Category: Guest Blog Post

Throughout 2022, we saw hackers become far more sophisticated with their email-based cyber attacks. Using legitimate services and compromised corporate email addresses became a norm and is likely to continue in 2023 and beyond.

Related: Deploying human sensors

Additionally, with tools like ChatGPT, almost anyone can create new malware and become a threat actor.

According to a recent report, small businesses (defined as those with under 250 employees) receive the highest rate of targeted malicious emails at one in every 323 emails, and 87 percent of those businesses hold customer data that could be targeted in an attack.

Another report by Vade completed last year found that 87 percent of respondents agreed their organization could take the threat from email security more seriously.

Intelligent defense

Small-to-midsize businesses (SMBs) continue to think they’re “too small to be a target.” This is  a harmful misconception. Hackers may pick SMBs over larger companies for several reasons, namely because SMBs don’t have the same budget or resources dedicated to cybersecurity as large companies.

As attacks grow in number and sophistication, these smaller organizations will need technology that tightly integrates with modern productivity suites such as Microsoft 365 and/or Google Workspace that also provides comprehensive threat intelligence.

Secure email gateways (SEGs) are a common solution used by businesses both large and small to analyze emails for malicious content before they’re able to reach corporate systems. However, with the emergence of API-based or integrated email security solutions, SEGs have become obsolete.

Over the past couple of years, organizations have been opting for API-based email security solutions for reasons including increased visibility into productivity suites, easy deployment and ability to share threat intelligence from email with other applications used throughout the business operation.

Microsoft 365 and Google Workspace are the two most popular productivity suites used worldwide. While strides have been made to make both platforms more secure, it’s inevitable that when hackers run into roadblocks, they’re going to innovate their attack methods to sneak past whatever defenses stand in their way.

Consolidated visibility

The bottom line is, security operations centers (SOCs) and MSPs need solutions that allow them to quickly investigate and respond to email-borne threats transiting through networks without any misconfigurations that could harm, or even halt business operations.

One of the major challenges our customers have voiced to us is how difficult it is to monitor and manage threats from all their endpoints. They need better visibility into their cybersecurity landscape if they’re going to have any chance of protecting their assets effectively.

Additionally, IT teams are being overburdened by managing too many complex tools. They need solutions that allow for powerful integrations but consolidate the most important threat intelligence into simple dashboards.

Products that that speed up incident response times by automating remediation are going to become hot commodities as these suites continue to increase in popularity.

Wider protection

AI-based email solutions can tightly integrate with these suites to catch threats that Microsoft 365 and Google Workspace don’t identify…and perhaps more importantly, those solutions can learn from the threats they encounter to keep similar and more advanced ones from slipping past barriers in the future.

Gendre

In 2023, we predict MSPs and SMBs will invest in tools that integrate seamlessly with productivity suites, reduce incident response times, and lighten the load on IT teams, rather than invest in solutions that solely secure email.

We also predict hackers are already one step ahead and know these tools are going to become commonplace. It’s time for businesses small and large to level up their email security solutions with tools that can learn from and predict the bad guys’ next moves – not just move suspicious emails to spam.

About the essayist: Adrien Gendre is a co-founder of Vade and serves as its Chief Tech & Product Officer.  Founded in 2009, Vade supplies AI-based cybersecurity technologies that help companies defend many types of email-borne attacks.

The decision by the House of Representatives to ban  TikTok  from federal devices is noteworthy, especially as the Chinese spy balloon crisis unfolds.

Related: The Golden Age of cyber espionage

On December 23, 2022, Congress, in a bipartisan spending bill, banned TikTok from all government devices. The White House, the Pentagon, the Department of Homeland Security, and the State Department have already banned the social media app, as have more than a dozen other states.

The Tik Tok decision combines national security, social media, and “China” in only one institution’s change of policy. It reflects the challenge that continued use of social media presents to those within the federal circle of trust.

The Chinese government, as well as other foreign powers, actively probe all aspects of American life for information useful in compromising the Republic’s national security interests. They are active not only in stealing the federal government’s data, but also doing the same in our private and public corporations.

And no one piece of information is the exclusive goal of any intelligence operation; all types of information are useful if they can be gained.

No member of the House of Representatives will be allowed to download the TikTok app on any House-issued mobile phone. This mirrors the general practice of prudent Executive Branch leaders, supervisors, managers, and employees.

