Cybersecurity should be a concern for all businesses — large and
small. Cybersecurity also should be a concern for consumers, government agencies, and basically anyone who relies on the Internet in our increasingly connected world.
To cite two high-profile examples of mass cybercrime, some 3 billion Yahoo accounts were hacked in 2016, and 412 million Friendfinder accounts were compromised in 2017, according to cybersecurity research firm
Varonis.
The average cost of a malware attack was US$2.4 million, while the cost in lost time averaged 50 days, the firm found. Even more worrisome, the average cost of global cybercrime increased by 27 percent in 2017, with ransomware costs exceeding $5 billion that year — 15 times higher than ransomware costs just two years previously.
The problem is that far too many people still disregard the threats.
“Yes, we should definitely be thinking about cybersecurity all the time,” said Elad Shapria, head of research at cybersecurity firm
Panorays.
“We should be thinking about it at least as often as we use our
smartphones, computers, and any devices that connect to the Internet,
which is pretty much every minute of the day,” he told TechNewsWorld.
“But because connecting to the Internet and sharing data is so much a
part of our lives, we tend to push their ramifications to the back of
our minds.”
Building Awareness
Fortunately there are efforts to focus attention on the threatscape in the hope that knowing truly is half the battle. A spotlight will shine on many of those efforts in October, which is
National Cyber Security Awareness Month, or NCSAM. The
National Cyber Security Division of the Department of Homeland
Security and the nonprofit National Cyber Security Alliance joined to designate the month as a way to raise awareness about the importance of cybersecurity.
NCSAM first launched in 2004 as a part of a broad effort to educate
Americans and help them stay safe and secure online. Initial
efforts touted simple things people could do, such as keeping
antivirus programs up to date. The goal was to remind consumers
to do cybersecurity updates in October — similar to remembering to change
batteries in a smoke detector when they set their clocks back in fall or
forward in spring.
“It grew out of the earlier awareness efforts by NCSA, working in
conjunction with industry and government partners,” said Kelvin
Coleman, executive director of
NCSA.
In more recent years the efforts have expanded, and since 2009 the
month has included the overall theme, “Our Shared Responsibility,” to reflect how everyone — from large companies to individual
computer users — plays a role in securing digital assets.
“We want people to understand that cybersecurity is a shared
responsibility, because what we do online can affect others,” Coleman
told TechNewsWorld.
“When that employee opens a bad link on their office email, it could
have wider repercussions for the company and put everyone at risk,” he
added.
“We have found that this ongoing outreach to various target audiences
really works well,” said Coleman. “In addition to sharing information
with the media, we disseminate materials and resources via our
partners, who represent industry, government, small and mid-sized businesses and academia, so our message is spread widely through various channels, reaching a broad
group.”
Increasing Awareness
For 2019 the overarching message of NCSAM is “Own IT. Secure IT.
Protect IT.” The goal this year is to focus on key areas related to citizen privacy, consumer devices, and e-commerce security.
“It’s important to designate times, such as National Cybersecurity
Awareness Month, to remind ourselves what we are facing and how we can
be vigilant,” said Panorays’ Shapria.
“One significant problem is that we keep seeing devastating
third-party data breaches,” he noted.
These attacks can often occur when hackers target vendors with the
goal of accessing the data of the large companies the vendors are
connected to or otherwise work with.
“We saw this happen this year with Wipro, Evite and AMCA — and such
cyber incidents can result in lost consumer confidence and loyalty,
costly regulatory penalties for the companies, and even bankruptcy,”
warned Shapria.
What shouldn’t be part of the solution is the assumption that
employees at any level understand the threat. This all too often can
lead to lax security behaviors.
“What is obvious is usually subjective. Businesses must recognize
that employee awareness and training for cybersecurity threats is a
key part of how they can mitigate the inadvertent or deliberate
employee breach,” said Justin Fox, director of DevOps engineering at
NuData Security, a Mastercard company.
“Employees need to be trained on what security warnings are legitimate
warnings they should care about, versus ads that look like a warning,”
he told TechNewsWorld.
“Employees need to understand how the business has implemented their
security protocols and [be educated] in some of the most common
messages they may receive from security software,” Fox added. “Then
they’re likely to understand how to respond to threats correctly.”
Shared Data, Shared Responsibly
The daily sharing of data has complicated matters when it comes
to cybersecurity. In addition to worrying about protecting their own data, everyone now must trust every company, vendor, client, employer and employee to protect their data as well.
“Businesses need to be aware that when they hire and share data with
vendors, they are greatly increasing the risk of being breached
through those vendors,” suggested Panorays’ Shapria.
Companies must thoroughly assess and
continuously monitor their vendors’ cyber posture with the same
diligence that they monitor their own computers, networks and systems.
Simply put, everyone needs to recognize the severity of the ongoing threat.
“Consumers need to be aware so that they can understand what companies
are doing with their data and demand stronger controls,” said Shapria.
“C-level execs need to be aware since security directly affects the
cost of doing business, while employees need to be aware so that they
don’t expose their companies to cyber risk,” he added. “Developers
need to be aware so that they can program solutions that are secure,
and network administrators need to be aware so they can safeguard
their companies and customer data.”
Failure to Act
The costs of failure to heed warnings can be massive — not only in
dollars but in wasted time, lost productivity, and even the social
stigma that can accompany hacks. Cities such as Baltimore and
Atlanta, companies such as Target and Yahoo, and even government
agencies such as the Office of Personnel Management have had to
respond to significant cyberattacks.
The danger is getting so bad that eventually the Internet, which has
become the glue that holds the connected world together, could fail to
the point that it couldn’t be trusted.
“Who is going to want to use [the Internet] if all your records
become open fodder and can be so easily accessed by hackers?” pondered
Daniel M. Gerstein, Ph.D., senior policy researcher at the
RAND Corporation.
“If we can’t get our act together and truly address this issue, the
current Internet could eventually become little more than a simple
sharing platform for information,” he told TechNewsWorld.
The Internet may not go away, but if data isn’t secure there could
be a future when it is relied on only for streaming Netflix and looking up facts on Wikipedia. That scenario might seem extreme, but the Web
could be just one major breach away from a breaking point.
“We need to be serious about security, and there are ways to protect
it, but right now the average consumer basically could become road kill on the information superhighway,” warned Gerstein.
There’s hope that persistent awareness-raising efforts will pay off.
“We have found that this ongoing outreach to various target audiences
really works well,” said NCSA’s Coleman. “In addition to sharing
information with the media, we disseminate materials and resources via
our partners, who represent industry, government, SMBs and academia,
so our message is spread widely through various channels, reaching a
broad group.”
Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.
Email Peter.