38 Cybersecurity Awareness Month Quotes from Industry Experts in 2023

For Cybersecurity Awareness Month, the editors at Solutions Review have compiled a list of comments from some of the top leading industry experts.

As part of Cybersecurity Awareness Month, we called for the industry’s best and brightest to share their comments. The experts featured represent some of the top Cybersecurity solution providers with experience in these marketplaces, and each projection has been vetted for relevance and ability to add business value.

A number of thought leaders were presented with this prompt: What are some overlooked cybersecurity best practices people take for granted/easily forget? Things that might be obvious to experts but not to the average enterprise user. Or best practices that are so obvious when you say them out loud, but are often forgotten.

Here’s how they responded, along with some general responses from other experts and thought leaders, for Cybersecurity Awareness Month.

37 Cybersecurity Awareness Month Quotes from Industry Experts in 2023

Éric Leblond, Co-Founder and Chief Technology Officer at Stamus Networks

A frequently underestimated and sometimes undervalued component of enterprise security is the pivotal role of network detection and response (NDR) systems. Frequently, security teams opt to implement an endpoint detection and response (EDR) system as their initial enterprise-wide threat detection technology and later introduce (NDR) if and when budget allows. And while EDR can play a crucial role in detecting and responding to specific threats within an organization, it comes with some limitations including the inability to install EDR on every single endpoint, the ability for threat actors to evade endpoint agents, and the ability for mechanisms like DNS tunneling to remain concealed from endpoint detection systems.

Organizations should consider these limitations when implementing EDR solutions and should consider integrating EDR with NDR to unite endpoint-level data with network-level data to enhance the overall threat detection capabilities of both systems.

By combining endpoint telemetry with network traffic analysis, organizations can detect advanced threats that span across multiple devices and network segments. Additionally, the contextual information provided by both EDR and NDR enhances incident response capabilities, enabling faster and more accurate response to security incidents.

Sanjay Bhakta, VP of Solutions at Centific

One of the most often overlooked cybersecurity best practices is software updates and upgrades to IT systems, devices, and browsers. Consumers and businesses alike may benefit by updating and upgrading their browsers, system patches, operating systems, and applications. The infamous WannaCry ransomware is an example of the ramifications that could have been prevented with the software update made available weeks prior to the exploitation from the malware attack. Caveat emptor, regarding emails indicating compromised security vulnerability or URLs that automatically update their software across their devices by providing a simple login and password. Obviously, the latter is more of a phishing attack.

There’s an opportunity cost of updating software immediately or delaying the decision. Unfortunately, the average person deprioritizes updates, attributing a lower probability of occurrence for an attack. Updates are perceived as disruptive to the fabric of our daily routines, equating it to time, effort, and/or money involved. From experimentations, it appears only 17 percent of users on average install updates on the day they’re available, 53.2 percent install within one week, with the rate significantly declining after 102 days, while 35 percent of experts consider updates as one of the top three actions performed to stay safe.

Consumers and businesses may opt-in for automated updates, more importantly digital citizens should be educated on the sources and rational of updates, such as visiting CISA, MITRE ATT&CK, NCA, Norton, NSA, as well as subscribing to notifications or alerts from the state government(s), financial services provider, network provider, retailer, and/or telecom or mobile provider. Businesses should further institutionalize a rigorous SecOps practice, interleaving proactive tactics using AI and Gen AI for predicting security vulnerabilities, ethical hacking, and social engineering measures, solidifying their effectiveness.

Dan Draper, Founder and CEO of CipherStash

Very few companies actually protect data– they only protect the systems, such as databases and warehouses, where data is stored. The problem is that data never stays in one place for very long. Data science teams run reports, DevOps teams export and load data into multiple different systems, and eventually sensitive data ends up in a spreadsheet on an executive’s laptop. Because 82 percent of data breaches start with an attack on an individual, applying protections at the system level is quite simply not sufficient to prevent breaches. Protecting data directly using encryption-in-use technology ensures that access controls remain in place, even as data moves across the organization. It hasn’t been practical in the past but technology is now at the point where there are really no excuses for implementing data-level protections.

Igor Volovich, VP of Compliance Strategy at Qmulos

Compliance, often relegated to a retrospective check-box exercise, actually holds untapped potential as a real-time risk intelligence source. In the rush to adopt the latest cybersecurity tools, many organizations overlook the strategic advantage of leveraging the consistency and breadth of compliance frameworks. By embracing compliance automation, we can operationalize this function, bringing it in sync with real-time security operations and threat intelligence. This not only provides a holistic view of the organization’s security posture but also eliminates the subjectivity that often clouds security strategy decisions. It’s a simple truth: When we align compliance with our real-time cybersecurity efforts, we transform it from a mere regulatory obligation to a proactive, strategic powerhouse.