Many refuse to use social media at all. It is very rare for a CIA or NSA employee to have, for instance, a Facebook account. Entering the federal circle of trust requires changes in one’s personal life. Americans of older generations were more comfortable with making these changes.

Necessary choice

Meyer

Not so much anymore. It is a choice the security community will force upon everyone seeking access, from a member of Congress down to an entry-level staff member at the Defense Intelligence Agency.

The underlying Tik Tok security concern is that the social media app can be used by a foreign power to collect intelligence or information useful in blackmailing the user into releasing classified information.

The user does not need intent to do the Republic harm; the term “unwitting fool” is used in security circles of trust for situations in which an otherwise well-meaning simpleton plays the pawn role in an intelligence operation.

Removing social media apps as a “door” to gain access to classified information denies the foreign intelligence service one means of access. But the impact is lessened if the federal leaders, supervisors, managers, and employees then substitute personal accounts for government accounts.

And while Congress controls its own security clearances, it must coordinate with the Executive Branch to gain access; if it fails to present a security-safe profile by taking actions like the Tik Tok decision, the national security establishment headed by the Director of National Intelligence for the President will just deny access. Congress collects no intelligence of its own. It is wholly reliant on the President in this federal activity.

The security profiling mechanism governing Executive Branch decisions in this area is Guideline M: Use of Information Technology. It is also used by House and Senate security personnel when they advise Members of Congress and their staffs.

Destructive access

Under Guideline M, not all social media characteristics trigger a security concern. But social media apps can be used to make an unauthorized entry into an information system; they can be entry points for the modification, destruction, or manipulation of an information system or data; they can be used to gain unauthorized access to a compartmented area used to store classified information; and they can promote negligence and lax security practices. The decision is not made to limit communication; it is made to limit theft.

McKinion

Many have been focused on the events of January 6th and the security profiles of members of Congress thought to have encouraged the protest or insurrection. But the event to focus on preceded January 6th. On the morning of October 23, 2019, members of the House of Representatives stormed the compartmented area used by the House intelligence committee to receive, view, and discuss classified information provided by the President through his intelligence agencies.

In violating the rules for handling classified information, the storming raised questions regarding the Congressional commitment to maintaining the discipline necessary to protect classified information. That same discipline is needed to not misuse Tik Tok or one’s private email. Given the question hanging over Congressional reliability, Tik Tok—and other entry points—have to go.

About the essayist: Dan Meyer, is Managing Partner of Tully Rinckey PLLC’s Washington, D.C. office. He is a member and Vice -Chair of the National Security Lawyers Association. Lachlan McKinion is a law clerk in Tully Rinckey’s Washington, D.C., office. He focuses on national security and security clearance law.

The cybersecurity profession can be very rewarding, but at the same time quite taxing.

Related: Equipping SOCs for the long haul

In fact, stress factors  have risen to where some 45 percent of the security professionals polled in Deep Instinct’s third annual Voice of SecOps report said they’ve considered leaving the industry altogether.

Ransomware is at an all-time high; attackers are as elusive as ever. Thus the job of detecting an active adversary and stopping them before they can do material damage has become extremely difficult.

Some 91 percent of respondents reported feeling stress in their security roles, of which 46 percent stated that the level of stress had increased in the past 12 months.

Productivity disruptor

A significant proportion of security pros concede that stress is negatively impacting their ability to do their daily tasks at work; this is the result of a number of variables including:

•A gap between the number of qualified candidates to fill positions and experienced staff members; skilled security personnel are often poached for higher wages and larger responsibilities.

•An overwhelming number of security alerts leading some organizations to turn off warnings altogether.

•Elusive adversaries who continually re-invent new ways to execute attacks.

•Newly discovered software vulnerabilities and misconfigurations increasingly getting exploited before the organization has a chance to fix them.

Above all, the core exposure derives from an increasing number of unknown threats, according to a Divisional Head of Cybersecurity Compliance at a global motor manufacturer:

“The number of unknowns is increasing. The criminals know their existing malware signatures can be detected, so they are constantly looking to find new ways to attack. It’s like they’ve got Harry Potter’s invisibility cloak. We can never switch off.”

Hero mentality

Senior security leaders, i.e. CSOs and CISOs, need to be able to convey the risks that their teams face, especially to board members who can easily get lost in explanations of the endless technical nuances.

And the more senior the cybersecurity role, the more stressful the job. Amongst senior security leaders, the top stress factors were:

•Securing a remote workforce.

•Digital transformation affecting security.

•The threat of ransomware.

