Q&A: Advice during this National Cybersecurity Month

As October is National Cybersecurity Awareness Month, we spoke to Tim Helming, director of product management at DomainTools, about the most prevalent security threats facing businesses.

What is your number one piece of advice for companies to consider this National Cybersecurity Month?

To make every single employee part of the security team. Turn the liability (of users who click on phishes, etc) into an asset - they are your sensor network, and like any sensor network, the better-tuned they are, the better they’ll be at picking up signals that could be incredibly valuable in preventing, detecting, or analysing breaches.

No matter the size of your company, you are still at risk. What can SMBs do to adequately prepare their organisations for a potential breach?

See above - that’s something that can be done in a company of any size (but it would be easier in terms of scale in an SMB than in a very large enterprise). Also, while technology doesn’t eliminate all of the holes and risks, it does help. SMBs should become educated on the various security systems out there and deploy tools carefully. A lot of SMBs find the multi-function appliances (UTM or NGFW) helpful in this regard, since they can combine a lot of functions with only one UI to learn.

Also—LOG EVERYTHING! Storage is cheap, and bandwidth is good enough to make it practical to keep logs from firewalls, servers, spam filters, etc. These can be very valuable if a breach is known or suspected. It’s a really tough spot to be in if you think something’s wrong but don’t have data to help you find it.

From both the hacker and business perspective, why are cyber scams like phishing and ransomware more successful and prominent than ever before, and how can we expect these trends to continue, going into 2017?

Because they work, unfortunately. A very wide spectrum of malicious activity, from opportunistic mass phishing campaigns (like “419” scams) to highly-targeted Business Email Compromise spear phishes, has succeeded, over and over.

Phishing is dramatically easier to accomplish than crazy advanced hacking techniques such as stealing data by listening to variations in CPU fan speed (which is actually a thing!). I hope that one of the 2017 trends is that users become smarter about detecting phishing. If you look at a lot of the headline-grabbing breaches, a huge percentage of them had a phish as part of the sequence of events. If the user who got that phish had not fallen victim, a great deal of damage may have been prevented.

With the U.S. government appointing its first CISO, how will this impact corporate decisions to follow suit and prioritise similar roles within their companies in 2017?

Honestly I’m not sure it will have a big impact. Companies’ governance is going to be driven much more by their internal priorities and objectives than by the creation of this nationwide office.

This isn’t to diminish the value of the US CISO, but think about it this way: if the impacts of the breaches we’ve seen in 2016 (and prior) aren’t enough to push companies to bake strong security into everything they do, I don’t think the existence of the US CISO is going to do it.