The cyber landscape is vast, intricate, and constantly evolving. CISOs today face an overwhelming challenge: they’re expected to balance priorities across business objectives, risk management, security imperatives, compliance demands, and regulatory mandates, all while contending with adversaries wielding asymmetric threats of escalating scale and complexity. In this high-wire act, consistency in executive decision-making often falls by the wayside, leading to reactive strategies and misaligned resource allocations. The prevailing focus on the latest security trends and the reactive nature of many strategies only adds to the quandary. However, what’s frequently overlooked is the comprehensive nature of compliance frameworks. These frameworks, if leveraged correctly, can cut through the chaos and provide a grounded, consistent lens to view and manage cyber risks. Transitioning from viewing compliance as just a historical reporting obligation to using it as a real-time enterprise risk posture analytics tool can be transformative. With compliance automation at the helm, CISOs can gain the clarity and insight they need for data-driven, proactive decision-making, and strategic alignment, easing their monumental balancing act.

Greg Ellis, General Manager, Application Security at Digital.ai

We are trained at work on phishing awareness, password hygiene, and other general security measures but then we fail to take similar measures in our home environments. Often these home environments, and sometimes even the home devices are being used to connect to enterprise networks when things come up quickly late at night or on the weekend. It is equally important to take good cybersecurity measure at home including such items as:

• using a password manager to regularly update and use unique passwords
• update firmware regularly on routers and WiFi devices
• partition a guest network separately from your home network on your WiFi
• think about whether smart devices (such as TVs) should be on your home network or a guest network
• regularly check for and apply firmware updates on smart devices
• regularly check for and apply updates to operating systems and applications (on both desktop and mobile) devices
• regularly back up your desktop and mobile devices to a separate drive or cloud system that is not connected all the time to your network (this helps reduce likelihood of random ware propagating to other drives)
• teach your family about phishing awareness and any children about internet safety

Again, many of us are exposed to this mindset in our enterprise environment but quite often fail to bring these best practices home.

Andre Slonopas, Cybersecurity Department Chair at American Public University System

Strong Passwords: Despite a simple rule, many users use weak or repeated passwords across platforms. If credentials are overused, this makes brute-force password decryption simpler for criminals and facilitates platform infiltration. For security purposes, users should use password management tools to generate and store complex passwords. Changing passwords frequently and employing a combination of letters, numbers, and special characters can protect data.

Multi-factor Authentication (MFA): MFA makes unauthorized access difficult by requiring two verifications. A malicious party could acquire the password, but verification would require a fingerprint, mobile device, or hardware token. MFA prevents fraudsters from targeting vulnerable accounts, thereby enhancing the security of the internet.

Patch regularly: People delay enhancements because they are unaware that they resolve security issues. Malware and other hazards can penetrate vulnerabilities that are not addressed. Installing updates promptly may prevent vendor-resolved software issues. Regular updates enhance the user experience and system security by enhancing system functionality and performance. Whenever possible, configure software to update automatically to avoid delays.

Hanan Hibishi, Assistant Teaching Professor at the Information Networking Institute at Carnegie Mellon University

Reusing passwords: People continue to reuse/recycle their old passwords, which is an intuitive practice if one relies on memorizing passwords. Many recent attacks take advantage of users reusing the same password for multiple systems (Colonial Pipeline is a good example). On the other hand, telling users not to reuse passwords seems to be impractical because there is a limit to how many passwords a human can recall from memory, and users typically have accounts on numerous systems (beyond a handful).

For a more practical approach, I recommend that users use password managers, software that organizes user accounts and passwords and generates stronger passwords for users. Filling out account credentials is now easier (with a click instead of typing long strings of text), and it is a more secure approach than memorizing passwords. In addition, users can leverage single sign-on when possible. Instead of creating profiles and accounts on many systems, choose to log in with existing credentials if that is an option when creating an account.

Kayne McGladrey, IEEE Senior Member

When CISOs work with go-to-market teams, cybersecurity transforms from a mere cost center into a valuable business function. This change is crucial in B2B interactions where robust cybersecurity controls offer a competitive advantage. A centralized inventory of cybersecurity controls, grounded in current and past contracts, helps businesses gauge the financial impact of these partnerships. This inventory also identifies unnecessary or redundant controls, offering an opportunity for cost reduction and operational streamlining. By updating this centralized list after the termination of contracts, the business can further optimize both its security posture and operational costs. This integrated strategy empowers the business to make well-informed, data-driven decisions that enhance profitability while maintaining robust security controls.

Max Shier, CISO at Optiv

Because we all have a lot on our plate are moving fast to get everything done, it’s worth reminding employees they need to slow down when reading emails and text messages and when listening to voicemails. The social engineers who craft phishing, smishing and vishing attacks are banking on the fact people are busy and likely going to overlook red flags. Employees should be reminded if an attempted social engineering attack is received, they need to report the suspected attack to security as there may be others receiving the same messages.