A UK-based CISO at a large police force puts it this way:

“We are too reliant on the hero mentality – we have some people who are working 16-18 hour days at times. That’s not sustainable, and we certainly shouldn’t be expecting people to put in those kinds of shifts as a part of our capability. They’ll burn out.”

Taming complexity

Here are a few ways security leaders can work to reduce stress:

•Lower the volume of alerts and reduce false positive rates. Overworked SOC teams have difficulty focusing  on what really matters.

•Pull from resources from other departments, such as IT or even finance, to put an emphasis on securing the organization.

•Create clear goals and measurements of success; help security teams justify resource expenditures.

•Foster a culture of reward and positivity.

Crowley

There is a great amount of discussion around AI for use cases in cybersecurity. Our survey found that 82 percent of respondents would rather depend on AI over humans to hunt threats, and 53 percent agreed that greater automation is necessary to improve security operations.

However, not all AI is created equal.  While machine learning has improved automation, it does not go far enough to make significant differences for SecOps teams.

By comparison, deep learning has been proven to provide a more preventative cyber posture for organizations. This can reduce alerts and false positives, and improve detection of actual threats bypassing controls today.

Overall, deep learning has been seen to improve not just the speed and scale of cybersecurity solutions, but the welfare and impact of security teams.

About the essayist: AKaren Crowley is the director of product marketing at Deep Instinct, a New York City-headquartered supplier of a purpose-built, deep learning cybersecurity framework.

In an ideal world, cybersecurity analysts would get legitimate daily reports on improving a company’s security. Unfortunately, the likelihood of being handed unsolicited, untrustworthy advice is high.

Related: Tech giants foster third-party snooping

This is what fake bug reports are all about. Scammers now routinely spray out fake bug reports designed to take advantage of the naiveite and/or lack of vigilance of security analysts in the field.

Scammers will send reports known as bug bounties stating security vulnerabilities in a machine. The fraudster might claim it’s missing security credentials or necessary security software.

These often come as unsolicited phone calls or computer notifications and might sound convincing and well-intentioned, claiming they can solve all the vulnerabilities in the electronics if recipients buy the report.

Compounding risk

These engagements aim to extort money — and in the most severe circumstances with more advanced cybercriminal tactics — infect computers or steal data. Security analysts should be on high alert. Unless it’s someone from within an organization or part of a company’s employed team, a best practice is to second guess any experts claiming they have cybersecurity advice.

What may appear to be a legitimate cybersecurity query, may in fact be designed to flush out and exploit security in the system. Caution is the order of the day.

Amos

Fake bug reports can combine with other security threats to compound their impact. For example, they could also implement clickjacking — including false, actionable buttons or links that tempt unaware email recipients to redirect to malicious content.

Falling victim to a bug bounty can prove fatal to an organization’s cybersecurity risk assessment because accepting a deal informs cybercriminals that a company lacks security know-how. Ignorance like this invites subsequent attacks — probably in other forms — to coax more money out of the business.

These scammers are a security threat to honest, ethical hackers. They claim to be white hat hackers, which delegitimizes the services of trained and well-intentioned professionals. Companies undergoing multiple scams could eventually become distrusting of the industry entirely, developing complacency in a holistic cybersecurity strategy.

Best practices

Companies can instill bug bounty programs designed to incentivize independent white hat hackers to discover and responsibly report software vulnerabilities not on their radar. Recently, Salesforce has highlighted the issue, stating it had received over 4,000 bug reports in 2021 — so it’s invested millions in bug bounties.

As due diligence, businesses can seek the help of third parties or secure vulnerability tools to analyze the validity of a bug report. They can also formulate internal procedures for responding to vulnerability notices, such as who to contact in case of discovery and how triage looks. Training should be required to identify red flags so teams can discern between real and fake reports.

A legitimate, factual report will be specific and explain the ramifications of not adhering to the suggestions. The situations mentioned in the report will apply to particular systems in an organization, using precise terminology that aligns with a company’s established infrastructure. Vague language like “vulnerability” and “gap” to explain the issue is a tell the bug bounty is bogus.

Plus, companies can always search for copies of the bug reports online to see if the text looks like templates other businesses have received.

Another best practice is to always run bug bounty solicitations past trusted parties. No matter how knowledgeable or confident the offer sounds, the stranger is just trying to use others to exploit their own tech for a criminal’s gain. Fake bug reports are becoming rampant, and taking measures to stay safe and aware is crucial for personal and professional data.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

Small and medium-sized businesses are facing immense security challenges and these are the same as those of mid-size or larger enterprises.

