Security Roundup: National Cybersecurity Awareness Month

It’s National Cybersecurity Awareness Month, a time to take stock of the ever-evolving threat landscape and for organizations to examine their cybersecurity postures.

The recent attack on Facebook’s computer network that exposed the personal information of nearly 50 million users is just the latest reminder that cybercriminals are relentless and succeeding. This breach was announced just over a year after last September’s massive Equifax data breach in which attackers stole personal data on 143 million Americans, including names, Social Security and credit card numbers, birthdates and addresses.

Chet Wisniewski, Sophos‘ principal research scientist, tells us the message behind Cybersecurity Awareness Month differs between individuals and consumers.

Sophos’ Chet Wisniewski

“Towards consumers, the message has largely been the same for a long time, having backups and changing your passwords, and keeping your computers up to date,” he said. “But if you look at the business side, I would say that there is a bit more of an evolution every year. I think one of the challenges is most businesses are not focused on security. It’s something they have to do, not something they want to do. Security ends up in most businesses being driven by things being hacked or regulation forcing them to do something.”

Most businesses get a “little too focused” on just the regulatory obligations and they take their eye off the ball and aren’t necessarily staying up to date with what the criminals are doing, Wisniewski said.

“The good news is that usually when there’s a big shift in attack methodology that the criminals are using, there’s a lot of media attention,” he said. “So if you’re smart enough to be paying attention to … what those things are and you start getting yourself prepared for them, you’re probably in a better position and unlikely to be a first victim. But that requires that your staff pay a lot of attention.”

As for the threat landscape, cybercriminals are focusing now more than ever on servers and people, Wisniewski said. People “can’t be patched, and that’s why we see so many phishing emails bringing things like ransomware on the desktops now,” he said.

For the last 10 years, most businesses understood the biggest thing they could do to reduce their risk was to harden the endpoints with next-generation antivirus, more and quicker patching, and getting rid of unnecessary software.

“We actually did a pretty darn good job,” he said.

“What I think we’re not doing well is realizing that if we’re doing a better job and it makes it tougher for the criminals, the criminals are simply going to go where we’re not looking; they’re going to go to the next easiest thing,” Wisniewski said. “If they can’t break in through a browser on the desktop, then it’s natural for the criminals to start looking to places where we’re not securing as well.”

The servers that are being hacked, such as those hosting e-commerce platforms, are in somewhat of a “perpetual status of partial security,” and “while we’ve shortened the time to patch on desktops, we haven’t on the servers,” he said.

“There’s such a fear of breaking reliable process that we just leave them out there partially patched all the time, and we don’t have the same layers of security to detect incidents,” Wisniewski said. “So the server side is really something we’re trying to raise awareness on. For me, it’s trying to get the administrators to recognize that these machines need to have at least the same or more security than the desktop.”

This represents a “huge” opportunity for the channel, especially with disaster-recovery plans and …