Along the same lines, even though software and device updates always seem to come at the worst times, the importance of updating immediately cannot be overstated. Updates not only enhance features, but they also provide security patches to address known vulnerabilities. Every minute those vulnerabilities are left unpatched is another minute that threat actors have an open door onto the network.

Jerome Becquart, Chief Operating Officer at Axiad

One area security teams can overlook or tend to put less emphasis on is account recovery. When deploying MFA, organizations tend to focus their time and efforts mainly on the authentication experience. However, they do not spend enough time defining secure, user friendly account recovery workflows such as when a MFA method is not available or does not work for an end user. This typically results in not only a bad user experience, but also weaker security overall for the company.

Scott Gerlach, CSO and Co-Founder of StackHawk

With new technology, comes new attack vectors, new attack types, and new problems for security teams to learn, understand, and keep up with. With the speed and deployment of APIs growing insanely fast, and the historically unbalanced ratio of AppSec teams to Developers (1:100), to say it’s a challenge for security teams to keep pace with development is an understatement. Utilizing a developer-first philosophy that acknowledges the pivotal role software creators have with cybersecurity efforts, and bridging that gap between AppSec and engineering is critical to ensure the safe and secure delivery of APIs and applications to production. Bring the right information to the right people at the right time to help them make decisions!

Joni Klippert, CEO and Founder of StackHawk

Viewing security as either a hindrance or a reactive measure doesn’t promote the timely delivery of secure software. With organizations relying heavily on APIs to power their applications, recent research from ESG underscores how this dependency can exacerbate security risks. As development and release cycles for APIs continue to accelerate, we’ll see more challenges as feedback loops for fixes overload developers, and AppSec teams are unable to scale. Organizations need to focus on adopting the right security testing mechanisms and empower the teams that develop code to help prioritize the finding and fixing of security bugs before moving to production.

Manu Singh, VP of Risk Engineering at Cowbell

Bad actors are becoming more sophisticated and clever with their approach to using emerging technologies to launch cyberattacks. The evolving cyber threat landscape is making it more difficult for organizations to defend themselves against convincing phishing emails and malicious code generated by AI.

The most important thing that organizations can learn from Cybersecurity Awareness Month is to take a proactive approach to protecting their information assets and IT infrastructure. To do this, organizations should consistently educate and promote awareness of the latest threats and risks they may face. From there, this education should transform to best practices each employee can adopt to reduce exposure to a cyber event. This promotes a culture of security rather than placing the responsibility on IT or security personnel. Organizations as a whole have the responsibility to secure and protect against the cyberthreats they face.

Dan Benjamin, Co-Founder and CEO at Dig Security

Cloud data assets are a prime target for cyberattacks, but the legacy solutions can no longer cope with the variety and volume of fragmented data held by organizations on multiple cloud environments. Organizations need data security solutions that fit the speed of innovation in the cloud without impacting their business, to address time to detect and respond to an incident; reduce the amount of shadow data; and minimize the growing attack surface. To avoid data exfiltration and data exposure, today’s organizations must take a data first approach to cloud data security. This Cybersecurity Awareness Month, enterprises should prioritize adopting solutions that deliver real-time data protection across any cloud and any data store, in order to reduce data misuse, achieve compliance, and prevent ransomware attacks or data breaches.

Randy Watkins, CTO of Critical Start

Cybersecurity Awareness Month has traditionally focused on educating consumers, who are often susceptible as targets of opportunity, where there is a high likelihood of success, but a low yield. While some of the typical security reminders and best practices can transcend the workplace to create a culture of security, we should also use this opportunity to highlight additional areas of education:

• Board Level – A litany of cyber regulations has been proposed or approved on everything from breach disclosure to board membership. Educating the board on the organizations current cyber posture, impact on risk, coming regulations, along with the plans team to accommodate the regulation can help get buy-in early and show the value of security to the organization.
• End Users – Go beyond phishing education and inform your users of the people, procedures, and products that are being used to protect them. With the understanding of the investment made by the organization, others may look to see how they could be good stewards of cyber posture.
• The Security Team – It’s time for the teachers to become the students. While cybersecurity education programs target the “riskiest attack surface of the organization” (end users), it is important to obtain feedback from those end users on how security practices and technology could be more effective.

Darren Guccione, CEO and Co-Founder of Keeper Security

Let’s face it– it may be time to change the name of Cybersecurity Awareness Month to Cybersecurity Action Month. Sadly, individuals and businesses around the globe are already all too aware of the pain and damage that cyberattacks can inflict.