Related: Myths about safe browsing

Clearly, SMBs need to be alert for cyberattacks, but they also need to stay focused on their business and not sacrifice productivity.

Organizations are confronted with a severe security threats landscape, and it is critical that they have the ability to prevent, detect and respond to these threats in a timely manner. Hence, using a threat prevention and detection solution that doesn’t disrupt day-to-day operations while providing early warning and stopping potential threats before they escalate is essential.

Our dependence on technology has grown and so has the number of ways that criminals can exploit vulnerabilities to gain access to sensitive information or disrupt critical systems. Today, businesses of all sizes must be vigilant in protecting their data and infrastructure from a wide variety of threats, including malware, phishing, and denial-of-service attacks.

While the threat landscape is constantly evolving, there are a few trends that we are seeing in the modern cybersecurity landscape:

•Increased use of AI and automation by attackers.

•A shift from traditional malware to ransomware.

•An increase in sophisticated phishing attacks.

•A rise in targeted attacks against specific industries.

Threat detection solutions can be used to protect against both known and unknown threats, and can be deployed as part of a simple or comprehensive security strategy, since some of their most significant benefits for an SMB or larger enterprise are:

•Quick identification and classification of threats, allowing businesses to respond in real-time and thus reducing the chances of a data breach or other security incidents.

•Advanced analytics to reduce false positives, giving businesses peace of mind that their security systems are working as intended.

•Centralized management, which simplifies identifying and responding to threats across an organization.

Leveraging AI

The market has shifted – I am currently seeing strong demand for the ability to reduce time spent on removing threats. Hence, the advancements being done to pre-analyze data for the operator are a big shift in what the market is trying to achieve.

Kjaersgaard

There are a number of different factors that have contributed to this shift, including the rise of sophisticated cyberattacks, the growing importance of your data security, and the need for your organization to be able to respond quickly to incidents for compliance. As a result, there is an increased demand for threat detection solutions that can provide faster and actually effective responses to threats.

Moreover, one of the most important trends in threat detection is the move toward artificial intelligence (AI). AI-powered solutions are able to quickly identify patterns in data that may indicate a security breach. They can also rapidly respond to threats, often before humans even realize there is an issue.

Another trend is the use of cloud-based solutions. Cloud-based threat detection solutions offer a number of advantages over traditional on-premises solutions, including lower costs, scalability, and easier management – all of them being strong requirements from SMB-sized organizations.

Role of managed services

Finally, many vendors are now offering managed security services that include threat detection as part of a consolidated package. This can be an attractive option for SMBs that don’t have the resources to invest in their own security team or infrastructure. EDR, NDR, XDR and MDR are all great alternatives that SMBs can choose to strengthen their security posture.

For SMBs that want control in their own hands and cannot afford SIEM/SOAR solutions, Heimdal is launching a groundbreaking new technology with our Threat-hunting and Action Center, which will open up a new category in the cybersecurity market and combine four key elements under one unified roof: detection, visualization, threat-hunting, and remediation. These attributes combined with Heimdal’s solutions will enable the tool to serve as a single point of contact for risk management.

Our upcoming product is powered by Heimdal’s XTP (eXtended Threat Protection) engine to provide real-time visibility, rich intel, contextual awareness, and data to identify, protect and react to sophisticated threats, in a very easy-to-use and fast action environment.

SMBs can stay ahead of the curve. The key is effective threat detection, which requires the right tools in place for your specific environment and needs. Thus, you can leverage the latest advances in threat detection and protect your business from a constantly evolving security threats landscape.

About the essayist: Morten Kjaersgaard is CEO of Heimdal Security

As the world becomes more digital and connected, it is no surprise that data privacy and security is a growing concern for small to medium sized businesses — SMBs.

Related: GDPR sets new course for data privacy

Large corporations tend to have the resources to deal with compliance issues. However, SMBs have can struggle with the expense and execution of complying with data security laws in many countries.

Organizations with 500 or fewer employees have many positive attributes, such as their ability to make fast decisions and avoid bureaucracy that can slow down larger enterprises. But this same characteristic can also be a disadvantage, as SMBs often lack the resources and expertise to keep up with complex regulations.

Let’s look at some of the challenges faced by SMBs in today’s data privacy landscape.

