We had such an overwhelming response to our first article, which shared industry expert opinions during Cybersecurity Awareness Month, that we’ll be publishing another few articles with more expert insights over the next few weeks.
Following on with the theme “Secure Our World,” this second article will once again explore practical, impactful advice that anyone can apply to safeguard their business, data, and personal lives.
While there’s no single solution to cover all cyber threats, these insights highlight the importance of adopting fundamental cybersecurity practices tailored to your organization’s specific needs. We asked security professionals for their top recommendations on staying secure, and their responses highlight valuable steps that can help build a safer, more resilient digital world.
Nicole Carignan, VP of Strategic Cyber AI at Darktrace
“Both consumers and organizations rely on email as a primary communication tool, so raising awareness of email-based attacks is critical during Cybersecurity Awareness Month. However, despite increasing focus on cybersecurity awareness training, email phishing remains one of the greatest threats to organizations globally.”
In fact, between December 2023 and July 2024, we detected 17.8 million phishing emails across our customer fleet. As the sophistication of phishing attacks continues to grow, organizations cannot rely on employees to be the last line of defense against these attacks. Instead, organizations must use machine learning-powered tools that can understand how their employees interact with their inboxes and build a profile of what activity is normal for users, including their relationships, tone and sentiment, content, when and how they follow or share links, etc. Only then can they accurately recognize suspicious activity that may indicate an attack or business email compromise.
While email has long been the vector of choice for carrying out phishing attacks, threat actors continue to adapt and evolve their tactics to increase the success of these attacks. For example, we’ve seen a rise in the abuse of commonly used services and platforms, including Microsoft Teams and Dropbox, for phishing campaigns in recent months. A proactive security stance that monitors anomalous activity patterns and privileged access paths is essential to stay ahead of these kinds of attacks. Consistent governance spanning all technology portfolios is now table stakes for robust cyber resilience.
The ability of attackers to use generative AI to produce deepfake audio, imagery, and video to deceive employees is another growing concern for organizations during Cybersecurity Awareness Month, as attackers are increasingly using deepfakes to start sophisticated social engineering attacks. Deepfakes are on the rise to facilitate initial access or assist in financial cybercrimes. In response, organizations will need to evolve their security awareness training from a focus on how to “spot” a phishing email to focusing on implementing layered and out-of-band verification practices for IT, help desks, security, and financial activities. In addition, we believe we will see increasing adoption of multi-layered security solutions, including multi-factor authentication, cross-domain visibility, and AI-augmented detection and response to better defend against these attacks.
Justin Kestelyn, Head of Product Marketing and Hacker Community Marketing at Bugcrowd
“Hackers are our best defenders.”
The global hacker community can, in fact, be a massive net positive for those consumers and workers and for the security teams tasked with protecting them. For example, the existence of a chronic talent shortage in the cybersecurity industry has been well documented for years. But that shortage calls the definition of the “talent pool” into question because the reality is that the hacker community is an endlessly elastic source of capacity and skills for augmenting and extending security teams on demand — if you know how to engage in a mutually trusted, productive, and scalable way.
Security leaders who can do that will have access to a “crowd cloud” for meeting almost any security testing requirement, with the results going beyond what automated tools can achieve and with all the utilization benefits of an as-a-service model. That’s a fact deserving more awareness in the security industry!
Kern Smith, VP of Americas at Zimperium
“Digital identity is one of the most valuable assets in corporate IT. Organizations continue to invest in ways to protect their user identity, from multi-factor authentication, rotating and random passwords facilitated by password managers, anti-phishing filters, and user training, to name a few. Attackers continue to innovate with new and novel techniques to ultimately gain access to a user’s identity.”
Increasingly, attackers have shifted their focus to targeting iOS and Android devices, given those devices are typically the nexus of personal and corporate identity. This is because mobile devices are where the multi-factor resides, where users keep their passwords, and where users are much more susceptible to mobile phishing campaigns due to the number of unprotected phishing avenues available to attackers, such as SMS, QR Codes, third-party messaging apps, and more that most organizations have no protections for. This does not even account for the explosion of mobile malware attacks and risks with third-party apps that could expose user credentials on iOS and Android devices.
All of this creates a landscape where the barrier to entry for attackers has lowered, and attacks have skyrocketed. No longer does it take an advanced exploit to gain valuable data, when an attacker can simply send a targeted message or link to gain access to the data they want, either through a simple mishing campaign, off-the-shelf malware, or even abusing vulnerabilities in third-party apps or SDKs.
Organizations must have a strategy to address these challenges. This includes the ability to identify and prevent mobile phishing attacks, detect mobile malware, and identify risks in third-party applications or device configurations that could potentially expose credentials and compromise user identity.
Jose Seara, CEO and founder of DeNexus
“Many companies know they are targets (nobody is immune to cyber attacks), but they rarely know whether they spend enough on cybersecurity and whether their protection efforts are targeted to the right places.”
This year’s theme for Cyber Awareness Month, “Secure Our World,” highlights the need for increased cyber protection in all aspects of our personal and professional digital lives, including industrial systems—the connected equipment and systems that control factory floors in manufacturing, the buildings hosting data centers, power generation sites, electricity distribution networks, or even the tarmacs and boarding areas in airports.
Given the gap in cybersecurity resources and the flattening of cybersecurity budgets, cybersecurity leaders need to take a step back and assess where to allocate scarce resources and limited budgets to achieve the greatest return on investment, which, for cybersecurity, is to reduce the probability of material cyber incidents. This starts by identifying and measuring cyber risks in financial terms, as well as the probability and severity of potential cyber incidents due to weaknesses in cyber defenses.
Philip George, Executive Technical Strategist at InfoSec Global Federal
“Cybersecurity Awareness Month this year comes on the heels of NIST releasing post-quantum encryption standards, which are designed to withstand attacks from cryptographically relevant quantum computers (CRQC).”
For several years, the cybersecurity community and government leaders have been raising awareness around the impending threat of a CRQC and the potential large-scale effort to migrate to quantum-safe encryption, recognizing there is not one area across the information technology domain that does not rely on some aspect of vulnerable classical cryptography.
Therefore, the arrival of the new quantum-safe standards is a pivotal moment. These new ciphers provide the public and private sectors with the ability to establish an effective bulwark against both present day and emerging cryptographic threats, including the prospect of a CRQC.
However, the very first step for any organization is to conduct an automated discovery and inventory of deployed cryptographic assets. This single act provides the foundation for the development of a comprehensive and effective defense-in-depth strategy that aligns with greater efforts like that of zero-trust (ZT) modernization. If an organization has not conducted an automated discovery and inventory scan in lieu of prior manual efforts, it could be implicitly accepting risk that has neither been accurately assessed nor mitigated. This can create scenarios where PQC migration execution is incomplete at best or fails to mitigate an exposed attack surface of a high-value asset.
Once a comprehensive inventory has been achieved, however, organizations will have more insight into how best to approach remediation and decide between a stand-alone effort and incorporating it within existing zero-trust modernization activities. The outcome would be a more informed ZTA plan that ensures quantum-safe cryptography is incorporated into new architecture and tools and enables effective cryptographic posture management.
This leads to the final area of consideration while planning your PQC migration strategy: agility. The concept of cryptographic agility is the ability to implement, update, change, and remove cryptographic functions from systems and applications on demand without changing the systems or applications themselves. By adopting such a model within your PQC migration plan, organizations will ensure future quantum-safe algorithms are easier to adopt and require a dramatically lower level of effort to operationalize. NIST has also initiated a cryptographic agility workstream that seeks to provide guidance and best practices around sound cryptographic agility adoption strategies for departments and agencies.
Migrating to the new post-quantum algorithms will take considerable time and effort. Aligning such activities with similar large-scale modernization efforts like zero trust will be key. This paired approach will ensure that the adoption of ZTA principles won’t be undone by continuing to rely on soon-to-be-deprecated cryptography. Cryptography is the underpinning of Zero Trust, so aligning PQC migration with zero-trust initiatives is imperative.
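The agility and inventory ideas above, as an added Python example that is not from the page or from InfoSec Global: a hypothetical registry of MAC suites with a constructed sample data store. Callers ask the registry for the current suite, each envelope names the suite it used, an inventory pass counts what is actually deployed, and a deprecated suite still verifies old data but can no longer protect new data, so migration is a one-line policy change rather than a change to every caller.

```python
import hmac
import json

# Hypothetical suite registry (constructed for this example): digest name plus whether
# the suite is verify-only. Retiring or adding a suite is a change here, never in callers.
REGISTRY = {
    "hmac-sha1": {"digest": "sha1", "deprecated": True},
    "hmac-sha256": {"digest": "sha256", "deprecated": False},
    "hmac-sha3-256": {"digest": "sha3_256", "deprecated": False},
}
CURRENT = "hmac-sha256"  # policy pointer: flip it to migrate every producer at once
def _envelope(key: bytes, payload: dict, suite: str) -> str:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), REGISTRY[suite]["digest"]).hexdigest()
    return json.dumps({"alg": suite, "body": body, "tag": tag})  # envelope names its suite
def protect(key: bytes, payload: dict, suite: str = "") -> str:
    """Producers call this; they never name a digest themselves."""
    suite = suite or CURRENT
    if REGISTRY[suite]["deprecated"]:
        raise ValueError(f"{suite} is retired for new data")
    return _envelope(key, payload, suite)
def verify(key: bytes, envelope: str) -> tuple:
    env = json.loads(envelope)
    s = REGISTRY.get(env.get("alg"))
    if s is None:
        return False, "unknown suite"
    expected = hmac.new(key, env["body"].encode(), s["digest"]).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(env["tag"]).encode()):
        return False, "bad tag"
    return True, ("deprecated suite, re-protect" if s["deprecated"] else "ok")
def inventory(envelopes) -> dict:
    """Discovery step: count which suites the stored data actually uses."""
    counts: dict = {}
    for e in envelopes:
        alg = json.loads(e).get("alg", "unknown")
        counts[alg] = counts.get(alg, 0) + 1
    return counts
def migrate(key: bytes, envelope: str) -> str:
    """Re-protect under CURRENT anything that only verifies under a deprecated suite."""
    ok, status = verify(key, envelope)
    if not ok:
        raise ValueError(status)
    return envelope if status == "ok" else protect(key, json.loads(json.loads(envelope)["body"]))

KEY = b"constructed-demo-key"  # sample key for the demo only
SAMPLE = [  # constructed pre-migration store: one legacy record, two current ones
    _envelope(KEY, {"user": "alice", "role": "admin"}, "hmac-sha1"),
    protect(KEY, {"user": "bob", "role": "user"}),
    protect(KEY, {"user": "carol", "role": "user"}),
]
```

Running `inventory(SAMPLE)` before and after `migrate` shows the legacy suite disappearing from the store without any producer code changing.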
Kris Bondi, CEO and Co-founder of Mimoto
“Deepfakes and ransom-as-a-service have put sophisticated tools in the hands of unsophisticated bad actors. In the innovation race, bad actors have an advantage because they’re faster to adapt than many organizations.”
The only way to correct course is to focus on the core problems, not only how to improve approaches that are no longer effective. Making a password process more cumbersome doesn’t help if a bad actor comes in through a reverse shell.
To start next month more secure than today, organizations must look at what current vulnerabilities they’re ignoring. Impersonations within their system that aren’t caught and acted upon quickly are a core component of account takeovers, ransomware attacks, data extraction, and insider threats. Coupled with this should be timing and context. This enables companies to respond in real time to a breach before it is weaponized and to know what to prioritize with their likely limited resources. This will enable teams to find and stop what has already gotten into the protected perimeter before the damage is done.
Dan Ortega, Security Strategist at Anomali
“In the Age of AI, it’s all about the data – how you manage it and then take action to protect and drive your business. Unfortunately, many companies don’t have a strong data plan in place; information is coming in too fast, and with the pervasive use of AI, it has accelerated immensely – and as a result, companies tend to manage it in the most expensive, inefficient, complex, and disparate way possible.”
This creates unnecessary risk across all business operations. This includes the way that security teams approach threat intelligence data – which is often siloed and not integrated holistically across all security and IT functions.
This year, for Cybersecurity Awareness Month, I encourage security and IT teams to focus on three key areas. First, audit their Security Operations Center to ensure that the tools in use are providing a truly comprehensive view of the business and encouraging the flow of data across systems (for instance, ensuring that teams or tools don’t silo threat intelligence data and are providing value).
Next, internal processes must be cleaned up to ensure that security technology is being used to solve business challenges, maximize talent capacity, integrate security into business, and simplify underlying processes. Finally, take a hard look at how AI is being used in your organization. Does everyone use whatever version of AI is convenient without oversight from IT? What could possibly go wrong?
Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer at AvePoint
“This coming year, organizations will continue to be challenged with balancing AI innovation with secure implementation – all while navigating an increasingly complex regulatory landscape.”
The market for AI technology is moving incredibly fast, with new open-source tools being created and spread every day. In 2025, global governments will look to increase regulation around AI tools to ensure that the technology is being used ethically and safely by organizations and citizens alike. To prepare for tighter regulations around AI use and creation, security leaders should urgently prioritize the adoption of a comprehensive data strategy, including robust data management, governance, and protection policies. Effective AI implementation is only as good as the quality of data used. Everyone now needs a data strategy for AI use, whether they’re ready to implement the tech company-wide or not.
AI technology has tremendous potential for innovation, optimization, and advancement. However, bad actors will also use these technological advancements to carry out cyber attacks. CISOs and security leaders should keep in mind that security is everyone’s job in the organization. This Cybersecurity Awareness Month, all employees should take the opportunity to educate themselves on how AI is using their data, how the changing regulatory environment will affect their use of the tech, and what cyber threats pose a danger to their teams.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.