This October, organizations should take action by prioritizing adoption of solutions that prevent the most prevalent cyberattacks, including password and Privileged Access Management (PAM) solutions. These highly effective tools offer robust cybersecurity protections, and next-gen, cloud-based versions of these solutions are accessible to any-size organization, regardless of their budget or available resources. According to recent research, PAM products give 91 percent of IT leaders more control over privileged user activity, decreasing the risk of insider and external breaches.

In addition to prevention, organizations must prepare and secure their systems to mitigate threats and minimize the impact on systems, data and operations. The most effective method for minimizing sprawl if an attack does occur is investing in prevention with a zero-trust and zero-knowledge cybersecurity architecture that will limit, if not altogether prevent, a bad actor’s access.

John Gallagher, Vice President of Viakoo Labs

CISA chose a great theme with “Secure Our World”. The focus for anyone with network-connected IoT devices is on “Our” – meaning that IoT cybersecurity is a shared responsibility. Organizations can embrace the “Secure Our World” theme by creating an ongoing dialogue between the operators of IoT devices (the lines of business within a company) and organizations like procurement and IT who can help source IoT devices that are cyber secure and help maintain them.

It’s not “Secure Our Datacenter” or “Secure Our Computers” – it’s “Secure Our World”, which means organizations should be looking beyond computers and core applications to every network-connected device, such as IoT, and asking if that device has a plan and means to become and remain secure with the least human effort needed.

If I was to add one more word to this year’s theme it would be “Automatically”. “Secure Our World Automatically” challenges organizations to improve the speed of security operations and relieve humans of tedious tasks like patching, rotating passwords, and screening for phishing attempts. Rapidly closing the window of opportunity that a threat actor can operate in is key to securing our scaled out, geographically sprawled attack surfaces of IT, IoT, OT, and ICS.

Kris Lahiri, Co-Founder and Chief Security Officer of Egnyte

In today’s hybrid work environment, prioritizing cybersecurity is critical. Cyber threats are intensifying, with severe and long-lasting impacts on businesses. Yet, many organizational leaders still remain in the dark when it comes to protecting and managing their content. As we observe Cybersecurity Awareness Month, it’s important to remember that cybersecurity is not just about checking boxes. The frequency and scale of cyber attacks have continued to skyrocket, along with the financial toll and damage to brand reputation. Unfortunately, many organizations lack the proper tools to detect these attacks. Business leaders must also understand that the threat landscape is rapidly changing. Companies can improve their cybersecurity posture by combining foundational practices with cutting-edge technologies. Leveraging secure solutions doesn’t have to be complicated or robust to ensure safer data transactions and achieve unparalleled insights into content usage and access. Overall, businesses can avoid becoming a statistic and refine their data management strategies by making cybersecurity a team sport so that it is an integral part of their employees’ daily lives through education and prevention.

Paul Rohmeyer, Adjunct Professor of Information Systems at Stevens Institute of Technology

One of the challenges in maintaining cybersecurity awareness is that message repeated too frequently tend to have less and less impact, so we need to anticipate some of the most important messages will in fact be forgotten. We constantly hear about the importance of changing passwords and using complex passwords, but password audits routinely show continued use of weak passwords, and use of the identical password across multiple systems leading to a cascading effect if there is a breach. Another concern is clicking on links in emails, and falling victim to phishing and spearphishing. Phishing scams are based on the knowledge that, if sent to a large enough population, some number of recipients will in fact click on malicious links. This is often due to simply a moment of inattention by otherwise cyber-aware users, but even unsophisticated attackers can now leverage inexpensive but effective phishing platforms for low cost repetition of attacks that will unfortunately claims some victims. A third item is system updates. Despite the convenience of automated updates to Windows and Macs, users may postpone running the updates, leaving themselves vulnerable to known attacks. Change your passwords, use strong and unique passwords, don’t click on unknown links and apply system updates to all your devices– these are basics we’ve all heard but may not act upon as swiftly as we should.

Joe Regensburger, Vice President of Research Engineering at Immuta

AI and large language models (LLMs) have the potential to significantly impact data security initiatives. Already organizations are leveraging it to build advanced solutions for fraud detection, sentiment analysis, next-best-offer, predictive maintenance, and more. At the same time, although AI offers many benefits, 71 percent of IT leaders feel generative AI will also introduce new data security risks. To fully realize the benefits of AI, it’s vital that organizations must consider data security as a foundational component of any AI implementation. This means ensuring data is protected and in compliance with usage requirements. To do this, they need to consider four things: (1) “What” data gets used to train the AI model? (2) “How” does the AI model get trained? (3) “What” controls exist on deployed AI? and (4) “How” can we assess the accuracy of outputs? By prioritizing data security and access control, organizations can safely harness the power of AI and LLMs while safeguarding against potential risks and ensuring responsible usage.