Scarce resources

It’s often difficult for small businesses to invest significantly in data privacy compliance or security measures because they don’t have large budgets. In fact, many SMBs have to choose between investing in new technology and making payroll. This can make it difficult for them to keep up with the latest security measures and technologies that could protect their data or prevent a breach.

Damodaran

An SMB may not have the time or resources to properly implement the robust security policies and procedures needed to comply with numerous regulations. That means there will likely be gaps in their data protection measures that could leave them vulnerable to cyberattacks.

It should be no surprise that data security regulations are on the rise. There is increasing regulatory pressure on SMBs to protect their employees’ and customers’ sensitive data. For instance, any direct contact with European suppliers, partners or customers requires taking steps towards complying with GDPR regulations.

DPIA starting point

A  Data Privacy Impact Assessment, or DPIA, is a formal assessment of the privacy risks of your data processing activities. The purpose of conducting a DPIA is to identify and assess the potential impact of these risks on individuals’ rights and freedoms from your proposed processing operations.

A DPIA requires a thorough review of any personal data collected and stored, including who specifically controls the data and who has access at any given time. It also takes into consideration the reasons why the data was collected in the first place, and examines the reasons why personal data is stored; in short it examines  numerous parameters related to collecting and holding personal data.

Paths to compliance

By performing this type of assessment, businesses can better understand their responsibilities for protecting personal information, as well as assess their ability to do so. This should naturally lead to an SMB putting plans in motion  to achieve compliance —  by embracing robust cyber hygiene policies and procedures.

There are many kinds of tools and services that can help any SMB down this paths. The core idea is to help the company continually improve how it monitors  data flow and trains staff to be alert to cyber threats in order to identify suspicious network  activity — before it becomes a problem.

Data protection is an ongoing process. DPIAs can get an SMB off to a good start. But maintaining a security posture that not just meets compliance but effectively protects the organization over the long run is a never ending task. It’s important to continually assess security posture and take corrective action when necessary.

Neumetric helps organizations perform DPIAs as well as numerous other types of cybersecurity and cyber risk assessments, in addition to security awareness training for employees. Our services revolve around helping organizations achieve security compliances and certifications such as EU GDPR Compliance.

About the essayist: Bipin Damodaran is a Certified Ethical Hacker and a member of the security team at Neumetric, a cybersecurity vendor that helps organisations bolster  their information security by creating a secure  operating environment.

 

In golf there’s a popular saying: play the course, not your opponent.

Related: How ‘CAASM’ closes gaps

In an enterprise, it’s the same rule. All areas of an organization need to be free to “play their own game.”

And  when malware, ransomware, or other cyber threats get in the way, the focus shifts from forward progress to focused co-operation. A security strategy should clear obstacles and enable  every part of a business operation to run smoothly.

Smarter security is the rising tide that lifts all ships. As all parts of an organization overlap with security, an increase in one allows benefits in others.

Departments such as support, manufacturing, design, services, and delivery are enhanced by smart security measures, which allay distracting setbacks and increase the overall inertia. This leads to revenue gains and positive customer outcomes.

What constitutes “smarter security?” Smarter security to me broadly refers to relentlessly focusing on fundamentals while maturing the program, making sure your risk posture aligns with your business strategy.

Complexity challenge

The complexity that has abounded in the past few years has left us more connected and data-driven than ever before. Business initiatives demand faster, more efficient outcomes and technology responds. However, security – the often overlooked and undervalued visitor – is struggling to communicate across the table.

When it comes down to it, C-level goals and CISO initiatives are not all that misaligned. We all want fast, powerful, capable tools that can launch our business into the future with its best foot forward. And we all want to avoid breaches and PR failures in the process.

However, enterprises often experience a disconnect between business objectives and security guidelines. It is in this disconnect that cybercriminals find opportunity.

Reffkin

The attack surface is expanding relentlessly and exponentially, while security initiatives aren’t ingrained into every department’s daily operation. The need for reset and oversight is so great that a new class of technology is emerging to give organizations a better grip on the digital sprawl that’s come to define modern-day enterprise architecture.

Gartner refers to it as “CAASM,” or cyber asset attack surface management. The concept of focusing on your attack surface is a good place to start if struggling to find where to begin.

This smarter form of security fills a glaring gap in today’s solution-saturated market; strategy, and the strategy that can only come from getting a full view of the course.

Automated offense

Smart security also means doing more with less so the company as a whole can run lean. This means secure file transfer solutions, so you don’t waste time with slow encrypting protocols. It means anti-phishing tools so your teams can open emails without needless hesitation or risk.

