This blog from Josh McCloud, Cisco National Cybersecurity Officer in Singapore, is inspired by speakers on Cisco Networking Academy’s #BeCyberSmart broadcast event in June. Time ran out for our speakers to answer the many questions posed by our virtual audience, so here is the promised blog, in recognition of October Cybersecurity Awareness Month.
With the rush to digitization under COVID, when companies and other organizations turned on systems to support employees and business continuity remotely, the security work needed to manage that added complexity was outpaced by the changes being made.
Every day, as part of the Cisco Security and Trust Organization (STO) team, I deal with customers who describe the challenge of having users in different locations working on devices that may be personal or corporate-owned. Those devices connect to assets that may themselves be distributed across different locations. Managing security in this environment is the biggest challenge they face.
Mature organizations realize there is no such thing as a silver bullet in cybersecurity. It starts with leadership, setting the tone from the top and setting budgets to meet the need, and then it is about bringing together people, process, and technology for the right effect.
Some of the processes and technology are incredibly complex: Cisco generates 47 terabytes of data per day just from operations. From that, STO extracts 4 terabytes of logs daily and analyzes them for any signs that something is not right. It is complex, technical work that requires people with a broad range of skills and aptitudes. It can be exciting too.
It is also valuable work; the monetary risks from cybersecurity lapses can be immense. A single attack has been estimated to have cost US$10 billion, a figure subsequently confirmed by Tom Bossert, who was White House Homeland Security Advisor at the time, and in Singapore the cybersecurity risk across the economy is estimated at S$17.7 billion.
But cybersecurity is about more than monetary risk; it is fundamentally about unleashing the power of the internet to change the world for the better. Cybersecurity risks can hinder innovation and digitization and prevent us from pursuing a digital agenda, such as improving wellbeing by enabling doctors to directly monitor patients through home-based or wearable medical devices. These are things that can make people’s lives better, but unaddressed risks around privacy or device security can delay or stall such initiatives.
The majority of our effort should be focused on making things secure by design and secure by default so that regardless of what the user does, sufficient guardrails are in place to maintain a secure state. However, we haven’t yet reached that place of integrated, effortless security and, until we do, it’s worth apportioning part of our efforts to educating users to take more secure actions.
The good news is that you don’t need to be a technical person to be cyber smart. The important thing about cybersecurity is that everyone has a role to play.
Clearly, not everybody can be a cybersecurity expert, but every user does need to be a cybersecurity sentinel — they need to keep their eyes and ears out for things that look suspicious, they need to know where to go if they find something suspicious, and they need to take basic steps to protect themselves when they go online.
This may sound complex, but there are four basic pillars to doing so: secure your accounts; click with caution; keep software up-to-date; and protect your privacy. I presented these in June on the #BeCyberSmart broadcast, but here are some of the basic principles:
1. Secure your accounts
- Use long, randomized passwords of at least 16 characters, and use a different password for each account
- Use a password manager
- Use multi-factor authentication wherever you can
- Use an authenticator app rather than SMS for multi-factor authentication
- Change your password if you suspect you’ve been compromised. Check Have I Been Pwned to see whether your email address has appeared in a known breach, or whether a password you use has been released as part of a hack
- Use random or fake answers for password recovery security questions
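The password advice above is easy to get wrong in one detail: a breach-check service should never receive your actual password. Have I Been Pwned’s Pwned Passwords range API is designed for this, using k-anonymity: you SHA-1 hash the password locally, send only the first 5 hex characters of the hash, and get back every suffix in that range with a breach count, which you match locally. The block below is an added example written for this post, not Cisco’s or Have I Been Pwned’s own code. The range URL and the `SUFFIX:COUNT` response format are the real public API; the response body embedded here is constructed (the first suffix is the genuine remainder of SHA-1("password"), the counts and other lines are made up), so the demo runs offline. It also generates a 20-character password from the operating system’s CSPRNG, the “long, randomized” password the list asks for.

```python
import hashlib
import secrets
import string
import urllib.request

# Real public endpoint; only a 5-hex-char hash prefix is ever appended to it.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def generate_password(length: int = 20) -> str:
    """Return a random password drawn from a CSPRNG (secrets), never random.random."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def split_sha1(password: str) -> tuple:
    """SHA-1 the password locally and split it into the 5-char prefix that is
    sent to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            continue  # tolerate malformed lines instead of crashing
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in breaches, matched locally
    against the already-fetched body for its hash prefix (0 = not found)."""
    _prefix, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live network call (not used by the offline demo below): the only thing
    transmitted is the hash prefix. Add-Padding asks the service to pad the
    response with 0-count entries so the real size of the range is hidden."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the body the service would return for prefix 5BAA6.
# The first suffix is the genuine remainder of SHA-1("password"); the counts
# and the remaining two lines are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0F5CE5C5E9A7F8B2C1D3E4F5A6B7C8D9E0F:0
ABCDEF0123456789ABCDEF0123456789ABC:12
"""


if __name__ == "__main__":
    prefix, _ = split_sha1("password")
    print("prefix sent:", prefix, "| breach count:",
          breach_count("password", SAMPLE_RANGE_5BAA6))
    candidate = generate_password()
    print("generated", len(candidate), "chars | breach count:",
          breach_count(candidate, SAMPLE_RANGE_5BAA6))
    # For a live check, replace SAMPLE_RANGE_5BAA6 with fetch_range(prefix).
```

The point of the split is that a breach check and a credential leak look identical on the wire if you send the plaintext; with the prefix scheme the service learns only that your password hashes into one of several hundred candidates, and the comparison happens on your own machine.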
2. Click with caution
- There’s no simple rule here. You just have to be skeptical. If you doubt the source or plausibility of an email or a link, delete it
- Don’t open attachments at all if you’re not sure, and if you do, never click a button inside the document that offers to enable content, macros, or editing
- Don’t click on links unless you’re certain they’re safe
- There’s a final rule that is a thread in all of these suggestions: When in doubt, throw it out
3. Keep software up-to-date
Keeping software up-to-date is one of the biggest challenges facing the industry, and even organizations can get it wrong.
- On an individual level, if you can, turn on auto update. If you can’t, check for updates regularly, and update as soon as you can
- Don’t forget to check for application updates; being cyber smart is not just about the operating system
4. Protect your privacy
Everyone has a spectrum of risk when it comes to their privacy: some people are happy to share everything about their lives on social media, while others don’t want anything shared about themselves. That’s a matter of personal choice.
But whatever you do, realize that everything that you put online – in one way or another – could be public. Post accordingly.
- Use a VPN when using public WiFi networks such as in cafes or hotels, or use your phone’s mobile hotspot
- Disable WiFi and Bluetooth when you are not using them; a device with them left on keeps broadcasting, which can be used to track you
- Don’t save credit card data online, use your password manager to fill in the details
Following these four basic steps will definitely improve your online experience.
But there is more.
Investing in people and developing cybersecurity skills is the most important issue to address. Buying tools is easy; operating those tools, and integrating them into an organization so that security enables and empowers the business, requires a particular skill set.
Cybersecurity is a broad field. Don’t think that everybody in cybersecurity is reverse-engineering malware or sitting at screens looking for alerts and chasing them down. You can go into the infosec side of the house and focus on governance, policy, putting in place the right architecture, ensuring the right controls are there. It’s a more consultative design-oriented area.
You can go into SecOps, or security operations, where teams do the day-to-day monitoring. They work on threat intelligence, penetration testing, detection engineering, and incident response. You can also focus on less technical aspects such as data protection and privacy, legal and regulatory aspects, or solution sales. There are so many ways you can take cybersecurity skills and bring them into the type of career and the type of work that you like to do.
Whether you want to learn the basics of cybersecurity, or whether you’re interested in a career in this exciting field, I cannot recommend enough the six-hour Introduction to Cybersecurity course on Skills for All with Cisco Networking Academy. I’ve been in cybersecurity for over 20 years, and I wish this were available when I was starting out. It is self-paced and free and gives a great overview of the field — it is much broader than you imagine.
Play your part, #BeCyberSmart, and your online experience will be safer and richer too.