The assertion that “cybersecurity is everyone’s responsibility” is one that I wholeheartedly believe in and support—so much so, in fact, that when I moderated a panel in April at the Swiss Cybersecurity Days conference, panelists and audience members echoed that sentiment and offered ways in which it can and will become a mantra for everyone.
One panelist, Mauro Vignati, an adviser of digital technologies of warfare for the International Committee of the Red Cross (ICRC), shared how the Red Cross, Red Crescent, and Red Crystal symbols signify the values of protection in armed conflict and are part of a widely accepted legal and policy framework.
While the International Red Cross symbols were conceived as a visible expression of the protection of medical facilities and humanitarian actors in the physical domain, no comparable distinctive emblem exists in the digital domain.
Yet, cyber operations can have significant humanitarian consequences, not least when civilian populations are particularly vulnerable to the impacts of operations that disrupt essential services, according to Vignati. A digital emblem could become a component of the protection of medical and certain humanitarian actors, performing the same functions that are performed by the physical display of the emblems.
Another panelist, Felix Linker of ETH Zurich, presented an overview of the Authenticated Digital Emblem (ADEM) concept and how it would operate in modern cyberattacks. The concept, under the auspices of the Center for Cyber Trust, is in development and expected to be available this summer. To learn more, read Linker’s blog post on Humanitarian Law & Policy.
There is no doubt that cybersecurity must be foundational across organizations and industries. It is, in essence, everyone’s responsibility, as captured by the University of Wisconsin-Madison Information Technology department’s first principle, “Security is Everyone’s Responsibility.”
The analogy of responding to a fire at a neighbor’s house is apt: a fire next door threatens your own house, so everyone has a stake in putting it out. As we become more connected, the threat vectors and vulnerabilities to attack also increase. One common attack is “phishing,” the proverbial urgent email with an attachment that invites the reader to open it; one click later, you and your organization are infected.
Cyberattacks Are Becoming More Frequent and More Sophisticated
Did you know that 83% of organizations said they experienced a successful email-based phishing attack in 2021, versus 57% in 2020? That equates to a 46% increase in organizations hit with a successful phishing attack last year, according to Proofpoint’s “2022 State of the Phish Threat Report.”
Ransomware locks up your data and holds it for ransom, often with the added threat of selling it elsewhere, until you pay the criminal organization to release your data back to you.
“68% of organizations were infected by ransomware in 2021, up from 66% in 2020. Nearly two-thirds of those organizations were hit by three separate ransomware infections, while nearly 15% of those experienced more than 10 separate ransomware infections.”
The attacks are becoming more sophisticated, and it is important to become cognizant of the threats both organizationally and individually.
Locking the front door of your house and knowing who holds the keys is basic hygiene. Industries including healthcare, energy, telecommunications, finance, and manufacturing, coupled with national critical infrastructure, are only the tip of the iceberg when it comes to increased cybersecurity threats.
Small and medium-sized businesses (SMBs), such as your favorite restaurant or retail store, are also targeted by cybercriminals, more so in 2022 than in previous years.
SMBs are struggling to defend themselves against this targeting. According to Ponemon Institute’s “Cybersecurity in the Remote Work Era: A Global Risk Report,” three factors stand behind cyberattacks on SMBs:
- Insufficient security measures: 45% say that their processes are ineffective at mitigating attacks.
- Frequency of attacks: 66% have experienced a cyberattack in the past 12 months.
- Background of attacks: 69% say that cyberattacks are becoming more targeted.
The most common types of attacks on SMBs include:
- Phishing and social engineering: 57%.
- Compromised and stolen devices: 33%.
- Credential theft: 30%.
Compounding the overall cybersecurity issue is its correlation with privacy, in the form of data breaches. In the third edition of their book “Security + Certification,” Mike Meyers and Scott Jernigan of CompTIA write:
“Bad things can happen to good data, from outright loss to unauthorized access by untrusted sources. Data breaches occur when confidential information has been exposed, whether by accident or by malicious intent. Data exfiltration is a type of data breach, specifically involving bad actors and malware performing an authorized transfer of data. The impact of such data breaches and exfiltration will undermine customer confidence, impacting the organization’s reputation.”
Creating a Privacy Risk Action Plan
Simply put, if an organization’s data is leaked or stolen, privacy and, moreover, trust have been broken. Understanding the various jurisdictional issues associated with privacy must be part of an overall cybersecurity and privacy risk action plan.
Privacy by design must be part of the product engineering process. A wonderful source I recommend is the book by an industry colleague, Michelle Finneran Dennedy, and her co-authors Jonathan Fox and Thomas R. Finneran, titled “The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value.”
Their book is a “systematic engineering approach to develop privacy policies based on enterprise goals and appropriate government regulations. Privacy procedures, standards, guidelines, best practices, privacy rules and privacy mechanisms can then be designed and implemented according to a system’s engineering set of models, patterns that are well known and well regarded but also presented in a creative way.”
Amid these statistics and alarms, disconnecting an organization from the Internet is certainly not viable in today’s increasingly connected world.
What Can We Do to Make Cybersecurity Everyone’s Responsibility?
This leads me to ask: what can we do to develop a culture of cybersecurity and privacy that is everyone’s responsibility?
I believe organizational security and privacy awareness programs are critical. I also recommend periodic testing of an organization’s overall cybersecurity and privacy acumen in the form of simulated phishing emails and gamified training.
At Syniverse, we take cybersecurity and privacy seriously and are hiring talent to help advance the cause that cybersecurity is everyone’s responsibility. We also understand that cybersecurity and privacy are a multi-stakeholder ecosystem.
The sky is the limit for what we can all do together to develop resilient, safe processes and controls and, with training, a Syniverse culture where cybersecurity is everyone’s business. Join me in this effort, and should you want to be a member of the world’s most connected company, Syniverse, please contact me.
With more than 25 years’ experience as a global technology leader, Monique is senior distinguished architect at Syniverse, where her main role and responsibilities are to provide thought leadership and to help set the strategic direction and vision for Syniverse’s identified emerging technologies across the company, partners, and industry forums. Her specific focus areas include extensions of Distributed Ledger Technology (DLT) and other emerging components of blockchain technologies to Syniverse’s lines of business and enterprise. Emerging technology areas include DLT interoperability, zero-knowledge proofs and data anonymization, trust and identity, and mobile payments.