David Divitt, Senior Director, Fraud Prevention & Experience at Veriff

We’ve all been taught to be on our guard about “suspicious” characters as a means to avoid getting scammed. But what if the criminal behind the scam looks, and sounds, exactly like someone you trust? Deepfakes, or lifelike manipulations of an assumed likeness or voice, have exploded in accessibility and sophistication, with deepfakes-as-a-service now allowing even less-advanced fraud actors to near-flawlessly impersonate a target. This progression makes all kinds of fraud, from individual blackmail to defrauding entire corporations, significantly harder to detect and defend against. With the help of General Adversarial Networks (GANs), even a single image of an individual can be enough for fraudsters to produce a convincing deepfake of them.

Certain forms of user authentication can be fooled by a competent deepfake fraudster, necessitating the use of specialized AI tools to identify the subtle but telltale signs of a manipulated image or voice. AI models can also be trained to identify patterns of fraud, enabling businesses to get ahead of an attack before it hits.

AI is now at the forefront of fraud threats, and organizations that fail to use AI tech to defend themselves will likely find themselves the victim of it.

James Hadley, CEO and Founder of Immersive Labs

Cybersecurity awareness month has good intentions. But, if organizations are focused on awareness alone, they’re losing. Awareness is not enough for organizations to achieve true cyber resilience. Resilience means knowing that your entire organization has the knowledge, skills, and judgment to respond to emerging threats, backed by data. Businesses need proof of these cyber capabilities to ensure that when an attack inevitably happens, their organization is prepared to respond.

Outdated training models and industry certifications that organizations have traditionally relied on have failed to make them safer and instead have created a false sense of security — which is why nearly two-thirds of security leaders now agree that they are ineffective in ensuring cyber resilience.

Continuous, measurable exercising across your entire workforce — from the store room to the board room — provides businesses with the insights they need to understand the current state of their cyber resilience and where their weak points lie. It also creates a more positive cybersecurity culture that encourages reporting rather than punishing employees when a breach does happen. With top-to-bottom cybersecurity education, organizations are moving beyond awareness and can ensure that their data is secure.

Yariv Fishman, Chief Product Officer at Deep Instinct

This Cybersecurity Awareness Month is unlike previous years, due to the rise of generative AI within enterprises. Recent research found that 75 percent of security professionals witnessed an increase in attacks over the past 12 months, with 85 percent attributing this rise to bad actors using generative AI.

The weaponization of AI is happening rapidly, with attackers using it to create new malware variants at an unprecedented pace. Current security mechanisms rooted in machine learning (ML) are ineffective against never-before-seen, unknown malware; they will break down in the face of AI-powered threats.

The only way to protect yourself is with a more advanced form of AI. Specifically, Deep Learning. Any other NL-based, legacy security solution is too reactive and latent to adequately fight back. This is where EDR and NGAV fall short. What’s missing is a layer of Deep Learning-powered data security, sitting in front of your existing security controls, to predict and prevent threats before they cause damage. This Cybersecurity Awareness Month, organizations should know that prevention against cyber attacks is possible– but it requires a change to the “assume breach” status quo, especially in this new era of AI.

Nick Carroll, Cyber Incident Response Manager at Raytheon, an RTX Business

As cyber threats continue to quickly evolve, organizations are being challenged to act just as fast in counter defense. This rush to keep up can often lead to the harmful practice of organizations skipping the foundational basics of cyber defense and failing to establish a general sense of cyber awareness within the business. Without a solid security culture at the foundation, security tools, such as expensive firewalls or endpoint detection and response (EDR), will ultimately become ineffective in the long term. It’s imperative to build cybersecurity awareness among employees and third parties that work with the business, as well as determine the ways in which security will be integrated into the organization’s culture and operations. Once these steps are taken, organizations will be better positioned to build off of a solid organizational footing that will be most effective for cyber defense initiatives in the long run.

Olivier Gaudin, Co-CEO & Founder of Sonar

This Cybersecurity Awareness Month (CAM), a message to business leaders and technical folks alike: Software is immensely pervasive and foundational to innovation and market leadership. And if software starts with code, then secure or insecure code starts in development, which means organizations should be looking critically at how their code is developed. Only when code is clean (i.e. consistent, intentional, adaptable, responsible) can security, reliability, and maintainability of software be ensured.

Yes, there has been increased attention to AppSec/software security and impressive developments in this arena. But still, these effort are being done after the fact, i.e. after the code is produced. Failing to do this as part of the coding phase will not produce the radical change that our industry needs. Bad code is the biggest business liability that organizations face, whether they know it or not. And chances are they don’t know it. Under their noses, there is technical debt accumulating, leading to developers wasting time on remediation, paying some small interest for any change they make, and applications being largely insecure and unreliable, making them a liability to the business. With AI-generated code increasing the volume and speed of output without an eye toward code quality, this problem will only worsen. The world needs Clean Code.

