So what exactly is ‘National Cyber Security Awareness Month’? According to Google, October is also a time to celebrate ‘National Pumpkin Spice Day’, ‘National Walk to a Park Day’ and ‘National Yorkshire Pudding Day’. Whilst we can all be on board with a day dedicated to the humble Yorkshire pudding, is cyber-awareness month just another one of these manufactured marketing ploys to encourage consumers to spend their hard-earned cash? Read on to find out the verdict.
October 2021 marks the 18th year of National Cyber Security Awareness Month. It is an annual initiative which was first launched by the Department of Homeland Security and the National Cyber Security Alliance in America back in 2004. Against the backdrop of a rapidly developing digital world and rising cyber-attacks, they wanted to promote a dedicated month to help raise awareness about the importance of Cyber Security. Fast-forward to 2021, and the NCSAM is a globally recognised event which is used by government bodies, businesses and individuals as an opportunity to improve and strengthen their security practices.
Why do we need ‘Cyber Security Awareness Month’?
Many people rightly question whether we need a dedicated month for cyber-awareness. After all, shouldn’t we be ‘cyber-aware’ for 12 months of the year? Whilst it is true that Cyber Security should be a board level priority all year round, having a dedicated awareness campaign can encourage businesses to ‘look a little deeper’, in order to question, analyse and improve their overall approach to securing their brand.
According to the Cyber Security Breaches Survey 2021, 4 in 10 businesses had suffered a cyber-attack in the past 12 months. Among the 39% of businesses that identified breaches, 21% were impacted financially or lost data or other business assets. This UK Government report not only highlights the undiminished frequency of cyber-attacks during the coronavirus pandemic, it also confirms the need for a ‘National Cyber Security Awareness Month’ as a way of helping businesses build and promote a ‘security-first’ approach to everything they do.
The key themes of Cyber Awareness Month 2021: Do your part, be #CyberSmart
The 2021 theme of NCSAM is ‘Do your part, be #CyberSmart’. But what steps can businesses take to be more cyber-smart when faced with an increasingly volatile threat landscape?
First of all, it is important to nail the Cyber Security basics. All too often, businesses become preoccupied with advanced technical solutions with all the Cyber Security bells and whistles, but if you are not getting the security basics right, your systems are still at risk of an attack. The basic security measures which all businesses need to follow should include:
- Stringent update policies: Having stringent processes in place that require your employees to routinely update devices, browsers and applications.
- Regular backups: Backing up critical files and systems, and storing them in a location physically separate from your corporate network. These backups must be tested to prepare for the worst-case scenario.
- Data cleansing: Removing sensitive data from your internal systems when it is no longer needed; this helps to reduce the impact if you were to suffer a data breach.
- Strong business-wide password protocols: Strong password policies and a password manager are a good way of ensuring that your employees follow security best practice. Password managers help to prevent password reuse and weak passwords, as many have built-in password generators and can provide security reports that identify employees who are not following the policy.
- 2-factor authentication: Using 2-factor authentication for all your critical applications, devices and accounts. This provides an extra layer of protection, so that an attacker who guesses or brute-forces your password still has an additional hurdle to overcome.
- Vulnerability management: Regularly checking your applications for vulnerabilities, and patching them without delay.
Fight the phish
Another finding of the Cyber Security Breaches Survey 2021 is that phishing remains the most common threat vector for businesses in the UK. Of the 4 in 10 businesses which suffered a cyber-attack during 2020/2021, 83% identified phishing as the cause. During the pandemic, the frequency and sophistication of phishing scams sky-rocketed. Unfortunately, the combination of makeshift remote working strategies and an exponential rise in phishing scams was a recipe for disaster for many UK firms.
So how can businesses avoid falling hook, line and sinker for phishing attacks?
Simply hosting an annual security awareness presentation will not sufficiently prepare your workforce for dealing with the barrage of malicious emails which land in their inbox. Awareness training and promoting a ‘security-minded’ culture is something which should be interwoven into your company’s fabric.
The best advice we can give when it comes to reducing the risk of phishing attacks is to train more frequently, and to read your emails carefully for signs that they could be fraudulent. Phishing awareness training exercises should be a regular fixture in your long-term Cyber Security strategy. As the threat landscape evolves, so should your approach to delivering phishing simulation campaigns. These training exercises not only help you identify the human security weaknesses within your organisation; they are also an opportunity to provide comprehensive training to reduce the risk of an employee falling for a scam in a real-life scenario.
Alongside regular awareness training exercises and remaining vigilant, there are additional steps which can help to reduce the risk or impact of a successful breach which are outlined below:
Configure email security settings
Configure your email security settings in order to detect potentially malicious or spoofed emails; this will help to reduce the number of suspicious emails which are successfully delivered.
Use a web filter to help detect and block fraudulent websites.
Enforce a security policy which requires your employees to regularly change their passwords for critical accounts (which should be randomly generated and not easy to brute force).
Using 2-factor authentication helps to prevent bad actors accessing accounts even if they do get access to passwords.
HTML email controls
Convert HTML emails to plain text, block them, or route them to the spam folder. Although businesses may want to use HTML formatting for marketing purposes, HTML emails can easily carry malware, harmful content or mislabelled links.
Use anti-spoofing tools like OnDMARC and OnINBOX to help protect your own domain and help identify emails which are spoofing other domains.
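The anti-spoofing protection those tools manage rests on two DNS records a domain publishes: an SPF record listing which hosts may send as the domain, and a DMARC record telling receivers what to do with mail that fails. The following is an added example written for this post, not code from the original article or from any of the products named above: it parses constructed SPF and DMARC records for the placeholder domain example.com and flags the weak settings (`+all`, `p=none`, a reduced `pct`, a missing reporting address, too many DNS lookups) beside the hardened equivalents. In practice you would fetch the real records with a DNS TXT lookup for the domain and for `_dmarc.<domain>` rather than use the embedded samples.

```python
"""Assess a domain's SPF and DMARC records for weak anti-spoofing settings.

Added example, not part of the original post. The records below are
constructed samples for the placeholder domain example.com; real checks
would fetch TXT records for the domain and for _dmarc.<domain>.
"""
from typing import Dict, List

# Constructed sample records (not real DNS data).
SAMPLE_RECORDS: Dict[str, str] = {
    # Weak: "+all" lets any host send as the domain; p=none only reports.
    "weak_spf": "v=spf1 include:_spf.example.net +all",
    "weak_dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    # Hardened: "-all" rejects unlisted senders; p=reject applied to all mail.
    "strong_spf": "v=spf1 include:_spf.example.net -all",
    "strong_dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com",
}

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into tag=value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> List[str]:
    """Return a list of findings for an SPF record; an empty list means nothing weak was found."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    # The final "all" mechanism decides what happens to senders not listed earlier.
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result, not a failure")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' allows any host to send as this domain")
        elif qualifier == "?":
            findings.append("'?all' is neutral and gives receivers no signal")
        elif qualifier == "~":
            findings.append("'~all' softfail: consider '-all' once all legitimate senders are listed")
    # Too many lookup mechanisms make receivers return permerror, which disables SPF.
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").lower()
        name = name.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceeds the RFC 7208 limit of 10")
    return findings


def assess_dmarc(record: str) -> List[str]:
    """Return a list of findings for a DMARC record; an empty list means nothing weak was found."""
    findings: List[str] = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam rather than being rejected")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy is only applied to {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to reveal unauthorised senders")
    return findings


def assess_domain(spf_record: str, dmarc_record: str) -> Dict[str, List[str]]:
    """Combine both checks into one report keyed by record type."""
    return {"spf": assess_spf(spf_record), "dmarc": assess_dmarc(dmarc_record)}


if __name__ == "__main__":
    for label in ("weak", "strong"):
        report = assess_domain(SAMPLE_RECORDS[f"{label}_spf"], SAMPLE_RECORDS[f"{label}_dmarc"])
        print(f"{label}: {report}")
```

The weak pair produces one finding per record, the hardened pair none. A `p=none` DMARC policy is the usual starting point while aggregate reports are collected, but it offers no protection until it is moved to `quarantine` and then `reject`.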
Network segmentation and access controls
Network segmentation and defined access controls are another important strategic control when it comes to phishing. Whilst this will not prevent an attack, it will reduce the overall damage of a breach if one were to occur. Essentially, by segmenting your network you are reducing your attack surface. It is important to ensure your workforce only have access to the systems and data they need, and to limit the number of administrative privileges within your organisation.
Endpoint protection plays an important role in stopping a successful phishing attack in its tracks. If an unsuspecting employee is duped into clicking on a fraudulent link, endpoint controls can help block malware from being downloaded onto their device or suspicious URLs from being opened.
Remaining cyber-resilient in October and beyond
Whilst we must all do our part to be #CyberSmart for 12 months of the year, National Cyber Security Awareness Month acts as a valuable reminder that we must remain driven by a security-first mindset to stay ahead of the latest threats. However, without an internal Cyber Security expert who can design and implement a successful, future-proof strategy, it can be overwhelming for businesses to stay ahead of the curve when it comes to cyber-attacks. As the industry is faced with a growing skills shortage, it can be difficult to find internal resource with the required skillset or to pay the increasingly high salaries of expert Cyber Security professionals.
Nevertheless, there are ways that businesses can overcome the security skills gap: by working alongside expert Cyber Security partners you can reduce costs, achieve strategic security initiatives and have peace of mind that your business is following security best practice. If your business would like expert advice and guidance on how to strengthen your Cyber Security strategy, please call our office on 0121 663 0055 to speak to an industry expert.