Cybersecurity Awareness Month: Keeping the “Funny” out of Cybersecurity

by Micro Focus Employee in CyberRes

It’s October! The days are cooler, the nights are shorter and the light t-shirts and comfy board shorts we’ve been wearing while remote working all summer now need to be replaced with fluffy sweaters and comfy sweat pants. And if it’s October, we also need to mention two certainties: pumpkin spice lattes and Cybersecurity Awareness Month (although, I do believe the pumpkin spice everything might be replaced by French Toast as the flavor du jour for this month, as witnessed by two fast food chains recently hyping their French Toast Sticks – but I digress.) 

Cybersecurity Awareness Month (CSAM) was launched by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security in October 2004 and is an annual campaign to raise awareness about cybersecurity. We take this very seriously. So seriously, that CyberRes, a Micro Focus Line of Business, is a CSAM champion, pledging to help promote a safer, more secure and more trusted Internet and help keep orgs out of the headlines for data breaches.

Keeping out any “Funny Business” from Hackers

As mentioned, we here at CyberRes take cybersecurity very seriously. Data breaches and hacked accounts are not funny business... Oh wait, yes they are! 

Some hacks are just funny with no harm done, like the time someone hacked Google Maps just to show fake traffic jams on the streets of Berlin. Or that time when an official website for the Spanish Prime Minister was hacked to show a picture of beloved funny guy Mr. Bean. Or when fast-food joint Burger King got its Twitter account hacked, and the hackers posted tweets claiming the company had been sold to McDonald’s, and went so far as to change the account’s name and picture to match the legendary golden arches. Then there was that time hackers got into the Deliveroo food app in London and sent out random food orders (okay, maybe the account owners got stuck with the tab, so not so harmless).

Some hacks are just plain weird… or in the category of, who thinks these things up? A good example is when hackers used an internet-connected fish tank to steal data from an unidentified North American casino. And this is just chilling: did you know that thieves can use your smart fridge as a door to your data? (BTW, I thought I saw an article a few years ago that said Beyoncé was hacked via her smart fridge, but apparently that is just an urban legend. But I digress again.)

Then there are just the plain dumb ones, the hacks that, with plain common sense, could have been avoided. I’m looking at you, Lifelock Guy. If that name doesn’t ring any bells, Todd Davis, in his role of CEO for identity theft prevention company Lifelock, famously published his social security number online to tout how secure his company’s products were. He has been hacked 13 times, as of 2018. Then there was the time 25,000 gallons of fuel were stolen from gas stations around Paris because gas station managers didn't change the gas pumps' default password, which was the standard ‘0000’. Hackers were able to use the PIN code to reset fuel prices and remove any fill-up limits.

Then there are the breaches that are just funny-sad: witness Marriott suffers 3rd data breach in four years. ‘Nuff said.

Help is on the Way

Two bills come to mind for helping beleaguered CISOs. One that is making its way through Congress aims to bolster coordination between state and local governments and the Cybersecurity and Infrastructure Security Agency (CISA). A second bill, signed by President Biden, is the Federal Rotational Cyber Workforce Program Act, made to address the talent shortage and skills gap in cybersecurity. This comes on the heels of the one-year anniversary of Biden’s Executive Order on cybersecurity.

At the same time, the “American Data Privacy and Protection Act” or ADPPA is being weighed before Congress. If passed, it would implement a federal data protection standard and get rid of the hodge-podge of disparate data protection laws in a number of US states. Also noteworthy, the Office of Management and Budget just issued guidance to ensure Federal agencies utilize software that has been built following common cybersecurity practices.

In February of 2022, CISA announced a new resource called “Shields Up.” It was designed to warn critical infrastructure operators and other U.S.-based organizations of cybersecurity threats spilling over from overseas nation-states. In August of the same year, CISA created the Joint Cyber Defense Collaborative (JCDC) to fundamentally transform how to reduce cyber risk to our country. They offer free tools and services, including 5 Urgent Cybersecurity Actions for Executives.

How CyberRes Can Help 

Here is some advice for organizations who want to stay out of the headlines for data breaches, funny or otherwise. 

Implement and periodically review access controls. Determine who has access to customer information and, on a regular basis, reconsider whether they still have a legitimate need for it. Our NetIQ solutions secure organizations through a comprehensive set of identity and access services for workforce and customer identities.

Know what data you have and where you have it. A fundamental step to effective data security is understanding your company’s information ecosystem. Conduct a periodic inventory of data, noting where it’s collected, stored, or transmitted. Keep an accurate list of all systems, devices, platforms, and personnel. Design your safeguards to respond with resilience. Our Voltage File Analysis Suite quickly finds sensitive data, classifies high-risk data, and secures data to minimize privacy risk. 

Encrypt customer information on your system at rest, in transit and in use. With the shift to remote working during the pandemic, the need to remotely access business applications and data has accelerated companies' move to the cloud. Data now flows everywhere, which means data protection must be everywhere. Companies can no longer allow users to log into cloud services and access unprotected data. To support the need for greater access to data while protecting it no matter where it resides—on remote worker systems, in cloud storage, or in third-party cloud applications—companies need to adopt modern format-preserving data protection. Voltage SecureData protects data over its entire lifecycle.

Assess your apps. If your company develops its own apps to store, access, or transmit customer information – or if you use third-party apps for those purposes – implement procedures for evaluating their security. Fortify on Demand offers complete AppSec as a Service.

Implement multi-factor authentication for anyone accessing customer information on your system. For multi-factor authentication, the FTC Safeguards Rule requires at least two of these authentication factors: a knowledge factor (for example, a password), a possession factor (for example, a token), and an inherence factor (for example, biometric characteristics). NetIQ Advanced Authentication gives organizations the flexibility they need to tailor the security and the user experience to the level of authentication needed.

Maintain a log of authorized users’ activity and keep an eye out for unauthorized access. Implement procedures and controls to monitor when authorized users are accessing customer information on your system and to detect unauthorized access. CyberRes SecOps solutions such as ArcSight Recon, ArcSight Intelligence and ArcSight Enterprise Security Manager offer proactive threat hunting and threat detection to empower your SecOps teams.

Get Involved for Cybersecurity Awareness Month

There are many ways that individuals can get involved during Cybersecurity Awareness Month, including:

So Happy October, enjoy your pumpkin spice or maple flavored French Toast or whatever else tickles your fancy, in your shorts or your sweats depending on your local climate. But this month, as well as year round, practice good, robust cybersecurity and don’t let your org become a joke in today’s headlines.