During CAM, we urge organizations to take the time to understand and adopt a ‘Clean as You Code’ approach. In turn, this will stop the technical debt leak, but also remediate existing debt whenever changing code, reducing drastically the cybersecurity risks, which is absolutely necessary for businesses to compete and win– especially in the age of AI.

Doug Kersten, CISO at Appfire

First and foremost, whether an employee has been at an organization for 20 days or 20 years, they should have a common understanding of how their company approaches cybersecurity; and be able to report common threats to security.

It’s been refreshing to see security come to the forefront of conversation for most organizations. It was rare 20 years ago that cybersecurity awareness was even a training concern unless you were at a bank or regulated institution. Today, it is incredibly important that this heightened interest and attention to security best practices continues. With advancements in technology like AI, employees across industries will face threats they’ve never encountered before – and their foundational knowledge of cybersecurity will be vital.

Employees today should be well-trained on security standards and feel comfortable communicating honestly with their security teams. Even more important, security leaders should ensure their organizations have anonymous alternatives for employees to report their concerns without fear of retaliation or consequence. By combining education and awareness into the foundation of your organization’s security framework, and empowering employees, the odds of the realization of a threat decrease exponentially.

James Lapalme, Vice President & GM for Identity at Entrust

While we can recognize Cybersecurity Awareness Month, it’s important that we prioritize cybersecurity all year round. Threat actors are constantly threatening organizations in unique and rapidly evolving ways, and business leaders need to remain nimble to ensure that their systems and teams are prepared for these evolving risks.

As we’ve seen in the news in recent weeks, spear phishing and social engineering attacks have become a common way for bad actors to create realistic scams that can slip by even the most knowledgeable employee. And, with the advancements in generative AI, adversaries can accelerate the potential impact of these attacks to gain access to sensitive data. The reputational and monetary losses these organizations and their customers experience can be felt for years to come.

Organizations have become so reliant on credentials that they have stopped verifying identity, so to get access or reset access, all you have to do is to give a code or answer a secret question. While that is convenient from a productivity perspective, it leaves the door open to cyber-attacks, which is why we’ve seen these spates of compromises.

Rather than rely on individuals who are frequently too caught up in day-to-day tasks to notice the subtle nuances of these scams, organizations need to evolve their technology response and look to phishing-resistant identities. Methodologies to achieve a high assurance level of Identity verification are Certificate-based authentication for both user and device verification, risk-based adaptive set-up authentication, and implementing ID verification as part of authentication process (or as a high assurance authentication strategy) for high value transactions and privileged users are all ways for businesses to build out their Zero Trust, explicitly Identity verified strategies and ensure the security of users even as new threats continue to emerge.

It’s important to understand that cybersecurity awareness is never really over. Good enough is not good enough. With the ever-evolving threat landscape, it’s essential for organizations to stay ahead of the curve and continue to keep evolving their technology to protect and future-proof their businesses against the ever changing threat landscape.

Steve Stone, Head of Rubrik Zero Labs

Artificial Intelligence, in particular generative AI (GAI), has dominated cybersecurity discussions in 2023.  As we look at how we can think of this technology in the context of Cybersecurity Awareness Month, there’s three topics worth our time.

First, GAI can demonstrably increase the capability and bandwidth of defense teams which are typically operating at beyond capacity.  We should seek out the right types of automation and support GAI lends itself well to so we can then reinvest the precious few cycles we have in our defense experts.  Let’s provide those skilled practitioners the ability to leverage their capabilities in the most impactful ways and transition years of legacy workflow to increased automation delivered via GAI.

Second, what are the inevitable shifts in defense needed as threats pivot to using GAI as well.  Traditionally, cybersecurity has leaned on attacker bottlenecks in our defensive posture.  At a minimum, we used these bottlenecks to classify threat types based on resourcing and capability.  GAI is undoubtedly going to shift these years-long expectations.  If any attacker can quickly use GAI to overcome language limitations, coding gaps in knowledge, or quickly understand technical nuances in a victim environment, what do we need to do differently? We should work to be ahead of these pivots and find the new bottlenecks.

Third, GAI doesn’t come with a zero cost to cybersecurity.  Even if we move past using GAI, the presence of GAI leaves us with two new distinct data elements to secure.  The first is the GAI model itself, which is nothing more than data and code.  Second, the source material for a GAI model should be secured as well.  If the model and underlying data are left undefended, we could lose these tools or have them leveraged against us in different ways all without our knowledge.

Michael Mestrovich, CISO at Rubrik

Monetization of data theft drives the cyber crime business. Modern cybercrime revolves around stealing data from organizations or denying them access to critical data. It is imperative that we maintain a security-first corporate culture and that a security mindset permeates everything that we do.

