National Cybersecurity Awareness Month is a month-long campaign observed every October, and 2021 marks the 18th year since its initial conception.

Since then it has grown exponentially and has become renowned across the world, with businesses, consumers, corporations, educational institutions and young people all taking stock of the importance of internet security and cyber security measures.

As cyber criminals took advantage of the operational changes businesses had to quickly make as a reaction to the pandemic, ransomware attacks soared with the UK being ranked number 10 on the list of countries worst affected by ransomware. In fact, four in ten UK businesses (39%) experienced a cyber security attack in the last 12 months alone, with around a quarter (27%) of these organisations experiencing them at least once a week.

With cyber attacks becoming more frequent and more sophisticated, WeAreTechWomen took a moment to speak with experts in the field to find out what businesses can do to protect themselves – here is what they had to say:

The first line of defense – employees

National Cyber Security Awareness Month 2021 is a time to reflect on the major technological and lifestyle shifts brought on by the pandemic and their security implications.

For Tim Bandos, CISO & VP Security Managed Services at Digital Guardian, cyber talent retention should be a top priority. He said: “Finding the right fit for your security team remains a daunting and somewhat challenging task in today’s world. There’s a well-documented shortage of talent across the cyber security industry dating back several years. The pandemic and the challenges it brought have made matters worse.

“When it comes to ensuring cyber talent retention, establishing the right working environment is critical to keeping people engaged and motivated to stay. Having policies to ensure there’s an effective work-life balance and offering solid benefits are important elements when it comes to employee retention. I also believe that if you have a highly collaborative and engaging team that focuses on achieving group goals and taking the time to reward and celebrate them, it goes a very long way in countering anyone’s interest in leaving.”

Providing employees with the right skillset is essential when it comes to cyber security. Don Mowbray, EMEA Lead, Technology & Development at Skillsoft commented: “In today’s digital age, companies must continuously train their employees and build a security-minded workforce that’s aware of the multitude of threats they face.”

He suggests, “leveraging blended learning mixes styles, tactics, and content delivery modalities that make for a robust, effective and tailored environment for all. In cyber security training, it can involve putting the practical skills learned to the test in controlled practice labs or gamified style attacker versus defender environments, with traditional courses and lessons layered throughout, helping learners evaluate their skills via a hands-on approach.”

The right tools for the role

All businesses operate in different ways depending on a multitude of factors such as industry, department, or compliance and regulation. It makes sense, then, that there is no one-size-fits-all answer when it comes to the tools each needs to support the work.

For Phil Dunlop, General Manager, EMEA at Progress, it’s about supporting the IT teams with the correct tools. “As we emerge from the pandemic, and workers start to head back to offices, IT teams continue to carry a heavy responsibility for data security. Within the working environment, employees sharing personal and private data internally and externally is a constant stress for security teams and IT operations. And the data security risks associated with social platforms like Slack, Teams and WhatsApp only add to the pressure.”

Dottie Schindlinger, Executive Director at Diligent Institute, agrees: “Open communication tools – like Slack, texting and personal email – are great for informal communication, but they don’t often provide the level of security or access privileges needed for sensitive communications between executives, the board, legal, HR, risk and compliance teams… Organisations need secure environments and workflows that allow them to communicate highly sensitive information safely, without worrying that it might accidentally be misrouted, forwarded, leaked or even stolen. And, the system must be intuitive and convenient, so executives remain within its workflows and processes without straying to other systems and creating security gaps.”

Keeping technology up to date 

Remote work unexpectedly became the norm in 2020, and as we close out 2021, the hybrid work model may be here to stay for decades to come. “Rather than retreating back to legacy methods and previous strategies, companies must #BeCyberSmart and tackle modern threats head on,” Tyler Farrar, CISO at Exabeam commented. “It’s critical to highlight that compromised credentials are the reason for 61% of breaches today. To remediate incidents involving user credentials and respond to adversaries, organisations must consider an approach that is closely aligned with monitoring user behaviour to get the necessary context needed to restore trust, and react in real time, to protect employee accounts. This should include the ability to understand what normal looks like in your network, so when anything abnormal occurs, you can immediately detect it and prevent it from causing harm or damage to your organisation.”

With ransomware on a continual rise, outsourcing to specialist providers continues to be an increasingly popular choice for businesses requiring expert security services. Andy Collins, Head of Security at Node4 said: “It can be difficult for busy internal security teams to allocate time and resources to essential, but not urgent, tasks such as identifying the most effective local or off-site backup location for each data tier, or analysing the operational impact to avoid performance degradation for systems and applications. Security MSPs can provide great aid in preventing cyber-attacks by providing technical support, filling technical gaps, and staying up to date with the latest threat and security technologies in order to resist their ever-changing nature.”

Recovery over ransom

As fending off cyber attacks becomes a daily reality, having a cyber strategy in place should be a top priority for all businesses to ensure that, should the worst happen, the business is poised to recover.

Andy Fernandez, Senior Manager, Product Marketing at Zerto, a Hewlett Packard Enterprise company, said: “Ransomware attacks are evolving, targeting next-gen applications like Kubernetes and Microsoft 365. As the adoption of cloud applications grows, so will exploits and attacks and in turn the importance of restoring data. Modern organisations that are responsible for that data will need to have native data protection solutions that can help them protect internal applications and applications shipped using containers. For example, we are seeing file-less attacks explicitly targeting stateful Kubernetes data.”

Hugh Scantlebury, Founder and CEO at Aqilla, agrees: “Cyber attacks continue to grow in frequency and severity. Backup and disaster recovery coupled with regularly audited security measures are the best form of defence. But don’t assume that your cloud-based SaaS solutions automatically offer these services.

“Aqilla’s software does. But if you’re using cloud-based accounting and financial software — indeed, any cloud-based solution — we’d recommend you check that your solution operates from a secure and well-managed data centre. Ask your provider if they store your data in accordance with the National Cyber Security Centre’s 14 Cloud Security Principles.

“Finally, check whether disaster recovery and automated backup are taking place (and with what frequency) within your SaaS environments.”

For Thomas Cartlidge, Head of Threat Intelligence at Six Degrees, it is all about cyber hygiene. He told us: “Strong cyber security hygiene has never been as important as it is today. As workers get settled into hybrid environments it is critical your employees protect their identity while at work and at home.”

“Making cyber smart decisions that align to your wider organisational strategy is an essential element of maintaining operational integrity and ensuring success in this hostile digital landscape,” he concludes. “If you have a cyber skills gap in your organisation, you should be soliciting input from a third party to help prioritise your cyber strategy.”