In 2004, cybersecurity awareness was still an optional attitude. After 2023, we will probably have to live and breathe it constantly!

In 2004, the President of the United States and Congress declared the month of October to be Cybersecurity Awareness Month, a period of time for the public/private sectors in the United States to work together to raise awareness about the importance of cybersecurity.

This month, the Cybersecurity and Infrastructure Security Agency (CISA) commemorates the 20th anniversary of the campaign — amid a turbulent cyber landscape that even the experts of the day could not have foreseen. This year’s campaign theme is to “Secure Our World”, revolving around four key actions year-round:

Note the keyword “year-round”, which effectively means “every day”. The following key actions are not practices to observe in October 2023 and then, for the remaining months until October 2024, leave to everyone else on the assumption that they are heeding the advice and guidelines.

    1. Use strong passwords
      Following password security best practices is a key discipline, and it has to be enforced every second of the day — assuming passwords will not be obsoleted by much more secure passwordless authentication for another five or more years.

      According to Check Point Research, compromised passwords are responsible for 81% of hacking-related breaches, yet the following ways to protect passwords are not difficult to implement religiously, and they are among the easiest ways to protect your accounts and keep your information safe:

      • Create strong, regularly changed passwords and passphrases
      • Avoid password reuse
      • Use a password manager if necessary
    2. Enable multi-factor authentication (MFA)
      According to Microsoft, enabling MFA can make people 99% less likely to get hacked. Note that not all MFA methods offer the same level of protection. Phishing-resistant MFA is the standard industry leaders should strive for, but any MFA is better than no MFA.

    3. Recognize and report phishing
      Phishing is currently the most common form of cybercrime. If something seems suspicious, trust your instinct. Telltale signs include:

      • Urgent or emotionally appealing language
      • A sense of urgency for you to click on a URL right away
      • Requests to send personal or financial information
      • Unexpected attachments
      • Untrusted shortened URLs
      • Email addresses whose domain names do not match that of the supposed sender

      When encountering a suspicious message, use the “report spam” feature. In cases where the message impersonates an organization you trust, notify that organization using the contact information found on their official website.

      Lastly, delete suspicious messages. Do not reply or click on any attachment or link, including the “unsubscribe” link, which could itself be used for phishing.

    4. Update your software
      Technology providers issue software updates to patch urgent security flaws, and failing to keep system software up-to-date could leave users unprotected.

      What you need to keep up-to-date:

      • Operating System (OS)
      • Web browser and extensions
      • Third-party apps
      • Antivirus protection

      To make these updates more convenient, set up automatic updates so that they are downloaded and installed as soon as they are available. Remember to only download software and apps from verified sources and official app stores. The device, software, or app developer itself should be sending you updates, not anyone else.

They did not have GenAI in 2004

According to Andy Ng, Vice-President and Managing Director (Asia South and Pacific Region), Veritas Technologies, research is showing that cybercriminals will have weaponized operational technology environments to harm or kill humans by 2025.

While this might be mistaken for a science fiction movie plot at first glance, it is plausible with the new cyber threats that are growing in tandem with the advancement in technology. As the use of GenAI gains momentum and becomes ubiquitous, “there is a gnawing fear that it would pose a threat to humanity if it is exploited by bad actors — we are at the stage where we can no longer easily distinguish between the real and false photos, videos or news. Clearly, AI tools will be adopted not only for business efficiencies but also by cybercriminals to increase the scale and sophistication of the cyberattacks.”

Andy Ng, Vice-President and Managing Director (Asia South and Pacific Region), Veritas Technologies

Ng recommends strengthening five corporate strategies to “Secure Our World”:

    1. Limit access to backups and segment your networks: As a starting point, adopting a zero trust mindset is a must. It is critical that only privileged users have access to backups and that remote access is restricted. Different tiers of protection data should have different access permissions and should be air-gapped.
    2. Introduce identity and access management (IAM): Using MFA and role-based access control (RBAC), administrators can determine which users and machines can access specific data and what actions they can and cannot perform. This prevents hackers from using a single credential to take over the system.
    3. Adopt immutable and indelible storage: This backup strategy ensures that your data cannot be changed, encrypted or deleted for a fixed timeframe, or at all, making your data impervious to ransomware infection. You can store immutable data on different mediums, such as purpose-built backup appliances, enterprise disk arrays or the cloud.
    4. Encrypt data in-transit and at-rest: This further ensures that data cannot be compromised within the network, or exploited when hackers or ransomware gain access to it.
    5. Implement security analytics: AI-driven anomaly detection and automated malware scanning can help your IT team monitor and report on system activities to mitigate threats and vulnerabilities. A sophisticated solution, such as the use of autonomous cloud data management, will be able to detect deviations in data access patterns to identify accounts that might be used to run malware and analyse changes in backup attributes to identify the possible subtle signs of intrusion.

With technology forming only part of the equation, it is important for organizations to train their employees regularly on the policies and tools that are deployed, Ng added.

Cybersecurity is super multi-dimensional now

Over at Forrester, Research Director Joseph Blankenship provided the most all-encompassing cybersecurity insight to commemorate the occasion: “Security awareness should be top of mind every day, not just one month out of the year. Many of the devastating breaches we see resulted from phishing and social engineering which took advantage of ‘human’ vulnerability. Let’s reframe the way we think about human risk, shifting from a one-time-a-year conversation to having this be part of our daily activities.”

Compared to the cybersecurity landscapes of 2004 to 2019, which did not factor in an unprecedented extended pandemic or the coming-of-age of GenAI, today’s cybersecurity awareness has to include many more dimensions:

    • Sophisticated insider threats and state-sponsored threats
    • The dilemmas of purchasing and claiming from cyber insurance
    • Social engineering, widespread disinformation/misinformation, personal data collection and usage
    • Supply chain risks and API security
