Expert Commentary: Cybersecurity Awareness Month (October)
October 2024 by Experts
Cybersecurity Awareness Month is arguably the most important tech event of the year. It’s a time for individuals and organizations to work together to raise awareness about the importance of cybersecurity. By committing to proactive measures, together we can secure the digital landscape and foster a safer, more protected future for everyone. In honor of Cybersecurity Awareness Month, we’ve gathered insights from over 20 cybersecurity experts. Their advice and encouragement will help both organizations and individuals stay vigilant and prepared against cyberthreats.
Justin Kestelyn, Head of Product Marketing and Hacker Community Marketing, Bugcrowd
Hackers Are Our Best Defenders
This year, Cybersecurity Awareness Month is incredibly relevant for consumers and workers who need to be vigilant about the constant barrage of phishing and data breach risk.
The global hacker community can in fact be a massive net positive for those consumers and workers, and for the security teams tasked with protecting them. For example, the existence of a chronic talent shortage in the cybersecurity industry has been well documented for years. But that shortage calls the definition of the "talent pool" into question, because the reality is that the hacker community is an endlessly elastic source of capacity and skills for augmenting and extending security teams on demand — if you know how to engage in a mutually trusted, productive, and scalable way.
Security leaders who can do that will have access to a "crowd cloud" for meeting almost any security testing requirement, with the results going beyond what automated tools can achieve and with all the utilization benefits of an as-a-service model. That’s a fact deserving more awareness in the security industry!
Kern Smith, VP Americas – Zimperium
Digital identity is one of the most valuable assets in corporate IT. Organizations continue to invest in ways to protect their user identity, from multi-factor authentication, rotating and random passwords facilitated by password managers, and anti-phishing filters and user training, to name a few, and attackers continue to innovate with new and novel techniques to ultimately gain access to a user's identity.
Increasingly, attackers have shifted their focus to targeting iOS and Android devices, given those devices are typically the nexus of personal and corporate identity. This is because mobile devices are where the multi-factor resides, where users keep their passwords, and where users are much more susceptible to mobile phishing campaigns due to the number of unprotected phishing avenues available to attackers, such as SMS, QR codes, third-party messaging apps, and more, that most organizations have no protections for. This does not even account for the explosion of mobile malware attacks and risks with third-party apps that could expose user credentials on iOS and Android devices.
All of this creates a landscape where the barrier to entry for attackers has lowered, and attacks have skyrocketed. No longer does it take an advanced exploit to gain valuable data, when an attacker can simply send a targeted message or link to gain access to the data they want, either through a simple Mishing campaign, off-the-shelf malware, or even abusing vulnerabilities in third-party apps or SDKs.
It is essential that organizations have a strategy to address these challenges. This includes the ability to identify and prevent mobile phishing attacks, detect mobile malware, and identify risks in third-party applications or device configurations that could potentially expose credentials and compromise user identity.
Omri Weinberg, Co-Founder and CRO - DoControl
As we kick off Cybersecurity Awareness Month, the theme "Secure Our World" feels especially timely. In today’s hyper-connected digital landscape, securing our world means securing our data - and that’s becoming increasingly complex as organizations rapidly adopt cloud and SaaS technologies. But it’s not just about corporate responsibility; individuals play a crucial role too.
The shift to remote and hybrid work has dramatically expanded the use of SaaS applications, creating new security blind spots and risks. Employees are sharing, accessing, and storing sensitive data across dozens of cloud apps, often without proper oversight. This "SaaS sprawl" has made it incredibly challenging for security teams to maintain visibility and control.
What’s more, the lines between personal and professional digital lives are blurring. Even something as simple as a social media post can open up an individual - and by extension, their organization - to potential attacks. Cybercriminals are increasingly sophisticated in how they use publicly available information for social engineering and targeted phishing attempts.
It is vital to have a comprehensive approach to SaaS security, coupled with ongoing employee education. It’s not enough to just focus on network perimeters or endpoints anymore. Organizations need granular visibility into user activities, data flows, and third-party app connections across their entire SaaS ecosystem. And employees need to understand how their online actions can impact overall security.
Securing our world in 2024 and beyond requires a mindset shift. We need to move beyond the old "castle and moat" security model to one that embraces Zero Trust principles, continuous monitoring, and individual accountability. Every access request, every data transfer, every third-party integration - and yes, even every social media post - needs to be approached with security in mind.
This Cybersecurity Awareness Month, I encourage organizations to take a hard look at their SaaS security posture and their employee education programs. Do you have full visibility into how your sensitive data is being accessed and shared across cloud apps? Are you able to detect and respond to insider threats or compromised accounts in real-time? Can you automatically enforce consistent security policies across your entire SaaS ecosystem? And crucially, do your employees understand their role in maintaining security?
By focusing on these areas, implementing robust SaaS Security Posture Management, and fostering a culture of security awareness at all levels, we can take meaningful steps towards truly securing our digital world. The threats may be evolving, but with the right approach, tools, and collective responsibility, we can stay one step ahead.
Jose Seara, CEO and founder - DeNexus
Many companies know they are targets (nobody is immune to cyber attacks), but they rarely know whether they spend enough on cybersecurity and whether their protection efforts are targeted to the right places.
This year’s theme for Cyber Awareness Month, "Secure Our World," highlights the need for increased cyber protection in all aspects of our personal and professional digital lives, including industrial systems—the connected equipment and systems that control factory floors in manufacturing, the buildings hosting data centers, power generation sites, electricity distribution networks, or even the tarmacs and boarding areas in airports.
Given the gap in cybersecurity resources and the flattening of cybersecurity budgets, cybersecurity leaders need to take a step back and assess where to allocate scarce resources and limited budgets to achieve the greatest return on investment, which, for cybersecurity, is to reduce the probability of material cyber incidents. This starts by identifying and measuring cyber risks in financial terms, the probability and severity of potential cyber incidents due to weaknesses in cyber defenses.
Philip George, Executive Technical Strategist, InfoSec Global Federal
Cybersecurity Awareness Month this year comes on the heels of NIST releasing post-quantum encryption standards, which are designed to withstand attacks from cryptographically relevant quantum computers (CRQC). For several years, the cybersecurity community and government leaders have been raising awareness around the impending threat of a CRQC and the potential large-scale effort to migrate to quantum safe encryption, recognizing there is not one area across the information technology domain that does not rely on some aspect of vulnerable classical cryptography. Therefore, the arrival of the new quantum safe standards is a pivotal moment. These new ciphers provide public and private sectors with the ability to establish an effective bulwark against both present-day and emerging cryptographic threats, including the prospect of a CRQC.
But the very first step for any organization is to conduct an automated discovery and inventory of deployed cryptographic assets. This single act provides the foundation for the development of a comprehensive and effective defense in-depth strategy that aligns with larger efforts like that of zero-trust (ZT) modernization. If an organization has not conducted an automated discovery and inventory scan in lieu of prior manual efforts, they could be implicitly accepting risk that has neither been accurately assessed nor mitigated. This can create scenarios where PQC migration execution is incomplete at best or fails to mitigate an exposed attack surface of a high value asset.
Once a comprehensive inventory has been achieved, however, organizations will have more insight into how best to approach remediation and decide between a stand-alone effort and incorporating it within existing zero-trust modernization activities. The outcome would be a more informed ZTA plan that ensures quantum safe cryptography is incorporated into new architecture and tools and enables effective cryptographic posture management.
Which leads into the final area of consideration while planning your PQC migration strategy: agility. The concept of cryptographic agility is the ability to implement, update, change, and remove cryptographic functions from systems and applications on demand, without changing the systems or applications themselves. By adopting such a model within your PQC migration plan, organizations will ensure future quantum safe algorithms are easier to adopt and require a dramatically lower level of effort to operationalize. NIST has also initiated a cryptographic agility workstream that seeks to provide guidance and best practices around sound cryptographic agility adoption strategies for departments and agencies.
Migrating to the new post quantum algorithms will take considerable time and effort. Aligning such activities with similar large scale modernization efforts like zero-trust will be key. This paired approach will ensure that the adoption of ZTA principles won’t be undone by continuing to rely on soon to be deprecated cryptography. Cryptography is the underpinning of Zero Trust, so aligning PQC migration with Zero Trust initiatives is imperative.
Dan Ortega, Security Strategist, Anomali
In the Age of AI – it’s all about the data – how you manage it, and then action it to protect and drive your business. Unfortunately, many companies don’t have a strong data plan in place; information is coming in too fast, and with the pervasive use of AI, it has accelerated immensely – and as a result, companies tend to manage it in the most expensive, inefficient, complex, and disparate way possible. This creates unnecessary risk across all business operations. This includes the way that security teams approach threat intelligence data – which is often siloed and not integrated holistically across all security and IT functions.
This year, for Cybersecurity Awareness Month – I encourage security and IT teams to focus on three key areas: 1) auditing their Security Operations Center – to ensure that the tools in use are providing a truly comprehensive view of the business, and encouraging the flow of data across systems (e.g. ensuring that teams or tools don’t silo threat intelligence data and that it is providing value), 2) cleaning up internal processes to ensure that security technology is being used to solve business challenges, maximize talent capacity, integrate security into business and simplify underlying processes, and 3) taking a hard look at how AI is being used in your organization. Does everyone use whatever version of AI is convenient without oversight from IT? What could possibly go wrong?
Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer, AvePoint
This coming year, organizations will continue to be challenged with balancing AI innovation with secure implementation – all while navigating an increasingly complex regulatory landscape. The market for AI technology is moving incredibly fast, with new open-source tools being created and spread every day. In 2025, global governments will look to increase regulation around AI tools, to ensure that the technology is being used ethically and safely by organizations and citizens alike. To prepare for tighter regulations around AI use and creation, security leaders should urgently prioritize the adoption of a comprehensive data strategy, including robust data management, governance, and protection policies. Effective AI implementation is only as good as the quality of data used – everyone now needs a data strategy for AI use, whether they’re ready to implement the tech company-wide or not.
AI technology has tremendous potential to be used for innovation, optimization and advancement – but on the other side of the coin, bad actors will also be using these tech advancements to carry out cyber-attacks. CISOs and security leaders should keep in mind that security is everyone’s job in the organization. This Cybersecurity Awareness Month, all employees should take the opportunity to educate themselves on how AI is using their data, how the changing regulatory environment will affect their use of the tech, and what cyberthreats pose danger to their teams.
Jason Scott, CISO, Sectigo
According to a study conducted by the A. James Clark School of Engineering at the University of Maryland, there are more than 2,200 cyberattacks per day, which equates to one attack every 39 seconds. This means that we have around 800,000 cyberattacks per year. To put this in relative terms, there were only 11 major battles during the Vietnam War and 20 major battles during World War II, both lasting multiple years. Obviously, there were many more minor skirmishes unaccounted for. Still, the point is that we are being (cyber) attacked daily with no pauses or time to recover. It has become cliché, but the statement still holds: "we have to get it right 100% of the time, but the adversaries only have to get it right once".
Getting it right matters. Cybercrime is predicted to cost the world $9.5 trillion in 2024 and the global average cost of a data breach in 2023 was $4.45 million per incident, a 15% increase from the previous three years. If we don’t get it right, not only does the business lose, but as we all know, costs are passed onto the consumer or taxpayer when governments are involved.
We must be vigilant in our cybersecurity journey and can’t afford to get the basics wrong. The basics are those core IT and security functions that must be done in every organization regardless of size and budget. Some include using strong passwords stored in fully encrypted password managers, using multi-factor authentication on all applications, rigorous anti-phishing training, and ensuring software and systems are patched.
These "basics" sound simple and are not difficult to implement, but we (IT, Security teams, and the Business) routinely fail at it. We tend to focus on the fancy new tool, the shiny new dashboard, quarterly profits, or even the latest analytical application. Yes, these are important and have their place, but we should ensure we have the "basics" down to protect the business so it can focus on profit and growth. Using patching as an example, if we can patch our prioritized vulnerabilities promptly, we reduce our threat landscape, which, in turn, offers attackers fewer doors and windows into our environment. The term may seem a little dated, but defense in depth is a solid method used to defend our often-porous environments. Using multiple levels of security, such as strong passwords, multi-factor authentication, resilience training, and patching strategies, makes it harder for threat actors, so they tend to move to another target with weaker defenses.
Dena Bauckman, Senior Vice President of Product, Sectigo
In the 21st year of the Annual Cybersecurity Month, I can’t help but think that the themes for this year seem to be the same ones we have been talking about for years: use strong passwords and a password manager, turn on multifactor authentication, recognize and report phishing, and update software. So why, after all these years, are we still having to remind everyone to do these? I am convinced that in both our personal and professional lives, we are all trying to move so fast that we don’t do the simple things we know we should. These four themes are basic security measures, but they do take time to implement. I was once told that "sometimes you need to slow down to speed up", and I think that is the case here. Taking the time to set up a password manager, creating strong and unique passwords across all accounts, and combining that with multifactor authentication (MFA) on all systems would greatly reduce the compromised accounts that are part of so many attacks. With AI improving the effectiveness of phishing emails, we all need to slow down and think about who is sending us an email and why. And with the constant release of new software updates, we need to take the time to implement the updates and, wherever possible, automate the updates. If we can slow down long enough to implement these basic themes, we can go faster by spending less time recovering from cybersecurity attacks that should never have happened.
John Anthony Smith, CSO and founder - Conversant Group
At the start of 2024, the Identity Theft Resource Center (ITRC) reported a 490% increase in data breaches in the first half of the year compared to the same period in the previous year. As the frequency of attacks continues to rise year over year, the focus must shift from "what if it happens" to "how do we respond when it happens". While awareness and breach resistance are important when it comes to cyber-attacks, recovery is even more critical.
In an increasingly digital world, robust recovery capabilities are not just a safety net but a strategic advantage and a tactical MUST. The actions taken before [survivable, usable, and timely recoverable backups] and after [verified, tested, and readied brownfield recovery] a breach are what truly matter to reduce the costliest impacts—business interruption. By taking thoughtful and decisive steps, you can regain control and minimize damage and business disruption. Here are some proactive steps to consider:
Assess your recovery capabilities for survivability, usability, and timely recovery against the technical realities of threat actor behavior [what they are willing and able to do]
Ready your environment for secure brownfield recovery, and test it often!
Create a detailed incident response plan that outlines the steps to take immediately after a breach and test it!
Invest and constantly realign recovery and resistance capabilities to what threat actors can, will, and are doing [in breach].
Ready your incident response partners: know your contacts, know their processes, have the contract pre-negotiated, incorporate them into your IR plan, and test your interactions with and through them.
Organizations deserve the peace of mind that comes with assured recovery when the breach occurs. By investing in an assured recovery program that prioritizes resiliency and recovery, organizations not only take a proactive approach to cyber protection, but also gain a competitive edge. This approach ensures business continuity, minimizes downtime, and protects valuable data and assets.
Kris Bondi, CEO and Co-founder - Mimoto
Deepfakes and ransom-as-a-service have put sophisticated tools in the hands of unsophisticated bad actors. In the innovation race, bad actors have an advantage because they’re faster to adapt than many organizations. The only way to course correct is to focus on the core problems, not only how to improve approaches that are no longer effective. Making a password process more cumbersome doesn’t help if a bad actor comes in through a reverse shell.
To start next month more secure than today, organizations must look at what current vulnerabilities they’re ignoring. Impersonations within their system that aren’t caught and acted upon quickly are a core component to account takeovers, ransomware attacks, data extraction, and insider threats. Coupled with this should be timing and context. This enables companies to respond in real-time to a breach, before it is weaponized, and to know what to prioritize with their likely limited resources. This will enable teams to find and stop what has already gotten into the protected perimeter, before the damage is done.
Danny Brickman, CEO and Co-Founder, Oasis Security
Non-Human Identities (NHIs) such as service accounts, tokens, access keys, and API keys, are fundamental components of modern business operations across all sectors and industries. However, NHI management is often neglected, which leaves organizations vulnerable to severe cyber threats. Recent high-profile breaches that stemmed from the exploitation of NHIs underscore the criticality of properly managing and securing NHIs.
October is Cybersecurity Awareness Month, a time dedicated to prioritizing cybersecurity best practices and shoring up cyber defenses. With traditional identity & access management solutions and best practices rendered obsolete, and NHIs proliferating every day, the industry needs solutions to properly secure this massive attack surface.
Now is the time for enterprises and midmarket organizations alike to incorporate comprehensive NHI management into their security and identity programs. Core best practices for managing NHIs include:
Maintain a comprehensive and up-to-date inventory of all NHIs within the organization
Understand the business context and owners of each NHI
Apply the principle of least privilege
Monitor the environment continuously to detect and respond to suspicious activities involving NHIs
Define governance policies and implement them via automation
Prioritize secret rotation
Decommission stale and orphaned service accounts
Non-human identity management (NHIM) is a security, operational and governance challenge. To effectively address it, organizations need a purpose-built enterprise platform that solves all three. Successful NHIM requires not only discovering NHIs in real time and without prior knowledge of them, but also understanding their individual business context (usage, consumers, owners, authentication methods, entitlements, resources, risk factors, behavior, etc.). In order to achieve this, modern NHI management solutions must be able to ingest vast amounts of data from a wide range of sources (audit logs, IDP, Vaults, DSPMs, ASPMs, etc.) and continuously analyze it with advanced AI/ML, LLMs and behavioral analytics techniques.
Cybersecurity Awareness Month is a good reminder to invest in the right tools and best practices to protect against evolving threats and uphold security in a dynamic digital landscape.
Narayana Pappu, Founder and CEO at Zendata
"As AI becomes central to business operations, it also introduces significant security risks, such as concerns about unauthorized data usage, AI model hacking, and training data leaks. Protecting sensitive and proprietary information is critical and requires strategies like maintaining a clear data bill of materials and ensuring that AI models are trained only for intended purposes.
To mitigate these risks, deploying AI systems on-premise or in Virtual Private Clouds (VPCs) can offer better control, while domain-specific and smaller language models reduce exposure. Role-based access controls, data fingerprinting, and ensuring training data remains sealed to its rightful owner are essential for preventing data leakage and external threats.
Strong security measures are crucial to safeguard AI systems and sensitive information as AI evolves."
Doug Murray, CEO, Auvik
Last year, CISA announced that the enduring theme for all future Cybersecurity Awareness Months (which occur each year in October) would be "Secure Our World." This theme evokes the sentiment that security is a shared responsibility between individuals, businesses and governments alike. Even within a specific organization, security is a shared responsibility.
Consider the issue of infrastructure sprawl – both CISOs and CIOs are purchasing and managing tools that support either cybersecurity objectives or serve a particular IT function. A big concern here is the cybersecurity risks involved in infrastructure sprawl, as the proliferation of tools and vendors has gotten out of control for many IT teams.
Another increasing area of risk is shadow IT and shadow AI, which involves the use of IT systems, devices, software, and services without explicit approval from the IT department. SaaS shadow IT is probably one of the biggest hidden risk factors that IT leaders face today, particularly at a time when employees are experimenting with emerging AI tools. Most people who utilize shadow IT tend to think that they’re just using a productivity tool. However, organizations have found shadow IT adoption can open vulnerabilities.
In purchasing a combination of different tools – some that provide multiple functions and others that are point solutions – companies easily end up with huge overlaps. For example, it’s common for a company to have multiple firewall providers operating within their network all at the same time. This is not only redundant but could actually be introducing even more cybersecurity risk to the business unnecessarily. How can we manage some semblance of consolidation to drive up efficiency and lower costs? Every vendor that gets added for more firewall or endpoint security protections introduces new security concerns in terms of business process integration and daily IT management. What’s needed is a network management platform that gives us a federated view of everything that IT uses for its daily processes, systems, and management. Business leaders must then work together to determine which tools to keep and which they can do without, in order to reduce sprawl and overall risk exposure.
Victor Monga, Global Cybersecurity Technologist, Menlo Security
The internet has become such a big part of our everyday lives, and most of us don’t even realize how much we rely on it. Whether we’re shopping online, paying bills, or even closing million-dollar deals for work, most of these activities now happen in our web browser. It’s like the front door to everything we do online. But with that convenience comes risk. The same browser that lets you order groceries or work from home can also be a target for cybercriminals trying to steal your money, your identity, or even your work. It’s no longer just about protecting your bank account—it’s about protecting everything that matters to you.
Here are a few things that can happen if your digital security is compromised:
Identity theft: Hackers can use your personal information to open credit cards or take out loans in your name.
Loss of privacy: Cybercriminals can access your emails, personal messages, and sensitive files.
Job security risks: If you work from home or on the go, your job might be at risk if your company’s data is stolen through your browser.
Family safety: Your kids’ information can also be at risk, leading to identity theft or unwanted exposure to harmful content.
To protect yourself online, there are some simple but powerful steps you can take to keep your information safe. One of the most important things you can do is always use multi-factor authentication (MFA) whenever possible. This adds an extra layer of security by requiring a second form of identification, like a text message code or an app confirmation, before accessing your accounts. It’s also smart to validate any requests for money or signatures—if you’re about to transfer funds or sign an important document, double-check with the person or organization first, especially if it seems urgent or unexpected. Keeping an eye on your financial well-being is just as important, so make sure you review your credit card statements regularly for any suspicious activity.
Here are a few other things you can do to protect yourself:
Keep your PC and all software up to date: Regular updates help patch security vulnerabilities that hackers could exploit.
Only install software from trusted sources: Avoid downloading anything unless you’re certain it’s safe and from a reputable company.
Be mindful of what you post or click on online: Remember, once you post something or click a suspicious link, it’s often a one-way street. Visiting websites with fake coupons or offers could lead to malicious actors tracking your activity or worse—hacking into your system and ruining your day.
By following these steps, you can significantly reduce your risk of becoming a victim of cybercrime and protect not just your finances, but your personal life and privacy as well. Another essential way to protect yourself is by freezing your credit, which makes it harder for identity thieves to open new accounts in your name. You can call the three major credit bureaus—Equifax (1-800-685-1111), Experian (1-888-397-3742), and TransUnion (1-888-909-8872)—to request a credit freeze. It’s free, and it helps stop any new credit accounts from being opened without your permission. It’s a simple but effective way to secure your personal information. Stay vigilant and cautious—it’s better to prevent an issue than to fix it later!
Darren Guccione, CEO and Co-Founder, Keeper Security
October 2024 marks the 21st anniversary of "Cybersecurity Awareness Month". However, over the past two decades, as we’ve witnessed a surge in cyber attacks and the continued emergence of new and evolving threats, it’s become increasingly clear that awareness alone is not enough. A recent survey revealed that a staggering 92% of IT and security leaders have reported an increase in cyber attacks year-over-year.
It’s time for us to move from awareness to action.
So, how can we transform Cybersecurity Awareness Month into Cybersecurity Action Month? The key lies in prioritizing straightforward, yet often overlooked, cybersecurity best practices.
One effective strategy is deploying a Privileged Access Management (PAM) solution, which enhances security by controlling access to sensitive systems and data. This reduces the risk of unauthorized access and data breaches, and minimizes the impact of a breach if one occurs.
Additionally, creating strong, unique passwords for each account remains a critical first line of defense against unauthorized access. Utilizing a password manager can significantly improve security by generating and storing high-strength, random passwords for every website, application and system. Strong and unique passwords help prevent the domino effect in which the compromise of one account leads to further unauthorized access.
When selecting a password manager, look for providers that offer transparent security architecture, zero-knowledge and zero-trust infrastructure, and hold certifications like SOC 2, ISO 27001, 27017 and 27018, as well as FedRAMP Authorization. This ensures the highest level of protection for your sensitive information.
Don’t get hacked. This Cybersecurity Awareness Action Month, let’s commit to proactive measures and adopt fundamental cybersecurity practices to significantly reduce our vulnerability to cyber threats.
Boaz Gorodissky, Chief Technology Officer, XM Cyber
Cybersecurity Awareness Month serves as a reminder to organizations that protecting critical assets requires a much more comprehensive approach to exposure management. Organizations typically have around 15,000 exposures scattered across their environments that skilled attackers could potentially exploit, and yet, CVE-based vulnerabilities account for just a small percentage of this massive exposure landscape. Even when looking only at exposures affecting their most critical assets, CVEs represent only a small part of the risk profile. While organizations are focused on patch management and vulnerability management to address CVEs, the maturity to mobilize teams and remediate issues such as misconfigurations and weak credentials is low, leaving organizations exposed.
This disconnect between the traditional cybersecurity focus and the real-world threatscape demands a paradigm shift in security strategies.
This Cybersecurity Awareness Month, organizations should use the opportunity to ensure a comprehensive and proactive approach to cybersecurity. They should ensure they get a continuous and complete view to secure all critical assets (on-prem and cloud), to holistically safeguard their digital assets in today’s increasingly complex threat landscape.
Rob Rashotte, Vice President, Global Training & Technical Field Enablement at Fortinet
Since 2004, the U.S. government and the cybersecurity industry have recognized October as Cybersecurity Awareness Month. This collaborative effort between the government and the industry generates discussion on cyber threats and enhances cybersecurity awareness with the goal to Secure Our World. Looking at the cyber landscape in 2024, the cyber skills gap continues to be a top concern.
The challenge is twofold: too few cybersecurity professionals in the field, and a lack of adequate skills for those in IT and security positions. We’ve seen the real-world impact of this skills gap: 58% of respondents to Fortinet’s 2024 Cybersecurity Skills Gap Global Research Report revealed that insufficient skills and a lack of properly trained IT/security staff are the prime causes of breaches, and 70% of respondents revealed that the cybersecurity skills shortage creates additional risks for their organization.
The stakes are high for organizations when it comes to cybersecurity. Breaches take a financial toll, disrupt business operations, and erode customer and partner trust. Closing risk management strategy gaps, including prioritizing skills development and proper staffing, is vital to protect any organization.
At Fortinet, we’re dedicated to helping address the cyber skills gap head-on by providing training and certification programs and security awareness training to help organizations cultivate a more cyber-aware workforce. We’re on a mission to build a diverse and skilled workforce and empower the next generation of cybersecurity professionals with the training and tools they need to succeed, including a 5-year pledge to train 1 million people in cybersecurity by the end of 2026 as part of this commitment.
Collaboration across the public and private sectors to address these challenges is key, including initiatives like Cybersecurity Awareness Month. Together, let’s take action this October, tackling the cyber skills gap and increasing cyber resilience.
Patrick Harr, CEO, SlashNext Email+ Security
The explosion of AI in recent years has made it easier for cybercriminals to execute effective phishing scams and other attacks on users. As a result, we’ve seen a dramatic increase in attacks across various communication channels such as email, SMS, social media platforms, collaboration tools like Slack and Microsoft Teams, messaging apps like Signal and WhatsApp, as well as voice and video calls. There has also been growth in the use of 3D phishing—a sophisticated approach where cybercriminals target victims through multiple channels to establish credibility, instill urgency, and enhance their chances of successfully deceiving the target. By combining multiple modes of deception across different channels—such as starting with an email request and then following up with a phone call or a message—the attackers can launch very believable scams that are hard for the average person to detect, allowing them to bypass traditional security measures.
Cybersecurity Awareness Month is a reminder that the methods used by cybercriminals continue to evolve, making it imperative for organizations to have the resources and plans in place to prevent these attacks before they result in data compromise and other security concerns. To stay one step ahead of these sophisticated tactics, organizations must adopt a multi-faceted defense approach, which includes utilizing AI to combat AI-based scams. Even with continuous training to help employees recognize the hallmarks of email and message-based scams, many are still unable to evade complex schemes like 3D phishing. However, while humans may struggle to recognize these threats on their own, AI-based security platforms can detect unusual activities associated with 3D phishing attempts.
Ratan Tipirneni, President and CEO of Tigera
Cybersecurity Awareness Month highlights the importance of implementing stronger defense mechanisms that protect organizations and citizens from increasing cyber crime. Kubernetes and containerized environments underpin digital innovation and are at the core of modern application development. While these environments boast significant advantages, offering scalability, efficiency, and flexibility, they are also subject to various security risks. This includes vulnerabilities, misconfigurations, network exposures, and both known and zero-day malware threats. The distributed nature of microservices, the dynamic scaling of workloads, and the ephemeral nature of containers introduce unique security challenges.
Traditional approaches to risk assessment, whereby vulnerabilities, misconfigurations, and threats are identified and prioritized in isolation, each generating its own set of alerts and priorities, are insufficient for the unique nature of Kubernetes. To effectively protect your Kubernetes environment, it is essential to adopt an interconnected security approach that accounts for how these risks interact. Many security risks are associated with specific services. By understanding the relationships between services, security teams can better assess the potential blast radius of risks if left unmitigated. This will enable more accurate and timely risk assessment, prioritization, and mitigation.
This Cybersecurity Awareness Month, organizations should work to deploy tactics that help evaluate risks holistically and implement controls such as default-deny network policies, workload isolation, IDS/IPS and WAFs. These tactics will reduce their risk of exploitation, limit lateral movement in the event of a breach, and block known threats before they can manifest.
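The default-deny plus explicit-allow model recommended above, shown as an added example that is not Tigera's or the Kubernetes project's code: a simplified Python model of NetworkPolicy ingress semantics (one namespace, podSelector peers, ingress only) that computes each pod's blast radius with and without policies. The pod names, labels and three-tier layout are constructed for illustration.

```python
# Added example, not code from Tigera or Kubernetes: a simplified model of
# NetworkPolicy ingress semantics (one namespace, podSelector peers, ingress only)
# showing why default-deny matters and how to estimate a pod's blast radius.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Pod:
    name: str
    labels: frozenset  # of (key, value) pairs

@dataclass
class NetworkPolicy:
    pod_selector: dict  # matchLabels; {} selects every pod in the namespace
    ingress_from: list = field(default_factory=list)  # peer podSelector dicts

def selects(selector: dict, pod: Pod) -> bool:
    """matchLabels: every key/value in the selector must be present on the pod."""
    return all((k, v) in pod.labels for k, v in selector.items())

def ingress_allowed(policies: list, src: Pod, dst: Pod) -> bool:
    """Can src open a connection to dst under these policies?"""
    applicable = [p for p in policies if selects(p.pod_selector, dst)]
    if not applicable:
        return True  # Kubernetes default: an unselected pod accepts all ingress
    # Once any policy selects dst, only listed peers get in; rules are additive.
    return any(selects(peer, src) for p in applicable for peer in p.ingress_from)

def blast_radius(policies: list, pods: list, src: Pod) -> set:
    """Names of pods that src could reach directly if it were compromised."""
    return {p.name for p in pods if p is not src and ingress_allowed(policies, src, p)}

# Constructed sample workloads: a three-tier app (web -> api -> db).
WEB = Pod("web", frozenset({("app", "web"), ("tier", "frontend")}))
API = Pod("api", frozenset({("app", "api"), ("tier", "backend")}))
DB = Pod("db", frozenset({("app", "db"), ("tier", "data")}))
PODS = [WEB, API, DB]

# Weak setting: no policy, so every pod can reach every other pod.
NO_POLICY = []
# Corrected setting: namespace-wide default-deny plus explicit allows that
# mirror the intended service relationships.
HARDENED = [
    NetworkPolicy(pod_selector={}),  # selects all pods, allows nothing
    NetworkPolicy({"app": "api"}, ingress_from=[{"app": "web"}]),
    NetworkPolicy({"app": "db"}, ingress_from=[{"app": "api"}]),
]

if __name__ == "__main__":
    for label, policies in (("no policy", NO_POLICY), ("hardened", HARDENED)):
        for pod in PODS:
            print(f"{label:10} {pod.name} -> {sorted(blast_radius(policies, PODS, pod))}")
```

With no policy, a compromised web pod can reach api and db directly; under the hardened set it can reach only api, and a compromised db pod can reach nothing.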
Nicole Carignan, VP of Strategic Cyber AI at Darktrace:
AI
"As AI systems become embedded into the tools and processes organizations depend on every day, AI safety must be a critical focus during this year’s Cybersecurity Awareness Month. Simply put, trustworthy and reliable AI cannot exist without strong cybersecurity.
Cybersecurity leaders must be embedded in an organization’s AI journey from the beginning to ensure AI is deployed in ways that keep it reliable and secure. We must focus on applying cybersecurity best practices to protect models and invest in safeguards to keep AI systems protected at all stages of the AI lifecycle, to avoid unintended behaviors or potential hijacking of the algorithms. That includes securing the environment in which the AI models are deployed, ensuring the models are continuously monitored and protected, and putting in place processes and procedures to ensure they are used safely and appropriately.
Organizations must also integrate AI training and awareness into broader cybersecurity awareness programs, ensuring employees understand the different use cases for AI, and how to use those to their advantage without introducing risk, such as unintentional data leaks, inaccurate use cases, or privacy violations. A large portion of AI safety is AI security and data security. Training should continue to emphasize secure, safe and compliant access and use of data, especially in interacting with models and produced synthetic data."
Cyber
"Both consumers and organizations rely on email as a primary communication tool, so raising awareness of email-based attacks is critical during Cybersecurity Awareness Month. However, despite increasing focus on cybersecurity awareness training, email phishing remains one of the greatest threats to organizations globally. In fact, between December 2023 and July 2024, we detected 17.8 million phishing emails across our customer fleet. As the sophistication of phishing attacks continues to grow, organizations cannot rely on employees to be the last line of defense against these attacks. Instead, organizations must use machine learning-powered tools that can understand how their employees interact with their inboxes and build a profile of what activity is normal for users, including their relationships, tone and sentiment, content, when and how they follow or share links, etc. Only then can they accurately recognize suspicious activity that may indicate an attack or business email compromise.
While email has long been the vector of choice for carrying out phishing attacks, threat actors continue to adapt and evolve their tactics to increase success of these attacks. For example, we’ve seen a rise in the abuse of commonly used services and platforms, including Microsoft Teams and Dropbox for phishing campaigns in recent months. A proactive security stance which monitors anomalous activity patterns and privileged access paths is essential to stay ahead of these kinds of attacks. Consistent governance spanning all technology portfolios is now table stakes for robust cyber resilience."
"The ability for attackers to use generative AI to produce deepfake audio, imagery, and video to deceive employees is another growing concern for organizations this Cybersecurity Awareness Month, as attackers are increasingly using deepfakes to start sophisticated social engineering attacks. Deepfakes are on the rise to facilitate initial access or assist in financial cybercrimes. In response, organizations will need to evolve their security awareness training from a focus on how to ‘spot’ a phishing email to focusing on implementing layered and out-of-band verification practices for IT, help desks, security, and financial activities. In addition, we believe we will see increasing adoption of multi-layered security solutions including multi-factor authentication, cross-domain visibility, and AI-augmented detection and response to better defend against these attacks."
Venky Raju, Field CTO, ColorTokens
When a cybersecurity breach makes headlines, the finger often points straight at humans. High-profile incidents like the SolarWinds attack, where human error was cited as a key factor, the recent 23andMe breach blamed on users’ weak passwords, or Uber’s MFA fatigue incident—all reinforce the narrative that humans are the weakest link in security. While there’s some truth to it, I believe it’s not the whole story. The real issue isn’t human incompetence. It’s the complexity of the systems we expect people to navigate. Alert fatigue, overly complicated user interfaces, and an endless stream of warnings all contribute to burnout. Combine that with limited budgets and staffing, and it’s no wonder mistakes happen.
Instead of piling more responsibilities onto users, we need to rethink our approach to cybersecurity.
Rethinking Authentication: Passwords are a prime example. We tell people to use complex, unique passwords, change them frequently, and never reuse them. Password managers are supposed to help, but even they aren’t foolproof. The LastPass breach raised concerns about relying solely on these tools since they can become single points of failure.
Embracing Passwordless Technologies: By adopting passwordless technologies like passkeys or biometric authentication, we can enhance security and simplify the user experience. Passkeys use public-private key cryptography, allowing users to authenticate using their devices’ built-in capabilities.
Reducing Alert Fatigue: Cybersecurity professionals face an overwhelming number of alerts daily, many of which are false positives. This constant barrage leads to alert fatigue, where genuine threats might be missed. Our reliance on detection and response technologies like Endpoint Detection and Response (EDR) contributes to this overload. While valuable, they shouldn’t be our only defense.
Proactive Security Measures: By adopting proactive security measures, we can reduce alerts and ease the burden on professionals. Techniques like microsegmentation compartmentalize the network, limiting threat spread and reducing the attack surface. By fortifying networks from the start, we prevent threats from reaching users in the first place. This approach lessens the reliance on human vigilance and reduces the chances of error due to fatigue or complexity.
This Cybersecurity Awareness Month, let’s shift the narrative. Too often, we find the easy victim—users—when the real issue lies in the systems they’re forced to work with. As responsible technologists, it’s our duty to simplify their lives, not complicate them.
It’s time to stop expecting users to be perfect and start designing systems that support them better. After all, security is a collective responsibility, and technology should be an enabler, not an obstacle.
Damon Tompkins, President, Pathlock
As we observe Cybersecurity Awareness Month, it’s essential to highlight the importance of identity security in protecting our digital environments. Identity security involves safeguarding individual and system identities within an organization from unauthorized access or malicious exploitation. This includes implementing robust identity and access management systems, which control who has access to what within the organization, and continuously monitoring these identities to detect and respond to any unusual activity. By ensuring that every access request is verified and validated, identity security acts as a critical defense against potential security breaches.
Prioritizing identity security helps organizations enhance their security posture, protect sensitive information, and comply with regulatory requirements. Effective identity security practices, such as adopting a Zero Trust model, ensure that every access request is scrutinized, regardless of its origin. This approach not only safeguards data but also supports operational efficiency by ensuring that users have the appropriate level of access at all times. As we navigate an increasingly digital world, robust identity security measures are more crucial than ever in defending against cyber threats and maintaining a secure and compliant access environment.