October 2020 marks the 17th year that National Cybersecurity Awareness Month (NCSAM) has been held, and this year’s theme follows a trend of the Internet of Things (IoT).
Claiming that the month “continues to raise awareness about the importance of cybersecurity” globally, this year’s theme is aimed to encourage individuals and organizations “to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity.”
The first week is following a theme of “If You Connect It, Protect It” aimed at reinforcing the importance of keeping connected devices secure from outside influence as we see the IoT become a more regular part of how we live and work.
Consider that the total number of IoT connections will reach 83 billion by 2024, and just this week, there were fresh reports of flaws in adult connected devices, are we really getting any better? Andrea Carcano is the co-founder of Nozomi Networks, and claimed in the face of a global pandemic, IoT connections are empowering a level of remote work like none before.
“From our own experience, we’ve seen industrial operators go from a single digit percentage of their workforce working remotely, to 52% and higher,” he said. “This deluge of internet-connected devices opens the door to a whole slew of new vulnerabilities and creates a much large attack surface.”
He claimed NCSAM is a good time to remember that it doesn’t have to take a catastrophe to spur change. Also, Greg Foss, senior security strategist at VMware Carbon Black, said the exploitation and resale of direct access into corporate networks is exploding, as attackers leverage modular and increasingly more capable malware to maximize profits. “That is why initiatives like Cybersecurity Awareness Month need to be embraced, to help organizations think about the techniques they need to put in place to combat such attacks.
“For every organization with an advanced security posture and awareness of the vulnerability of connected devices, there will be many more at the infancy of their security journey and therefore lacking this visibility,” he said. “Add to this the fact that recent events have led to millions of people working from home and inadvertently increasing the risk of a cyber-attack targeting their company’s IT network and systems and you will see that there is real cause for concern.”
After all, if IoT devices are connected to a network, it’s a potential new way into that network for an attacker to leverage. “Work devices are connected over the internet to the same wireless system that also connects to their homes’ smart devices, which are particularly vulnerable to cyber attacks,” he said, claiming “our smart homes are a cyber-attack in the waiting.”
"Initiatives like Cybersecurity Awareness Month need to be embraced, to help organizations think about the techniques they need to put in place to combat such attacks"
We’ve seen the likes of smart thermostats, fridges, coffeemakers, and doorbells become part of the standard home these days, and to find multiple connected devices is common beyond the standard mobile devices and smart televisions.
As Foss said, each of these contains a miniature, multi-purpose computer—a circuit board that operates the device. “This tiny computer has the same power and capabilities as a full desktop workstation from a dozen years ago, but is much easier to hack, as it was not designed with strong, configurable security in mind,” he said. Therefore, we fall back on to the theme of connect it and protect it.
Foss recommended ensuring only corporate-approved devices are able to connect in to the enterprise and access corporate resources, while visibility over all ingress and egress points is key, correlating the host, user, and network activities to provide context to events and ensure auditability across a variety of disparate assets.
That is all very well for corporate-owned devices, and for those working in the cybersecurity industry, but what about the average employee and user? Tony Pepper, CEO of Egress, said it comes down to risk appetite for individual users, and when it comes to taking security risks, some people have a “this won’t happen to me” mentality, while others are more cognizant of the risk but a feeling of “I just need to get my job done” prevails.
“Education and awareness, while necessary, will only get you so far with both categories of employees,” he said. “Organizations therefore need to make sure they have appropriate controls in place and, where there’s high risk to sensitive data, are providing a safety net for users that remove any ‘grey areas’ from security decision-making, so it’s not always down to them to make the right choice.”
Ultimately, this month is about raising awareness of the issues, and that is half of the battle. Adam Strange is the global marketing director at Boldon James, commented that the first week of NCSAM is looking at empowering users, and said that employees play a vital role in ensuring the organization maintains a strong data privacy posture.
“Awareness both among businesses themselves and employees that connected devices are not always secure is relatively low and therefore businesses need to tackle this head on,” he claimed, recommending businesses take the upper hand to invest in user training and education programs, and ensuring that a culture of security awareness is present and embedded “into both their actions and the ethos of the business.”
The remaining weeks of NCSAM follow the trend of IoT security, including securing devices at home and work; securing internet-connected devices in healthcare; and the future of connected devices. This all stems back to the central point that if it is to be connected, it needs to be protected.
If the average user is influenced more towards functionality and features over security and privacy, then this month is going the right way to ensuring a change of mentality over connected devices. We have a few more weeks to see if the message continues to be broadcast, and resonate widely.