assumption that employees at any level understand the threat. This all too often can lead to lax security behaviors.
“What is obvious is usually subjective. Businesses must recognize that employee awareness and training for cybersecurity threats is a key part of how they can mitigate the inadvertent or deliberate employee breach,” said Justin Fox, director of DevOps engineering at NuData Security, a Mastercard company.
“Employees need to be trained on what security warnings are legitimate warnings they should care about, versus ads that look like a warning,” he told TechNewsWorld.
“Employees need to understand how the business has implemented their security protocols and [be educated] in some of the most common messages they may receive from security software,” Fox added. “Then they’re likely to understand how to respond to threats correctly.”
Shared Data, Shared Responsibly
The daily sharing of data has complicated matters when it comes to cybersecurity. In addition to worrying about protecting their own data, everyone now must trust every company, vendor, client, employer and employee to protect their data as well.
“Businesses need to be aware that when they hire and share data with vendors, they are greatly increasing the risk of being breached through those vendors,” suggested Panorays’ Shapria.
Companies must thoroughly assess and continuously monitor their vendors’ cyber posture with the same diligence that they monitor their own computers, networks and systems.
Simply put, everyone needs to recognize the severity of the ongoing threat.
“Consumers need to be aware so that they can understand what companies are doing with their data and demand stronger controls,” said Shapria.
“C-level execs need to be aware since security directly affects the cost of doing business, while employees need to be aware so that they don’t expose their companies to cyber risk,” he added. “Developers need to be aware so that they can program solutions that are secure, and network administrators need to be aware so they can safeguard their companies and customer data.”
Failure to Act
The costs of failure to heed warnings can be massive — not only in dollars but in wasted time, lost productivity, and even the social stigma that can accompany hacks. Cities such as Baltimore and Atlanta, companies such as Target and Yahoo, and even government agencies such as the Office of Personnel Management have had to respond to significant cyberattacks.
The danger is getting so bad that eventually the Internet, which has become the glue that holds the connected world together, could fail to the point that it couldn’t be trusted.
“Who is going to want to use [the Internet] if all your records become open fodder and can be so easily accessed by hackers?” pondered Daniel M. Gerstein, Ph.D., senior policy researcher at the RAND Corporation.
“If we can’t get our act together and truly address this issue, the current Internet could eventually become little more than a simple sharing platform for information,” he told TechNewsWorld.
The Internet may not go away, but if data isn’t secure there could be a future when it is relied on only for streaming Netflix and looking up facts on Wikipedia. That scenario might seem extreme, but the Web could be just one major breach away from a breaking point.
“We need to be serious about security, and there are ways to protect it, but right now the average consumer basically could become road kill on the information superhighway,” warned Gerstein.
There’s hope that persistent awareness-raising efforts will pay off.
“We have found that this ongoing outreach to various target audiences really works well,” said NCSA’s Coleman. “In addition to sharing information with the media, we disseminate materials and resources via our partners, who represent industry, government, SMBs and academia, so our message is spread widely through various channels, reaching a broad group.”