It also means offensive security measures and vulnerability management so your team can fix problems before they can be exploited and derail operations.

Automating the security tasks of an organization – or hiring out when necessary – keeps those basic hygiene concerns out of mind and allows a business to perform at its best. When done right, a smarter security strategy is unseen.

As I’ve mentioned before, the issue of security is essentially a problem-solving one. These are not security problems for security’s sake. They are fundamentally business problems that rely on security to solve them.

How do we innovate and stay ahead of the competition without our speed backfiring and creating more bugs? How do we take time to manage vulnerabilities in our CRM when we’ve promised 24/7 customer care that relies on it? How can we accomplish our CEO’s vision for full process automation when we’re still transitioning to the cloud – and are unfamiliar with the security terrain?

Smarter security measures mean more subtle, intuitive, predictive solutions that can grease the wheels for whatever a fast-thinking enterprise can come up with next.

Sometimes the issue is resources. Part of problem-solving is examining the trouble spot from all angles. Managed solutions can help. Data Loss Prevention can lift the strain of vigilance and increase security in the workflow.

The overall trend is this: technology, progress, and change are driving the business objectives of today, and “smarter security” solutions are ones that can keep up, stay out of the way, and enable all aspects of a business to perform at their top level.

About the essayist: Chris Reffkin is chief information security officer at cybersecurity software and services provider Fortra. He has deep experience implementing and overseeing security strategy for a myriad of top-tier organizations.

At the start of 2023, consumers remain out in the cold when it comes to online protection.

Related: Leveraging employees as human sensors

Malicious online actors grow ever more sophisticated, making cybersecurity as big a concern for everyday consumers as it ever has been.

These days, ordinary people are facing increasing—and more complex—threats than ever before. For example, ReasonLabs researchers recently uncovered a scam that used stolen credit cards and fake websites to skim monthly charges off of unsuspecting consumers.

Because of scams like this, it is vitally important for individuals and families to be aware of their potential exposure to cybercriminals, and to take proactive steps to protect themselves.

There are many ways in which we can be exposed to potential cyberattacks. For instance, phishing, one of the most common, is a social engineering attack used to steal user data. Cybercriminals can pose as someone the victim knows and trusts, and request credit card details or login credentials.

Sometimes, they will even ask the victim to buy gift cards, which they then redeem. 2021 saw a massive increase in phishing attacks, and that trend has continued into 2022. Even events like the World Cup are being used by cyber criminals to target unsuspecting victims through things like fake streaming sites designed to steal private information.

With the rise in social media, criminals have more platforms with which to target potential phishing victims. Since many people use the same passwords across social media platforms and for sites for banks or credit cards, a criminal needs access to just one account to gain access to every account.

Even if 99% of all phishing attacks are ignored, all it takes is one successful attempt out of thousands to do serious harm. It can cost a company millions of dollars, or lead to individual identity theft and invasion of privacy.

Cybercriminals often target the young. Even if you think you’re not susceptible, your child may not be as knowledgeable. Criminals who can infiltrate your children’s device through things like ‘free’ games, ringtones or other files that hide malware, can gain access to your entire family’s devices.

With more and more people working remotely, unsecured home or public WiFi networks represent a security risk not only to individuals but to their companies as well. Since many people are now working from home at least partially, vulnerabilities at home are vulnerabilities at work, and threaten to put a company’s data at risk. Unsecured Wi-Fi in the home can present a way for criminals to gain access to secure business data.

Cyber hygiene basics

Despite all the threats, there are many ways you can protect yourself, your family, and your business. To begin with, keep all software across your devices updated to the latest version. This includes antivirus software, operating systems, and individual apps. Don’t ignore upgrade notifications—they are often for security reasons, based on specific threats from bad actors.

Be careful when using your credit card information on unfamiliar shopping sites. Make sure those sites are legitimate before handing over your money. If something doesn’t feel right, it probably isn’t.

Be aware of phishing attempts via email or text messages. Never click on suspicious links or respond to messages from senders you don’t know. Phishing attempts can be very sophisticated, so be sure to thoroughly analyze every message—including the email address that sent it to you—before you respond.

And it’s important to remember that no legitimate merchant, bank, or government agency will ever ask you for password or credit card information by text message or email, so don’t be fooled by a message that pretends to be from a store, your bank or from the IRS.

Protect your privacy by investing in tools that help protect you and your online activity. For example, it’s crucial to install an antivirus solution that automatically defends your digital devices from cyberattacks by predicting, preventing, and addressing them in real time.