So how do we achieve this? A culture change starts with simple behavior shifts. When you walk away from your computer, do you lock it? When you’re using your laptop in public, do you have a screen guard on? When entering corporate buildings do you badge in and make sure no one is tailgating you? These sound like small things, but they are the practical day-to-day activities that people need to understand that help cultivate a security-first culture.

Arvind Nithrakashyap. Co-Founder & CTO of Rubrik

On the occasion of the 20^th Cybersecurity Awareness Month in 2023, it’s interesting to reflect on all that has changed in cybersecurity over the last two decades, as well as the surprising number of things that haven’t changed.

Let’s start with three dramatic differences.

1. The mobile revolution. The iPhone wasn’t introduced until 2007. Today, there are more than 4.6 billion smartphones worldwide, according to Statista. Add the more than 14.4 billion Internet of Things devices – connected cars, smart appliances, smart city technologies, intelligent healthcare monitors, etc. – and you have a threat landscape that few could have imagined 20 years ago.
2. Digital payments. The growing popularity of digital payments over cash is not only changing how people interact with money, it has opened up new opportunities for phishing scams, card information theft, and payment fraud. And, cryptocurrency, which didn’t exist until the late 00s, accounts for the vast majority of payments to ransomware attackers.
3. AI. Everyone is talking about artificial intelligence in 2023, but that wasn’t the case two decades ago. Now, AI is giving cybercriminals a powerful new tool to execute attacks while also turning out to be an effective weapon against hackers.

 And yet the more things change, the more they remain the same. Three examples:

1. On prem data. Despite the rise of cloud computing, many companies continue to house critical data in their own private databases and servers. This means protecting on-prem data remains, then as now, a key part of the security equation.
2. Public infrastructure. “By exploiting vulnerabilities in our cyber systems, an organized attack may endanger the security of our nation’s critical infrastructures,” said the White House’s “National Strategy to Secure Cyberspace” in 2003. The nation still worries a great deal today about how to defend energy systems, dams, and other assets from cyberattack. 
3. Security infrastructure. The cybersecurity industry used to focus on infrastructure security solutions involving the network, the applications, the end points, the cloud, the logs, etc. It still does. Those solutions remain core to a solid security strategy, though there is growing awareness that newer data security frameworks like Zero Trust are needed for fully realized defenses.

Viewed another way, much of the language one hears to describe the importance of data — “crown jewels,” “an organization’s most precious resource,” and the like — has changed little over the last 20 years. That’s because it’s still so true. Data is everything.

Joe Hall, Head of Security Services at Nile

One commonly overlooked aspect of cybersecurity is getting back to the basics. Don’t know where to start? First– it’s crucial to identify and comprehend the assets you need to protect. As larger organizations transition into hybrid cloud environments, the scope of what needs safeguarding can grow rapidly, which can be challenging for organizations struggling to keep pace with this expanding ecosystem. It’s vital to ensure that systems are not only secured but also designed to trust traffic only as needed, as failing to do so can leave vulnerabilities in the security infrastructure. The market will shift to systems that are natively secure as the risk of a misconfiguration of complex systems becomes too great.

Eric Cohen, CEO of Merchant Advocate

Some businesses may not fully understand the importance of PCI compliance or may believe it only applies to large enterprises or e-commerce companies. In reality, any organization that handles card and payment data, regardless of its size or industry, is subject to PCI compliance requirements.

Overlooking PCI compliance can have serious consequences, including fines, legal liabilities, and reputational damage should a breach or fraud attack occur. Therefore, businesses should not neglect it as part of their overall cybersecurity strategy. Instead, they should consider it as an essential component of their efforts to protect customer data and maintain trust in their brand. One way to check compliance is by examining merchant statements for PCI-related charges, either a charge to access a processor’s PCI portal or for non-compliance. These may be charged monthly or quarterly, so it’s important to regularly check merchant statements to ensure compliance.

Kobi Kalif, CEO of ReasonLabs

Our recent research indicates that malware and phishing are the most prevalent threats facing both businesses and the general population. These dangers often remain unchecked due to limited awareness and poor cybersecurity education among professionals and everyday consumers alike.

Email is a prime vector for phishing attempts and malware; as such, people need to be extremely vigilant when interacting with suspicious emails. Some best practices include:

• Be wary of any urgent requests for personal information or threats if you don’t act.
• Check the sender’s address for spoofing and inconsistencies.
• Do not enable macros in downloaded documents sent over email.
• Verify requests by contacting the source directly, without replying to the suspicious email itself. Look for spelling errors, awkward grammar or formatting as red flags.
• Report phishing emails to your email provider, and avoid opening attachments from unknown senders without verifying them first.

