October Is Cybersecurity Awareness Month

October marks National Cybersecurity Awareness Month (NCSAM), a significant initiative launched in 2004 by the U.S. Department of Homeland Security and the National Cyber Security Alliance. The goal? A dedicated month to reinforce the importance of safeguarding our online presence. It began as an American effort, but the message resonated far and wide. Today, numerous countries around the globe have embraced the cause, underscoring that cyber threats don’t recognize borders. It’s a collective call to action, urging individuals and organizations to prioritize online safety, no matter where they’re located. It’s truly a global commitment to cyber resilience.

Jason Dettbarn, Founder & CEO of Addigy; Carl D’Halluin, CTO of Datadobi; Don Boxley, CEO and Co-Founder of DH2i; Seth Blank, CTO of Valimail; Steve Stone, Head of Rubrik Zero Labs; Michael Mestrovich, CISO of Rubrik; and Arvind Nithrakashyap, Co-Founder & CTO of Rubrik, have offered the following thoughts on this important topic:

Jason Dettbarn, Founder & CEO, Addigy

“Cybersecurity has moved from an afterthought to one of the more important decisions in the boardroom, as executives have come to understand the potential scale and impact of attacks. Breaches don’t just cost money – they can debilitate a company.

IT leaders need to ensure they are leveraging the right security processes and tools to maintain compliance vigilance, which includes a layered approach to OS Patching, Application Patching, adhering to Compliance Frameworks, and End-User Authentication Management. The speed and impact of Zero Day vulnerabilities highlight the importance of applying these patches throughout an organization’s entire fleet of devices in a timely fashion. National Cybersecurity Awareness Month serves as a good reminder of this.”

Carl D’Halluin, CTO, Datadobi:

“Cybersecurity Awareness Month is a critical reminder that effective cybersecurity isn’t solely about building higher walls against external threats. It’s equally about understanding and managing the data you already hold within those walls. Illegal and orphaned data are prime examples of internal vulnerabilities that often go overlooked.

The risks of harboring illegal data are multi-faceted, spanning potential legal issues, reputational harm, and increased susceptibility to network compromise due to embedded malware. Orphaned data, often accumulating unnoticed due to employee turnover, can pose governance and compliance risks.

This month-long focus is not just an opportunity but a necessity for organizations to deepen their commitment to employing the necessary methodologies and technologies that enable effective internal data governance and oversight. A proactive, inside-out approach to cybersecurity has never been more crucial.”

Don Boxley, CEO and Co-Founder, DH2i

“Today, cyber threats are escalating into full-blown crises – making Cybersecurity Awareness Month more than just a gentle reminder, but a stark warning that we must urgently overhaul our digital defenses. Gone are the days when established security measures like VPNs sufficed. Hackers are continually advancing, rendering traditional methods increasingly obsolete. Proactive security isn’t an option; it’s an absolute necessity if organizations want to survive into the future.

Software-Defined Perimeters (SDPs) are rapidly gaining prominence as an innovative and intelligent alternative to VPNs. They address and eliminate many traditional VPN vulnerabilities, such as susceptibility to lateral network attacks that could compromise sensitive organizational assets. SDPs simplify the secure connection of network assets across diverse infrastructures—from on-premises to hybrid and multi-cloud setups—and closely align with Zero Trust Network Access (ZTNA) principles. By adhering to the Zero Trust tenet of “never trust, always verify,” SDPs offer stringent security controls at the application level. This ensures that resources like servers, storage units, applications, IoT devices, and users gain access only to the specific data endpoints required for their tasks, thereby eliminating potential vulnerabilities such as lateral movement paths that attackers could exploit.

Let us heed National Cybersecurity Awareness Month as an urgent call to action for adopting next-generation solutions like SDPs and Zero Trust principles. In doing so, we will be equipping organizations and individuals with the robust defenses needed to outpace ever-advancing cyber threats.”

Seth Blank, CTO, Valimail

“October may conjure images of falling leaves and Halloween festivities, but it’s also Cybersecurity Awareness Month—a crucial period that calls for our attention on the increasing threats in the digital landscape. Among these threats, one that’s often pushed to the background but deserves center stage is email security.

Email is the battleground where some of the most sophisticated social engineering attacks, like spear-phishing and whaling, are waged. These attacks exploit human psychology, leveraging the absence of the usual cues we rely on to assess trust—no facial expressions, no tone of voice, just cold text on a screen. You’ve probably been inundated with the same stats again and again, like the fact that 91% of all cyberattacks start with phishing. Or that the FBI has reported $50 billion—with a b—in losses due to business email compromise (BEC). And due to that inundation, it’s easy for some to look at email as an old problem. But those stats show the problem is not just as bad as it’s ever been; it’s getting worse. Much, much worse.

The bottom line is that even if the stats have become easy to ignore—the problem is real, and one misstep can wreak havoc. This Cybersecurity Awareness Month, don’t just scroll past the warnings—take them to heart. Beef up your email security, or get ready for a world of hurt. The ball is in your court, and it’s ticking.”

