Most of us can agree that it was a much simpler time back in 2004. Yet, behind the scenes, the seeds were being planted for the increasingly connected world we live in today.
- In October 2004, there were about 812 million internet users, roughly 12.7% of the world population. That has exponentially risen to 5.54 billion users, a whopping 69% of the world population, in December 2022.
- Remember MySpace? Back in 2004, it had reached a million monthly active users, laying the roots for the raging phenomenon we know today as social media.
- And seeing the increasing prevalence of digital in our lives, along with the inevitable risks that come with it, US Congress deemed the month of October to be known henceforth as Cybersecurity Awareness Month.
Fast forward to today: we’re celebrating this event’s 20th edition, and the values it stood for remain as pertinent as ever. Amid numerous physical conflicts, we often neglect a far more insidious one: us against the seemingly faceless cybercriminals. Data breaches are becoming increasingly commonplace in our world, and the APAC region is turning out to be a prime target.
- The APAC region was targeted in 31% of all cyberattacks in 2022, ahead of Europe (28%) and North America (25%).
- In the first quarter of 2023, the global average number of weekly cyberattacks an organization faced was 1,248. APAC organizations alone, however, faced 1,835 attacks per week, and it gets worse for Indian companies: a staggering 2,108 attacks per week. (Check Point Research)
So how can you as an organization stay vigilant in this vulnerable environment? Well, it all starts with your employees – they’re your first line of defence. As it turns out, a human element is the root cause of 82% of all breaches.
Let’s begin with something we do every day, yet very much take for granted. We eat, we sleep, we (hopefully) shower, we log in by entering our password.
Your employees log onto different accounts daily, and if you’re thinking that them logging onto Instagram, X or their food delivery/grocery apps has no impact on your business, you’re mistaken. Users often resort to the same easily memorable password across platforms, and if cybercriminals get access to your employee’s Insta credentials, they’re a lot closer to tapping into your organizational data.
So how can you avoid this? There are two routes.
Route 1: A strong password policy
Make passwords with at least 12 characters, symbols, numbers, and upper & lowercase letters mandatory. Then, have regular rotation policies for these passwords, with no option to reuse old ones. From your end, have policies that temporarily lock out accounts after a certain number of failed attempts and conduct regular security audits to identify weak or compromised passwords. Ideally, your privileged accounts should have the strongest policies.
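As an added illustration (not code from the original post), here is how the Route 1 rules can be enforced in a small account model: the complexity requirements from the paragraph above, a no-reuse check against previous password hashes, and a temporary lockout after repeated failures. The lockout threshold, lockout duration and history depth are assumed values, since the post gives no numbers, and PBKDF2 is used simply as a placeholder password hash.

```python
import hashlib, hmac, os, re, time

MIN_LENGTH = 12          # page's policy: at least 12 characters
MAX_FAILED = 5           # assumed lockout threshold (the page gives no number)
LOCKOUT_SECONDS = 900    # assumed temporary lockout duration
HISTORY_SIZE = 5         # assumed number of old passwords that may not be reused
# Character classes the page requires; each pattern must match at least once.
REQUIRED = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
            "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}

def policy_violations(password: str) -> list:
    """Return the rules a candidate password breaks (empty list = compliant)."""
    problems = ["length"] if len(password) < MIN_LENGTH else []
    return problems + [name for name, rx in REQUIRED.items() if not re.search(rx, password)]

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever password hash the organisation already uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.history = []          # hashes of previous passwords, newest last
        self.failed = 0
        self.locked_until = 0.0
        if not self.set_password(password):
            raise ValueError("initial password does not meet policy")

    def set_password(self, new: str) -> bool:
        """Apply the complexity rules and the no-reuse rule; True on success."""
        if policy_violations(new):
            return False
        digest = _hash(new, self.salt)
        if any(hmac.compare_digest(digest, old) for old in self.history[-HISTORY_SIZE:]):
            return False
        self.history.append(digest)
        return True

    def login(self, attempt: str, now=None) -> str:
        """Return 'ok', 'denied' or 'locked'; lock out after MAX_FAILED failures."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(_hash(attempt, self.salt), self.history[-1]):
            self.failed = 0
            return "ok"
        self.failed += 1
        if self.failed >= MAX_FAILED:      # temporary lockout, then reset the counter
            self.failed, self.locked_until = 0, now + LOCKOUT_SECONDS
        return "denied"
```

The audit step the paragraph mentions can reuse `policy_violations` over existing accounts to flag passwords that predate the policy.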
Route 2: Incorporate a password manager
This is a software app designed to store & manage your employees’ online credentials, with all their passwords stored in an encrypted database and locked behind a master password. So now, instead of having to remember a multitude of passwords, they just need to remember a single, strong one. This significantly reduces the risk of brute force or dictionary attacks.
So, we’ve got passwords covered, but what if your employee has written it down somewhere like a journal or a spreadsheet and cybercriminals have somehow gained access to this? In isolation, passwords aren’t enough. That’s why we have multi-factor authentication (MFA).
This is an authentication mode requiring users to provide two or more verification factors to gain access to a resource. These include:
- Something you know, like your password
- Something you have, like your smartphone
- Something you are, which incorporates fingerprints and voice recognition
One-time passwords (OTPs) are the most common MFA factor, but cybercriminals are bypassing them with increasing regularity.
Let’s add more factors then?
Nope, it’s not about how many factors you have – it’s the inherent strength of each. Here is a diagram arranging MFA methods from weakest to strongest:
For your organization, you would be better off looking towards the right end of the spectrum. Incorporate phishing-resistant MFAs involving physical passkeys or biometrics to ensure safe authentication for your employees.
This is obviously an investment, so the best way to roll it out in your organization is to start off with privileged accounts that contain your most sensitive data before moving onto the rest. Also, it is imperative to regularly review and update your policies to deal with evolving threats.
Great, so you’ve done everything on your part to ensure a safe login experience for your employees. But that’s only half the job done.
Educate Employees on the Dangers of Phishing.
The phishing scene today isn’t the same one from a decade ago – it has become far more sophisticated. Today’s phishers employ advanced social engineering techniques and impersonate trusted entities with consummate ease. And it’s a bottomless pit once you’re reeled in – phishing serves as a gateway for large-scale data breaches, ransomware attacks and financial fraud.
Since your employees are the targets for this, it is important for them to recognize and report these attempts immediately. Regular phishing awareness training helps with this, and from your end, you can deploy a variety of endpoint security solutions for detection & prevention.
You’ve covered your employees, but now, it’s time to look inward. And the answer is really quite simple.
Update Your Software.
Software vendors often release patches to safeguard their offerings from recent vulnerabilities. But we’re mentally conditioned to press the ‘Update Later’ button whenever a new patch comes about. This can be very dangerous – the duration it takes for you to update is the duration a cybercriminal has to find a way in. Remember, time is an attacker’s friend, so don’t give them any.
Have robust patch management policies that prioritize patches based on criticality, impact, and risk of exploitation. Furthermore, impress real urgency on your employees whenever an update is pending on their systems, such as a firewall or antivirus update.
These are essentially the 4 pegs of this Cybersecurity Awareness Month’s theme to ‘Secure Our World’ – but there’s a lot more you can do to stay ahead of the curve:
- Incorporate a least privilege access model, which limits user rights to the bare minimum necessary to complete job functions. This is increasingly important in an age of remote working and third-party supply chains.
- Use VPNs for your browsing.
- Adopt end-to-end encryption for your emails, a medium which often contains your most sensitive data.
- Go with AI & ML-enabled tools like DLP (data loss prevention) and EDR (endpoint detection & response). The cybercriminals are starting to use malicious AI in their attempts, so it’s only right to fight fire with fire.
We are in an era where data is the most prized asset of any organization. This Cybersecurity Awareness Month, let’s make a pledge to do everything in our power to protect it! Stay vigilant, stay safe.