Editor’s Note: This is your weekly cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive weekly updates here.
While everything’s not coming up roses in cybersecurity land, we might be seeing signs of rosier approaches. In a recent Help Net Security article, author Sai Venkataraman reinforces the importance of building a positive security culture. His perspective is that our shame culture is the biggest roadblock to increasing security posture across industries. He says that a guilt culture and shame are prevalent today, as witnessed by data breach news and companies pointing fingers at recent ransomware attacks. Within organizations, leaders can opt for a different approach — away from scary and shaming tactics — to be more focused on the success of employees’ security posture “through individual, positive changes in behavior.”
Erasing the Stigma of Data Breaches
The shame-and-blame approach is common, echoes Sam Trendall, editor of Public Technology, who states “there is no shame in suffering a cyberattack.” In an opinion piece, he advocates for “a greater culture of openness, including a willingness to share details of attacks and the vulnerabilities exploited, would not only help remove the shame and secrecy that currently accompanies cyber incidents, it would also help bring the perpetrators to justice, and prevent future attacks.”
Could information sharing be a forward-thinking approach for organizations? MJ Shoer, CompTIA’s Information Sharing and Analysis Organization (ISAO) senior vice president and executive director comments in a recent TechRepublic article that “we need to come together if we’re going to gain the upper hand. Shoer says hackers do a phenomenal job of sharing information. “We need to be better than great.” Gartner analyst, John Collins, says more specifically, that issues related to the consumption and management of threat intelligence are valuable.
Cybersecurity Legislation Gaining Support
Meanwhile, new cybersecurity legislation is gaining support, “that would grant liability protections to groups that report breaches, going beyond the existing voluntary standards for reporting that have often hindered the government’s response in recent years,” according to an article in The Hill. The draft bill would require federal agencies, federal contractors, and owners and operators of critical infrastructure to report cybersecurity incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA), reports The Hill’s Maggie Miller.
Sen. Ron Wyden (D-Ore.) comments, “These voluntary approaches that have been pushed for so long have, in my view, so clearly contributed to some of the problems we have now…So we’ve got questions; we are working through them.” This is one of many bills seeing traction; others include bills aimed at securing critical infrastructure against hackers.
Why the Cybersecurity Industry Needs a Fresh Approach
In the Infosecurity Magazine article, Can You Identify and Defend Your Organization’s Crown Jewels, Uri Levy outlines why the cybersecurity industry needs a fresh approach, starting with the visibility into your organization’s system to assess, take inventory, and reduce risk. “You cannot defend what you cannot identify or see. You also cannot protect your assets effectively if you do not have insight into which assets are most valuable,” Levy states. “It is not necessarily how much you are spending but how you choose to spend your cybersecurity budget. Fundamentally, getting it right means having the tools to ensure you can identify and protect your most valuable assets.”
Six Things Small Businesses Can Do to Protect Themselves
Amidst it all, there are six things small businesses need to know about cybersecurity. Rhett Power, who writes about entrepreneurs, offers these tips in a recent Forbes article:
1. You’re not too small to be targeted. Many entrepreneurs, startup founders, and small business owners might think of themselves as minnows compared to Fortune 500 whales. They assume they’re too small to attract the attention of hackers and cyber attackers. But that’s not how bad actors see it.
2. Think of security as a business problem. Security is something that requires 100% investment and effort, not something that can be approached halfway. The truth is that the effects of an attack can be disastrous to any company’s bottom line.
3. It’s not “if,” but “when.” With the growing rate of data breaches, phishing schemes, and other cyberattacks emerging from the coronavirus pandemic, companies can no longer keep their heads buried in the sand. Assume your company will suffer a cyberattack, and remember that the detection and response are just as important as prevention efforts.
4. Identify your most critical assets. Taking a 100% cybersecurity approach might feel overwhelming to small and medium-sized business owners and startup founders, especially because many owners don’t count cybersecurity as a core competency.
5. People are your best asset — and your biggest risk. During the mass exodus out of offices and into remote work, many companies learned that end-point users (their employees) can often be the weakest links in a cyber defense strategy. Hackers will look for entry points in employee IoT devices and unsecured home networks.
6. Don’t forget about physical security. Your company’s culture around security extends beyond its digital footprint. After all, stolen devices have accounted for some of the biggest data breaches and IP theft. As workers return to the office—or even go back and forth between home office and workplace—it’ll be important to properly secure connected devices and other items.
Partner blog post of interest: Splunk: Ransomware Groundhog Day: Elevating Your Program in a High-Threat Environment