Steve Stone, Head of Rubrik Zero Labs:

“Artificial Intelligence, in particular generative AI (GAI), has dominated cybersecurity discussions in 2023. As we look at how we can think of this technology in the context of Cybersecurity Awareness Month, there are three topics worth our time.

First, GAI can demonstrably increase the capability and bandwidth of defense teams which are typically operating at beyond capacity.  We should seek out the right types of automation and support GAI lends itself well to so we can then reinvest the precious few cycles we have in our defense experts.  Let’s provide those skilled practitioners the ability to leverage their capabilities in the most impactful ways and transition years of legacy workflow to increased automation delivered via GAI.

Second, what are the inevitable shifts in defense needed as threats pivot to using GAI as well? Traditionally, cybersecurity has leaned on attacker bottlenecks in our defensive posture. At a minimum, we used these bottlenecks to classify threat types based on resourcing and capability. GAI is undoubtedly going to shift these years-long expectations. If any attacker can quickly use GAI to overcome language limitations, coding gaps in knowledge, or quickly understand technical nuances in a victim environment, what do we need to do differently? We should work to be ahead of these pivots and find the new bottlenecks.

Third, GAI doesn’t come with a zero cost to cybersecurity.  Even if we move past using GAI, the presence of GAI leaves us with two new distinct data elements to secure.  The first is the GAI model itself, which is nothing more than data and code.  Second, the source material for a GAI model should be secured as well.  If the model and underlying data are left undefended, we could lose these tools or have them leveraged against us in different ways all without our knowledge.”

Michael Mestrovich, CISO, Rubrik:

“Monetization of data theft drives the cyber crime business. Modern cybercrime revolves around stealing data from organizations or denying them access to critical data. It is imperative that we maintain a security-first corporate culture and that a security mindset permeates everything that we do.  

So how do we achieve this? A culture change starts with simple behavior shifts. When you walk away from your computer, do you lock it? When you’re using your laptop in public, do you have a screen guard on? When entering corporate buildings do you badge in and make sure no one is tailgating you? These sound like small things, but they are the practical day-to-day activities that people need to understand that help cultivate a security-first culture.”

Arvind Nithrakashyap, Co-Founder & CTO, Rubrik

“On the occasion of the 20th Cybersecurity Awareness Month in 2023, it’s interesting to reflect on all that has changed in cybersecurity over the last two decades, as well as the surprising number of things that haven’t changed.

Let’s start with three dramatic differences.

1.   The mobile revolution. The iPhone wasn’t introduced until 2007. Today, there are more than 4.6 billion smartphones worldwide, according to Statista. Add the more than 14.4 billion Internet of Things devices – connected cars, smart appliances, smart city technologies, intelligent healthcare monitors, etc. – and you have a threat landscape that few could have imagined 20 years ago. 

2.   Digital payments. The growing popularity of digital payments over cash is not only changing how people interact with money, it has opened up new opportunities for phishing scams, card information theft, and payment fraud. And, cryptocurrency, which didn’t exist until the late 00s, accounts for the vast majority of payments to ransomware attackers.

3.   AI. Everyone is talking about artificial intelligence in 2023, but that wasn’t the case two decades ago. Now, AI is giving cybercriminals a powerful new tool to execute attacks while also turning out to be an effective weapon against hackers. 

And yet the more things change, the more they remain the same. Three examples:

1.   On prem data. Despite the rise of cloud computing, many companies continue to house critical data in their own private databases and servers. This means protecting on-prem data remains, then as now, a key part of the security equation.

2.   Public infrastructure. “By exploiting vulnerabilities in our cyber systems, an organized attack may endanger the security of our nation’s critical infrastructures,” said the White House’s “National Strategy to Secure Cyberspace” in 2003. The nation still worries a great deal today about how to defend energy systems, dams, and other assets from cyberattack.

3.   Security infrastructure. The cybersecurity industry used to focus on infrastructure security solutions involving the network, the applications, the end points, the cloud, the logs, etc. It still does. Those solutions remain core to a solid security strategy, though there is growing awareness that newer data security frameworks like Zero Trust are needed for fully realized defenses.

Viewed another way, much of the language one hears to describe the importance of data – “crown jewels,” “an organization’s most precious resource,” and the like – has changed little over the last 20 years. That’s because it’s still so true. Data is everything.”

Anurag Gurtu, Co-Founder & CPO, StrikeReady

Phishing remains a relentless and highly effective cybersecurity threat. Despite advances in security technology and increased awareness, attackers continue to exploit human vulnerabilities through deceptive emails and messages. Organizations must recognize that their staff can be the first line of defense against phishing attempts. Investing in comprehensive cybersecurity training programs that teach employees to recognize and report phishing emails is essential. Additionally, implementing advanced email security solutions that can identify and block phishing attempts in real-time can significantly reduce the risk associated with this prevalent threat.