Password security is another challenge. Multiple studies have shown that a majority of people use weak, easily guessable passwords like “123456” across all their online accounts and frequently share passwords with others. One successful phishing attack could easily compromise several accounts with this lax personal security. Instead, create long passphrases that are easy to remember but hard to guess. For example, users should mix upper and lower case letters with numbers and symbols for complexity, enable two-factor authentication as an added layer of security, and periodically change passwords, focusing on critical accounts like email, banking, and work logins. Most importantly, passwords should not be duplicated across multiple sites; if one site is breached, it can put other accounts in jeopardy and create further issues down the line.

Rocky Giglio, Director of Security GTM & Solutions at SADA

Hackers have become extremely adept at leveraging human emotions and behavior for phishing and other types of social engineering attacks. Humans often move fast when reading emails, clicking links, or downloading documents, which gives hackers a perfect opportunity to deceive and gain access to sensitive information. These links or emails can also disguise themselves better than ever; for example, and email from what appears to be a payroll provider or internal company system can really be a hacker that made the slightest, hard-to-notice change to their name, phone number, or email address. Cybersecurity leaders at any company need to ensure that they are training their employees to be extra cautious and deliberate in their day-to-day communications, which will in turn help raise awareness and create more proactive security postures.

Mike Laramie, Associate CTO for Security at SADA

The news of recent breaches will hopefully drive faster adoption of cybersecurity best practices at businesses of all sizes. For example, businesses should always encourage their workers to use the passkey authentication method, which is much stronger and much more streamlined than traditional authentication methods. At a minimum, enforcing two-step verification methods is a must-have for any company, whether that be via hardware tokens or push notifications that embrace the FIDO standards. Relying on traditional methods, such as SMS verification and other one-time passcodes, are now proven to be insecure.

Steve Yurko, CEO of apexanalytix

Businesses generally have strong internal cybersecurity practices in place but, despite what they might think, this isn’t enough to keep themselves safe from harm. Organizations are most vulnerable to threats when it comes to their suppliers. Attacks on suppliers can lead to major data breaches that wreak havoc on a company’s operations, finances, brand reputation and customer loyalty – regardless of the internal cybersecurity strategy they have in place. In order to protect themselves, businesses must monitor vulnerabilities throughout the entire supply chain and flag incidents across every supplier. Cybersecurity incidents cause half of all supply chain disruptions, but businesses can manage those risks by monitoring threats and mitigating risks in real-time.

Joshua Aaron, CEO of Aiden Technologies

This year marks the 20th anniversary of National Cybersecurity Awareness Month, which aims to educate people about the value of cybersecurity and encourage good cybersecurity practices among individuals, companies and organizations. Twenty years in, Artificial Intelligence (AI) is changing the way that many organizations operate, especially when it comes to cybersecurity. Because AI is a developing technology and we’re still understanding its capabilities, many IT organizations have hesitated to fully deploy it. However, AI has come a long way since its first incarnations. It now has the potential to offer incredible assistance to IT security teams by helping them reduce the risk of business-critical infrastructure getting compromised via misconfigured software and devices, a core focus of CISA’s cybersecurity framework.

Traditionally, managing the configuration of software and computers is very manual, prone to human error, and slow to execute, especially for overworked IT security teams. The increased use of AI and automation in cyberattacks from misconfigured environments and their improving success rates are proof that traditional methods aren’t working, and we must innovate. AI and automation solutions for keeping computers up to date and in compliance with an organization’s security policy have proven to be extremely effective. IT security teams are able to automatically maintain good cyber hygiene, thus freeing them up to concentrate on higher-visibility, more rewarding projects without fear of the next attack.

In honor of National Cybersecurity Awareness Month, I encourage all organizations to look into how AI can help keep their critical infrastructure more secure and their data safe from threat actors; the SAFETY of our country and our commerce depends on it.

Dylan Border, Director of Cybersecurity at Hyland

Reinforcing what may seem like obvious cybersecurity measures ensures a proactive strategy, but we still see companies ignoring these facts until it’s too late, only starting their commitment to security after a breach or ransomware event occurs.

Even with top talent and tools on hand, foundational processes must be considered to secure your environment, and security is employees’ responsibility. While some may see simple concepts, others may be unaware of often-overlooked security measures. It’s easier than ever to implement table-stakes items, such as monthly security training to ensure best security practices are enacted. Implementing core tactics constantly is a great way to ensure all employees are approaching these concepts from a level playing field.

Role-based training is a great way to ensure that specific training is tailored to employees’ individual roles and responsibilities. While general security awareness training, such as how to spot a phishing email, is relevant and crucial for all employees to complete, some individuals will have even greater access to sensitive data, or control of administrative tasks for critical systems.

This applies to security teams as well. Team members should be experts on the security tools they’re responsible for managing, and if there are gaps in their knowledge, they should undergo deeper training. Something as simple as regularly validating that your endpoint protection, or anti-virus, program is deployed throughout your entire environment can be what it takes to stop a ransomware attack. Build from the basics, and don’t assume you’re covered until you test each of your defenses.