Security tools and services

ReasonLabs offers an industry-leading antivirus solution, RAV Endpoint Protection, which provides a defensive bulwark against any and all malicious activity users face across their personal devices—from viruses and malware, to ransomware, phishing and other cyber risks.

Kalif

You can also invest in a virtual private network (VPN) for use when you are connected to a public network. VPNs route your data through secure servers and networks to protect your personal information from prying eyes. ReasonLabs’ RAV VPN enables users to confidentially and securely browse the internet anywhere in the world.

With so many threats out there, it may seem overwhelming. But by taking steps to protect your personal information, like keeping your software updated, and by being vigilant about clicking on suspicious links, or responding to messages from unknown sources, you can protect yourself.

Cyberattacks are getting more sophisticated by the day, and it’s crucial that you recognize some of the telltale signs of malicious activity so that you can keep yourself and your family safe.

About the essayist: Kobi Kalif is co-founder and CEO of ReasonLabs, a Tel Aviv, Israel-based supplier of advanced EDR platform services.

For the average user, the Internet is an increasingly dangerous place to navigate.

Related: Third-party snooping is widespread

Consider that any given website experiences approximately 94 malicious attacks a day, and that an estimated 12.8 million websites are infected with malware. So, in response to these numbers, users are seeking ways to implement a more secure approach to web browsing.

Generally, there are basic practices individuals can take to strengthen their cybersecurity while browsing the web. However, such prevailing rudimentary practices have fostered a degree of naivety, and certain myths have arisen about the security and effectiveness of these practices.

Implementing basic cyber hygiene practices often makes users think they’re immune to infection. This in turn makes users complacent, which allows them to be exposed to malicious malware when least expecting it.

Common misconceptions

There are a variety of myths regarding safe web browsing. Most of these have to do with preventing malware from infecting your device. Malware is any kind of software designed to interfere with your device or network, whether it’s gaining access to your protected data or disrupting your systems to bring them to a halt.

The prevailing misconceptions include:

•You can only contract malware or viruses through downloads.

We’ve been conditioned to think that by avoiding suspect attachments or downloads, we’re totally in the clear. However, you can be exposed to malware through multiple mechanisms, including by simply visiting a website. The malware on the website can test for vulnerabilities on your browser in order to infect your device. No attachment needed. 

•I only browse trusted sites, so I shouldn’t be concerned about malware infections.

Malware can be hosted on any site, no matter how secure or reputable it is. Moreover, the vast majority of malware is actually deployed on trusted websites. One study found that 75 percent of supposedly trusted websites have vulnerabilities that leave them open to malware infections.

I frequently clear my cache, so third-party data collectors can’t collect and sell my personal data.

Well, having a cache to clear out means your default browser setting is to allow cookies. The cookies are still tracking your activity across websites and gleaning data from you moment by moment. Unless you’re clearing your cache by the minute, third-party data collectors are gaining plenty of insights into your behavior. Moreover, malware and viruses can also be disguised as cookies; once they’ve infected your device, clearing your cache is useless.

•Incognito mode protects my personal information from bad actors.

Going “incognito” doesn’t actually make you incognito. For one, while incognito mode blocks cookies and browsing history records, it doesn’t hide your IP address. This means you can still be easily identified. Furthermore, once malware is installed on your device, it’s still tracking your activity and stealing sensitive information, even in incognito mode.

Steps to safe browsing

If you want to browse safely, you need to take control and inform yourself of the reality of the threats. Afterwards, you can develop realistic mitigation strategies.

Effective, routine practices to establish include frequently updating your web browser to keep pace with the latest security updates; adjusting your browser’s security settings to disable third-party cookies; and enabling multi-factor authentication to access your accounts.

Levitt

You can also utilize Google’s Safe Browsing as another tool in your security arsenal. Every day, Google scans billions of URLs looking for unsafe websites, and many of those it flags are legitimate sites that have been compromised. The safe browsing feature then works on two fronts: the search engine tells you if it suspects a website in its results is infected, while the Chrome web browser alerts you anytime you visit a potentially infected or unsafe site.

However, by using safe browsing, you’re also sharing more personal data like browsing history with Google so that the company can validate what’s safe, and this has far-reaching implications for user privacy.

A more secure way to protect your online activity and personal information is through ad block extensions; any good ad blocker also prevents data analytics, user attribution, and third-party cookies. Moreover, by not displaying advertisements on the page, ad blockers reduce the attack surface area, limiting the areas where you can be infected with malware.

