
An Interview on Prioritizing Cybersecurity Awareness

Business leaders face more urgency around cybersecurity than ever before, and that demand will only grow as digital transformation progresses across industries, from enterprises to SMBs. For National Cybersecurity Awareness Month, we sat down with TenFour Business Analyst Oluwatayo (Tayo) Adekanye to talk about the current cybersecurity landscape, essential awareness skills, and best practices that every business should be implementing.

Tayo works within TenFour’s Product Management team to build, maintain, and enhance organizational processes around various networking and communications services. He holds a master’s degree in engineering management and recently completed a post-graduate certification program in cybersecurity with Simplilearn, featuring curriculum from MIT SCC, EC-Council, Certified Ethical Hacking, and CompTIA Security+.

Q: Given your experience in business technology and your knowledge of security, what insights can you share with us on how to be more cyber aware in today’s digital world?

Tayo: General security awareness seems so simple, but it’s extremely important. Take, for example, simple actions like not using the same password for different websites and never using easily crackable passwords. I read a stat recently that claimed there are about 3 billion passwords on the dark web that have already been hacked. If you think about that, considering there are less than 5 billion internet users worldwide, 3 billion is a lot of passwords.

Cybersecurity awareness starts with the basics—the things we can control, like what passwords we create for our devices. It also ensures employees know the common mistakes that lead to breaches. First, it’s important to make sure that you don’t use passwords that can be easily cracked. Second, try as much as possible to use different passwords for different platforms. For example, your password to access your work email shouldn’t be the same as your password to access your personal email or any other accounts, such as social media. Those are the little mistakes that hackers can use to socially engineer people to crack passwords and gain access to important information.

Q: Maintaining several complex passwords for all the devices and platforms we use seems so daunting. How can we build stronger passwords and actually remember them?

Tayo: People tend to use very simple passwords, like the numbers 123456, or many people use their birthdays or the names of their kids. These can be relatively easy to figure out by a very good hacker who does their homework.

One way to build difficult passwords is to use acronyms for sayings or songs. For example, take the song “I Have a Dream.” A password from that song can be IHaDr, taking the first letters of each word in the song title or verse. Then add a random number that could be anything from the model number of your laptop, the model year of your first car, or the model of your grandma’s first typewriter. Something that’s a bit harder to figure out than your birthday.

There are different password-generating mechanisms available, and there are also some password managers that you can use. Software applications can help you generate passwords and store them in a secure place. I’m personally not too comfortable with those options because they usually generate random combinations of letters and numbers, which can be hard to memorize, and I like to know all of my passwords by memory. But there are tools available for anyone who wants to better secure their information.

Too many people don’t pay enough attention to security tools like passwords, which is part of why we get so many cybersecurity incidents. According to an IBM report, 95% of cybersecurity incidents are due to human error. So, really, humans are the weakest link in cybersecurity. That tells us how important it is to make sure we’re always aware of security challenges and the actions we need to take to ensure our systems, networks, and devices are secure.

Q: Is cybersecurity just as important for SMBs as it is for enterprises?

Tayo: Yes, there’s been an increase in ransomware attacks in the last year, and many of them have targeted small to medium-sized companies. Just like large enterprises, it’s important for companies like ours—as we fall into that category—to make sure that our systems are secure and our applications and software are updated when patches are released.

One of the reasons that software companies like Microsoft release patches is to fix bugs. And some of those bugs are security related; so a patch is released that addresses the flaw or vulnerability in your system. That’s why it’s very important that, when we see those patch updates, we take the time to make sure that our systems are up to date. The same thing is true for your iPhones and Android phones. Many of the updates that are released include security patches that address discovered vulnerabilities to make our phones more secure.

Of course, you can’t stop all hackers from doing what hackers will do. The best you can do is to control what you have power over and always be security conscious. You can control your passwords and how you assign them to different platforms. You can control whether your systems and devices are up to date when patches and updates are released. And to some extent, you can influence the security awareness of your coworkers and employees as well as the overall security posture of your organization.

Q: In terms of controlling employee cyber awareness, should those who don’t work in technical roles still be trained in cybersecurity?

Tayo: Yes, because cybersecurity involves people, processes, and technology. There are non-technical aspects of cybersecurity such as understanding the basic threats to your devices and systems and how to prevent those threats from becoming an attack. Additionally, employees in non-technical roles may have access to and work with a company’s proprietary data. Anyone with authorized access to data (technical and non-technical) needs to have basic awareness of the importance of securing those assets.

Furthermore, hackers make use of malware that infiltrates point A when the real target is point C in the network. Point A could be an email to a non-technical employee with a phishing link. If that link is clicked, the malware gains access to the network and works its way to point C, encrypting all the company files and potentially becoming a ransomware attack. Regardless of role, all employees should have the basic cybersecurity awareness to know not to click unfamiliar links and to report links they don’t recognize as spam.

Q: What additional general awareness skills are essential besides knowing about password strength and phishing attempts?

Tayo: Another part of being cybersecurity aware is knowing about social engineering. I saw this incident that happened recently at Kanye West's listening party in Atlanta, where someone used social engineering to hack the security system and get into the event. Not only was he able to get into the event unauthorized, but he was able to get very close to Kanye at center stage and take a picture. Afterward, he posted on social media about how he was able to bypass the security protocols that were put in place for that event by using Photoshop to create and print an ID that disguised himself as a photographer. He was then able to get through all access points, breaking all of the security protocols without the security staff knowing.

Now that’s just a physical example of a security breach. A similar thing happens in cybersecurity. Hackers track a target, go through their social media profile, and gather as much information as possible about them. If the hacker’s lucky, that person shares a lot on social media and they can gather a lot of information. Then they use that information to try to break into that person’s systems or even their company’s system.

There have been a couple of cases like that in the news, where hackers were able to gather information on a target through social engineering and use it to get into their systems and do damage. So it’s really important that we are aware of these tactics as well. Again, you can’t always stop hackers from doing what they will do, but we can all practice good cyber hygiene.

Q: Why do you think there’s been such an increase in cybersecurity incidents over the years? It seems to keep getting more and more prevalent. Is it indicative of companies not prioritizing cybersecurity, or are there not enough cybersecurity experts in the workforce?

Tayo: Incidents have increased due to the increase in technology products available today, some of which are novel. IoT devices are embedded with sensors, software, and other technologies that connect and exchange data over the internet. These products undergo security testing before release, but sometimes companies prioritize certain features that pose higher security risks with the plan to release software patches and updates for future bugs and vulnerabilities. In other cases, users simply don’t operate the devices properly, which creates room for attack. And hackers keep finding new ways to attack systems and compromise networks.

Companies do take cybersecurity seriously now, more than ever, especially considering current data and privacy regulations. A company found negligent in the event of a significant breach not only suffers reputational damage but financial loss as well. This has motivated a shift with more organizations including cybersecurity as part of their business objectives at an organizational level and not just something the IT department handles.

The increases we’ve seen in cyber incidents have been across industries, but it’s even happening in the interactions between countries. A lot of countries are moving away from physical conflict toward cyber conflict. And with the May 2021 Executive Order on Improving the Nation’s Cybersecurity, the U.S. government realizes they need to reinforce the protection of critical infrastructure and government networks underlying the economy and way of life. This initiative should spark a deeper interest in cybersecurity and investment in the education and training of cybersecurity professionals. The goal is to have enough trained professionals, policies, and technology to adequately minimize threats and significantly reduce the frequency of cyberattacks within the next three to five years.

We need cybersecurity professionals to combat the new threats and challenges that will emerge in the next couple of years, as we now live in a world where threat actors realize that if you can damage a country’s critical infrastructure through cybersecurity, maybe crippling the economy for a couple of hours, it can create a huge impact without firing any bullets or dropping any bombs. This implies that any national or regional cyberattack can have significant effects on businesses and everyday life.

Q: There were a few big security breaches in the news this year, like the Colonial Pipeline and JBS Foods. Do you think a lack of emphasis on cybersecurity is to blame for these?

Tayo: It’s tough to say a lack of emphasis on cybersecurity is to blame because we don’t have all the details and information about the attacks. I think with breaches like the Colonial Pipeline, because it’s so important to the critical infrastructure of the country, it becomes a very high target for attack for both state actors and hacking syndicates. Since the pipeline is so significant, the hackers know they might be able to get ransomware in the event of an attack.

Through modern digital transformation, industrial systems have now been integrated into networks with internet connectivity and then interconnected with other systems. With that comes increased security challenges, because once you start to connect a device or system to the internet or a different network, you automatically open it up to new vulnerabilities and threats that you may not have been fully prepared for.

Another reason for these breaches could be that hackers thought to attack organizations whose main focus might not be cybersecurity. We could assume the Colonial Pipeline’s main concern is getting fuel products from one destination to the other, considering the high dependency on their products and the need to ensure economic and day to day life is not disrupted. A company like JBS is focused on food safety, supply chain, and inventory.

In fairness to the victims of security breaches, sometimes there’s very little that could have been done to prevent the attack. It could be the attackers used superior tools to carry out the attack, or maybe the vulnerability wasn’t due to negligence or error on the victim’s part. It is now best industry practice to assume an attack will happen. In the event an attack happens, organizations need to have a disaster recovery plan ready to quickly redirect resources to restoring systems and data. This disaster recovery plan should be embedded in the organization’s business continuity plan.

Q: Regardless of industry or company size, what action items should companies prioritize to protect against security breaches and potential ransomware attacks?

Tayo: I can narrow it down to three things. Like we said earlier, 95% of cybersecurity breaches are down to human error. It’s incredibly hard to completely mitigate against human error, but the first thing you can do is have security awareness training for all staff. I would suggest training every quarter but, depending on the department, it could be every month.

Secondly, always test your systems for vulnerabilities. This could be done every day or every month depending on the policy of the company. Whatever the frequency, make sure you’re regularly testing your systems and keeping them up to date. If any vulnerabilities are found, make sure you address them as soon as possible.

The third action item is making security part of your organizational strategy. One of today’s biggest assets is data. You want to make sure that your data is always secure, and ensure the data that is meant to be private always stays private. Instill checks, balances, and controls to make sure systems and data are always secure. Most importantly, this has to be pushed from an executive level in the organization and not just from the IT department.

As hackers become more and more advanced, you don’t want to leave any room for an event to happen. However, if an attack does occur, having a disaster recovery plan will help to ensure business operations can continue at optimum levels. Even with an IT department that has internal controls and trainings, everyone within a company needs to do their part. It’s far better to prevent an incident altogether than to try to stop an attack once it’s already begun.

All things considered, general but effective cybersecurity awareness really is about the basics: strong, unique passwords; prompt patching; recognizing phishing and social engineering; and a recovery plan for when prevention fails. We all need to stay vigilant and keep abreast of the cybersecurity environment. In the fight to keep your company safe and secure, have you implemented the following action items?

  1. Conduct general security awareness training for all employees on a quarterly basis.
  2. Regularly test your systems for vulnerabilities and keep them updated.
  3. Make cybersecurity part of your organizational strategy at the executive level.
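Two of the password points raised in the interview, that billions of breached passwords are circulating and that one password should never serve several accounts, can be checked mechanically rather than left to memory. The following is an added example written for this page, not code from TenFour or from the interviewee. It models the k-anonymity range lookup used by breach-check services such as Have I Been Pwned's Pwned Passwords API (hash the password with SHA-1, send only the first five hex characters, compare the returned suffixes locally so the full hash never leaves the machine) against a constructed breach list, and it groups accounts that share a password. Every password and account name below is made up; a real check would query a live corpus and the passwords would come from a password manager export, not a dictionary in source.

```python
"""Offline credential-hygiene check: flags passwords present in a breach
corpus and passwords reused across accounts.  Added example; the breach
list and the account/password pairs are constructed, not real data."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a leaked-password corpus (real ones hold billions).
BREACHED_PASSWORDS = ["123456", "password", "qwerty", "iloveyou", "letmein"]

# Constructed sample of one user's credentials: account name -> password.
SAMPLE_CREDENTIALS = {
    "work-email": "Summer2021!",
    "personal-email": "Summer2021!",
    "social-media": "123456",
    "bank": "Th3-Gr@ndma-Typewr1ter-1957",
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the encoding the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords):
    """Bucket breached hashes by their 5-character prefix, mirroring how the
    range API serves them: the client sends only the prefix and compares the
    returned 35-character suffixes locally."""
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def is_breached(password: str, index) -> bool:
    """True if the password's hash suffix appears in its prefix bucket."""
    digest = sha1_hex(password)
    return digest[5:] in index.get(digest[:5], set())


def find_reuse(credentials):
    """Return sorted groups of accounts that share one password.  Grouping is
    done on the hash so no plaintext is carried into the report."""
    by_hash = defaultdict(list)
    for account, pw in credentials.items():
        by_hash[sha1_hex(pw)].append(account)
    return sorted(sorted(accts) for accts in by_hash.values() if len(accts) > 1)


def audit(credentials, index):
    """Per-account findings: whether the password is in the breach corpus and
    which other accounts share it."""
    shared_with = {}
    for group in find_reuse(credentials):
        for acct in group:
            shared_with[acct] = [a for a in group if a != acct]
    return {
        acct: {"breached": is_breached(pw, index),
               "shared_with": shared_with.get(acct, [])}
        for acct, pw in credentials.items()
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_CREDENTIALS, build_breach_index(BREACHED_PASSWORDS))
    for acct, f in findings.items():
        print(f"{acct:15} breached={f['breached']!s:5} shared_with={f['shared_with']}")
```

Run as-is, the script reports the social-media account as breached and the two email accounts as sharing a password, while the long passphrase passes both checks. Because the comparison happens on hash suffixes under a prefix bucket, the same code shape works against the live range API by replacing the constructed index with the suffix list returned for that prefix.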

Copyright © 2021 TenFour | Written by Laura Ambrosio | Photo by Matthew Henry
