National Cybersecurity Awareness Month is here, and no matter where you are in the world, its message could not be more timely.
From corporate employees to consumers, more and more of our lives are online. Digital transformation has created a world where a distributed workforce is accessing data, applications, and systems from all over the globe using all manner of devices. As 2021 winds to a close, security leaders can look back at a year that saw everything from supply chain attacks to a ransomware infection disrupting an American oil pipeline system. Hovering over this threat landscape is the COVID-19 pandemic, which forced many employees to work remotely and put pressure on organizations to examine and adjust their security strategies to support them.
2021 also saw the continued proliferation of attacks on VPN solutions and cloud infrastructure. While it is tempting for employees to trust their endpoint security solutions to do the trick, the craftiness of attackers does not allow it. Check any data breach, and there is a high likelihood stolen credentials stolen from unsuspecting victims will be involved.
With many employees preferring to work from home, the workforce security teams are tasked with protecting will likely continue to be a hybrid one, and effectively supporting it will require both users and their organizations to do their part.
The Human Firewall
Done right, cybersecurity awareness training turns employees into security multipliers. This effect is often referred to as the human firewall. Erecting these human defenses around your IT environment means identifying the most pressing risks to your organization and establishing a program that communicates the best practices for addressing them. For many organizations, social engineering will be the first topic on this list. Phishing attacks remain a primary tactic for threat actors. All it takes is for users to click on a malicious link sent to them under the guise of a legitimate message, and the countdown until your data is breached has begun.
With more staffers working remotely, organizations must focus their security awareness efforts on training users to identify and deal with suspicious emails. This training should include identifying common indicators of a social engineering attack, such as misspelled words or attempts to create a sense of urgency for the recipient to click a link or download an attachment. Security teams should make sure users know where to report malicious activity. It is important to remember as well that not all social engineering attacks involve emails, so organizations may also want their awareness efforts to involve text messages, social media, and other potential vectors.
Social engineering is often used to compromise credentials, making password management an important line of defense. Organizations and users should ensure they are using strong passwords. The longer the password, the better. Also, limit the number of wrong username and password combinations that can be entered before the user is locked out, and make sure users change passwords periodically and never use the same one on multiple sites.
Passwords, of course, are only one aspect of access control. It is also vital for security leaders to be prepared to support a hybrid workforce that may now have a much larger number of employees accessing systems and data from outside the office. VPN security made its way into the news headlines this year as cybercriminals stepped up attacks against VPN products. For this reason, it is important to perform an assessment of current access policies, make sure the solutions are patched, and ensure they can handle the increased number of remote connections.
It is also vital for security leaders to be prepared to support a hybrid workforce that may now have a much larger number of employees accessing systems and data from outside the office.
VPNs should also be protected using multi-factor authentication (MFA) for an additional layer of security. Enabling MFA helps limit the risk of lateral movement by an attacker that penetrates your network and creates an extra hurdle for them if a user’s credentials are stolen. Whenever possible, MFA should be used to protect access to all critical systems and applications.
It should also be remembered that remote workers may be tempted to use personal devices to access cloud applications and data. If these devices are unmanaged, potential security blind spots could emerge. Organizations should review their Bring-Your-Own-Device (BYOD) strategy and capabilities are sufficient to secure a hybrid workforce.
Do Your Part. Be Cyber Smart.
In the US, the theme of National Cybersecurity Awareness Month calls for users and organizations alike to do their part. Cybersecurity is not a one-person operation; it is a team sport. This month is as good as any to remember that.