4 Key Takeaways From Cybersecurity Awareness Month
At the conclusion of the 20th annual Cybersecurity Awareness Month, we bring you a summary of the most important learnings and trends. Spearheaded by the Cybersecurity and Infrastructure Security Agency (CISA), the theme this year was ‘Secure Our World’.
We look at the cyber security skills gap, the most prolific forms of cyber-attack, key learnings from recent breaches, and what IT teams are doing about stretched budgets. Not least, we focus on workforce education and how to empower teams to adopt the right cyber security hygiene and strengthen your firm’s security posture.
1. Cybersecurity Skills Gap Widens to 3.4 Million
The International Information System Security Certification Consortium (ISC2) found that the global cybersecurity workforce gap grew by 26.2% in 2022. If you are struggling to find enough skilled cybersecurity staff to shore up your defences, this will come as no surprise. The pressure shows up in any number of ways: not enough time for proper risk assessment and management, critical systems taking longer to patch, or no resource left over to train staff.
Whatever issue is keeping you awake at night, there remains a worldwide gap of 3.4 million cybersecurity workers left to fill – with the global cybersecurity workforce estimated at around 4.7 million.
We expect larger firms to struggle to hire enough specialists for the in-house roles they need over the next 12 months, with UK companies competing for an estimated workforce of 339,145 cybersecurity workers. Small to mid-sized companies will feel the crunch just as hard, facing the dual challenge of competing for talent on stretched budgets while having no dedicated heads to manage their cyber security posture.
In keeping with Cybersecurity Awareness Month’s focus on education, start by promoting cross-training among your existing team members, encouraging them to broaden their skill sets and close knowledge gaps. You could also partner with universities and technical training programmes, or encourage staff to obtain relevant certifications – but this takes time you may not have.
If you’re looking for a more scalable, immediate approach, investigate how managed security services can help you pinpoint the areas of highest risk. You won’t be able to plug every hole yourself, and threats today are often highly sophisticated. We already have reports of capital markets firms being hit by dedicated teams of commercial hackers working in a professionalised shadow ransomware industry. Each firm has its own needs and budget – but the data shows that we’re all facing increasingly organised and credible threats.
2. Phishing Remains the Most Prolific Form of Attack
CISA released a report this year stating that over 90% of successful cyber-attacks begin with a phishing email: whether that is an attempt to harvest credentials through a fake login portal (credential phishing), a targeted lure sent to employees in payroll or accounting (spear phishing), or an email impersonating the CEO. The statistic is not surprising, but it gives IT leads hard evidence for any internal stakeholders who still need convincing that the budget should increase.
Recent industry figures put credential phishing at 71% of all advanced attacks, and that share is only likely to grow. Malicious use of generative AI is making fraudulent emails harder to tell from legitimate ones, and multimodal models that generate voice and video as well as text are now reaching the market, so impersonation over phone and video calls is a vector many firms are not yet prepared for.
One effective measure is to automate the monitoring and detection of suspicious activity in your Microsoft 365 tenant. That means alerting on signals of potentially threatening scenarios, including:
- Sign-ins from unfamiliar locations or devices.
- Sign-ins from blocklisted IP addresses or known-bad ranges.
- Unexpected new or modified inbox (Outlook) rules, a common way attackers hide their activity after compromising a mailbox.
- Multiple failed sign-in attempts within a short window (password spraying or brute force).
- Anomalous sign-in times, such as late-night or weekend logins for employees who work 9-to-5.
- Frequent password reset requests, often alongside the failed sign-in attempts above.
- Unexpected changes to user permissions or role membership, especially admin roles.
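As an added example (not code from the article or from Doherty Associates), the following Python runs the signals above over a handful of constructed Microsoft 365 sign-in and audit records. The field names are a simplified subset of the Microsoft Graph sign-in schema; the known-country baseline, working hours, IP blocklist, failure threshold and the sample records themselves are assumptions made for illustration. In a real tenant the same rules would be fed from the Entra ID sign-in logs and the unified audit log, or built as analytics rules in whatever SIEM you already run.

```python
"""Added example (not from the original article): a small detection pass over
constructed Microsoft 365 sign-in and audit records implementing the signals
listed above. Baselines, thresholds, blocklist and records are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# --- assumed tenant baseline / policy -------------------------------------
KNOWN_COUNTRIES = {"alice@example.com": {"GB"}, "bob@example.com": {"GB"}}
OFFICE_HOURS_USERS = {"alice@example.com", "bob@example.com"}   # 9-to-5 staff
WORK_START, WORK_END = 7, 19                  # hours, UTC, Mon-Fri (assumed)
BLOCKLIST = [ipaddress.ip_network("198.51.100.0/24")]  # constructed bad range
FAILED_THRESHOLD, FAILED_WINDOW = 5, timedelta(minutes=10)
SENSITIVE_OPS = {"New-InboxRule": "inbox_rule_change",
                 "Set-InboxRule": "inbox_rule_change",
                 "Add member to role": "role_change"}

# --- constructed sample records (simplified Graph signIns / audit fields) --
# errorCode 0 = success, 50126 = invalid username or password
SIGNINS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2023-10-30T08:55:00Z",
     "ipAddress": "203.0.113.10", "countryOrRegion": "GB", "errorCode": 0},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2023-10-30T23:40:00Z",
     "ipAddress": "198.51.100.7", "countryOrRegion": "NG", "errorCode": 0},
] + [
    {"userPrincipalName": "bob@example.com", "createdDateTime": f"2023-10-31T02:0{m}:00Z",
     "ipAddress": "192.0.2.44", "countryOrRegion": "GB", "errorCode": 50126}
    for m in range(5)                         # five failures, 02:00 to 02:04
] + [
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2023-10-31T02:06:00Z",
     "ipAddress": "192.0.2.44", "countryOrRegion": "GB", "errorCode": 0},
]
AUDITS = [
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2023-10-30T23:45:00Z",
     "operation": "New-InboxRule", "detail": "MoveToFolder=RSS Feeds; DeleteMessage=True"},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2023-10-31T09:10:00Z",
     "operation": "Add member to role", "detail": "Global Administrator"},
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_blocklisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKLIST)


def off_hours(ts):
    """Weekend, or outside WORK_START..WORK_END on a weekday."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def detect_signins(signins):
    """Return (rule, user, detail) tuples for the sign-in based signals."""
    alerts, failures = [], defaultdict(list)
    for rec in sorted(signins, key=lambda r: r["createdDateTime"]):
        user, ip = rec["userPrincipalName"], rec["ipAddress"]
        ts = parse_ts(rec["createdDateTime"])
        if is_blocklisted(ip):
            alerts.append(("blocklisted_ip", user, ip))
        if rec["errorCode"] != 0:
            # sliding window of recent failures per user; fire once when it fills
            failures[user] = [t for t in failures[user] + [ts] if ts - t <= FAILED_WINDOW]
            if len(failures[user]) == FAILED_THRESHOLD:
                alerts.append(("failed_login_burst", user,
                               f"{FAILED_THRESHOLD} failures in {FAILED_WINDOW}"))
            continue
        if rec["countryOrRegion"] not in KNOWN_COUNTRIES.get(user, set()):
            alerts.append(("unfamiliar_location", user, f"{rec['countryOrRegion']} from {ip}"))
        if user in OFFICE_HOURS_USERS and off_hours(ts):
            alerts.append(("off_hours_login", user, ts.isoformat()))
    return alerts


def detect_audit(audits):
    """Inbox-rule and role changes are worth a look whoever made them."""
    return [(SENSITIVE_OPS[r["operation"]], r["userPrincipalName"], r["detail"])
            for r in audits if r["operation"] in SENSITIVE_OPS]


def run_detections(signins=SIGNINS, audits=AUDITS):
    return detect_signins(signins) + detect_audit(audits)


if __name__ == "__main__":
    for rule, user, detail in run_detections():
        print(f"[{rule}] {user}: {detail}")
```

Two details are deliberate. Failed attempts are not checked against the location baseline, so a password spray from abroad is reported once by the burst rule rather than once per attempt, and the burst rule fires when the window first fills rather than on every later failure, so one spray produces one alert. In the sample, Alice's late-night sign-in from an unfamiliar country on a blocklisted address, followed minutes later by a new inbox rule that deletes mail, is the classic account-takeover sequence the list above is meant to catch.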
If your IT department does not have the automation capability in-house, or the capacity to take on a project of this size alongside the day job, you may need a Managed Security Services Provider (MSSP) that can set up, tune and monitor these detections 24/7, so that suspicious activity is caught and acted on before it becomes a breach.
Awareness and training are routine parts of maintaining your security posture, and exactly the kind of routine that gets pushed aside when people have other things on their plate. Here are some common signs of a malicious email that you can share with your team as a primer on phishing attempts:
- Sender addresses that are subtly misspelled or use a lookalike domain (check the actual address, not just the display name).
- Poorly written or badly formatted text, or a message that does not render correctly.
- Pressure to click a link, particularly where the visible link text does not match the destination shown when you hover over it.
- Unfamiliar web addresses behind links to supposedly familiar sites.
- Unusual information requests, such as asking for your home address together with your username and password.
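Several of these signs can also be checked mechanically before a message reaches an inbox. The Python below is an added example (not part of the original post) that parses a constructed phishing sample and flags a lookalike sender domain, a link whose visible text disagrees with its real target, and a request for credentials together with a home address. The trusted-domain list, the homoglyph table and the sample message are assumptions, and the registrable-domain helper is deliberately crude.

```python
"""Added example (not from the original article): automated checks for three of
the signs listed above. Trusted domains, homoglyphs and sample are constructed."""
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = sorted({"example.com", "microsoft.com", "microsoftonline.com"})  # assumed
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]  # common letter swaps
SENSITIVE_TERMS = ("password", "username", "home address")

# Constructed phishing sample: lookalike sender domain, link text that really
# points at a raw IP address, and a request for credentials plus home address.
SAMPLE = """\
From: "Microsoft 365 Support" <support@rnicrosoft-login.com>
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your mailbox is full. Confirm your username, password and home address to keep access.</p>
<p><a href="http://198.51.100.7/login">https://login.microsoftonline.com</a></p>
<p><a href="https://example.com/it-help">Contact IT</a></p>
</body></html>
"""

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    # crude "last two labels" rule (assumption; real code would use the public-suffix list)
    return ".".join(host.lower().rsplit(".", 2)[-2:])

def lookalike_domain(domain):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    d = registrable(domain)
    if d in TRUSTED_DOMAINS:
        return None
    folded = d
    for src, dst in HOMOGLYPHS:          # rnicrosoft -> microsoft, micros0ft -> microsoft
        folded = folded.replace(src, dst)
    first = folded.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if folded == trusted or levenshtein(first, brand) <= 1 or brand in first.split("-"):
            return trusted
    return None

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html_body):
    """Links whose visible text looks like a URL or domain but leads somewhere else."""
    parser = LinkCollector()
    parser.feed(html_body)
    found = []
    for href, text in parser.links:
        if " " in text or "." not in text:
            continue                      # ordinary wording such as "Contact IT"
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        target = urlparse(href).hostname
        if shown and target and registrable(shown) != registrable(target):
            found.append((text, href))
    return found

def check_message(raw):
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2]
    if (hit := lookalike_domain(sender_domain)):
        findings.append(f"sender domain {sender_domain} resembles {hit}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for text, href in mismatched_links(body):
        findings.append(f"link text {text!r} actually points to {href}")
    lowered = body.lower()
    asked = [t for t in SENSITIVE_TERMS if t in lowered]
    if len(asked) >= 2:                   # one term alone is normal business mail
        findings.append("asks for " + ", ".join(asked))
    return findings

if __name__ == "__main__":
    print(*check_message(SAMPLE), sep="\n")
```

The sender check compares the registrable domain of the real address, not the display name, because the display name is whatever the attacker typed. The link check only fires when the visible text itself looks like a domain or URL; a mismatch between "Contact IT" and its target is not evidence of anything, whereas a visible `login.microsoftonline.com` that resolves to a bare IP address is.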
3. Breaches – Fail to Prepare, Prepare to Fail
2023 is already the worst year on record for data breaches, with two months still to go: the Identity Theft Resource Center (ITRC) counted 2,116 reported data breaches and leaks in the first nine months of 2023, more than in any previous full year. As the saying goes, an ounce of prevention is worth a pound of cure, and to prepare we recommend regularly exposing your people to simulated social engineering of the same quality a real attacker would use.
This not only keeps employees current on the techniques attackers use to exploit their behaviour – it also gives you data on how well your security awareness programme is performing, which you can track as a Key Risk Indicator. For more on this, our CISO, Alex Bransome, has pulled together his thoughts on the top areas leaders should prioritise to build a strong defence.
You can reduce the odds significantly, but a breach is always possible. When it happens, move fast. Contain the affected systems to limit the damage, but preserve evidence (logs, mailbox audit data, disk images) before anything is wiped or rebuilt, so your response team can establish how the attacker got in, what they accessed and how long they were present. Clear communication with staff, customers and, where required, regulators matters as much as the technical work. A post-incident review then identifies the gaps and feeds back into your controls, and staying current with threat intelligence helps you spot the next attempt earlier.
4. Cybersecurity Budgets Shrink
2022 and 2023 have been tough years for IT departments, forcing us to navigate a market where cutbacks are increasingly common. In fact, nearly half (47%) of respondents to another ISC2 study said they had experienced cyber-related cutbacks in the past year, including layoffs, budget cuts, and hiring or promotion freezes.
This has compounded the skills gap described above. The C-suite knows that a reduced cyber budget means increased cyber risk – with all the financial and reputational damage that follows – but short-term economic pressure often wins that argument. The two are linked, and it should not take a breach to make that clear.
If you’re one of the many people struggling to make resources last following a cyber budget cut, our advice is to build a ‘human firewall’. Ensure your workforce understands how cyberattacks work and the mechanisms bad actors use to target your business: phishing, malware, ransomware and other forms of attack.
To turn your staff into an effective line of defence against the common methods of attack, pair regular security awareness training with a simulated phishing platform, and track click rates and reporting rates over time so you can see whether the training is working.
Looking Forward to Next Year
Cybersecurity Awareness Month may be behind us, but the lessons learned should influence our actions throughout the rest of the year and into 2024.
Leveraging the expertise of a reliable partner like an MSP or IT services provider can be a game-changer, especially for IT professionals at smaller firms. They can help you implement advanced security measures and manage your cybersecurity efficiently, lightening your load and allowing you to focus on other critical areas of your role. An outsourced provider also brings valuable knowledge and experience of other firms facing challenges just like you.
Our team at Doherty Associates is committed to supporting firms wherever they are in their cybersecurity journey. Our award-winning Managed Security Services empower our clients to shore up their cyber defences and respond to threats at speed. Get in touch today to learn how we can help safeguard your digital infrastructure.
If you’d like to read more great sources of information on Cybersecurity Awareness Month and the state of play in the market at the moment, then we can recommend the resources below:
Posted: 02 November 2023