In all, though, while completely safe web browsing may seem unachievable, you can implement a variety of privacy-preserving tactics and best practices to improve security and protect your data. Remember: no matter where you stand currently, you can always be a little safer.

About the essayist: Michael Levitt is the CEO of Tempest a supplier of innovative browser privacy products that ensure user safety across every touchpoint online.

The 2020s are already tumultuous.

Related: The Holy Grail of ‘digital resiliency’

Individuals are experiencing everything from extraordinary political and social upheaval to war on the European continent to the reemergence of infectious diseases to extreme weather events.

Against this unsettling backdrop, citizens, consumers, employees, and partners will look to organizations that they trust for stability and positive long-term relationships.

Not every organization knows how to cultivate trust, however, or that it’s even possible to accomplish. As a result, in 2023, specific industries that normally experience healthy levels of trust will see major declines in trust that will take years to repair. Others will buck historical trends just to simply maintain their current trust levels.

Organizations should take into account the following predictions as they plot out the next steps of their trust journey in the year ahead:

•Trust in consumer technology will decline by 15 percent.

Over the past three years, technology has proven critical to consumers’ daily lives — from remote working and home-schooling to entertainment and e-commerce. Technology firms experienced unprecedented popularity because of this.

This honeymoon is coming to an end, however; expect to see trust in consumer technology companies declining by 15 percent in 2023. Regulatory crackdowns on poor privacy practices, continued supply chain issues, and ongoing challenges in retaining talent will all impact consumers’ sentiments negatively.

When consumers trust a brand less, they also lose trust in other businesses associated with it. This is the time for firms to map their value chain, assess trust fluctuation across their ecosystem, and be ready to act to safeguard trust.

•Half of firms will use AI for employee monitoring — battering employer trust.

Iannopollo

Forrester finds that around the world, employees trust their employer more than their colleagues. For example, 60 percent of US employees trust their colleagues while 64 percent trust their employer. Expect this trend to invert by the end of 2023 as employers overstep their bounds with the use of AI to monitor work-from-home productivity.

For those that choose to collect personal information from employees to measure performance, the data is grim. In 2022, Forrester finds that 56 percent of employees whose employer collects their personal information to measure performance are likely to actively look for a new opportunity at a new organization in the next year — 14 percentage points higher than the average.

Firms seeking to lead in employee experience must eliminate outdated notions of “time spent” and instead focus on outcome-based performance measurement.

•Banks will lose consumer trust in a period of economic turmoil.

In 2022, consumer trust in banks fell for the first time in several years. Additionally, Forrester data reveals that only 54 percent of US consumers believe their bank exhibits the trait of empathy.

As the economy continues to flash warning signals, consumers’ ire and resentment toward their bank will make it even harder to earn trust. Because of this, trust will decline for most banks.

To maintain consumer trust in 2023, banks must lead with empathy and take a data-driven approach to earning trust with concrete, targeted steps that can help them navigate the cost-of-living crisis.

•People’s trust in government will increase in the US.

Trust falls when governments are no longer able to create a better future for their people. In 2023, the US will buck historical trends that saw trust shrinking by building on dependability as a core lever of trust, as well as by investing heavily in such other key trust levers as accountability, competency, and transparency. For example, President Biden’s Management Agenda is doubling down on the combined power of customer and employee experience.

•Three-quarters of Californians will have asked firms to stop selling their data by the end of 2023.

Privacy continues to be a critical consumer value. According to Forrester, 47 percent of Californian online adults have exercised their CCPA right to ask companies to stop selling their data, while 30 percent have asked companies to delete their data.

As the privacy discussion takes center stage in the US over the next 12 months — especially given the potential for new federal legislation and the enforcement of existing state-level legislation — consumers’ privacy activism will continue to grow.

Now is the time for organizations to shore up their privacy and data protection programs and require that all new products, services, and experiences are private by design.

Companies understand that trust will be critical in the next 12 months and more so than ever before. Companies must develop a deliberate strategy to ensure that they gain and safeguard trust with their customers, employees, and partners.

Measuring trust in their brands, engaging line-of-business owners and other leaders to identify key initiatives (with regional variations as necessary), and setting a realistic time frame are all fundamental steps that they must take to get started on this important journey.

About the essayist: Enza Iannopollo is a principal analyst on Forrester’s security and risk team and a Certified Information Privacy Professional (CIPP/E). Her research focuses on compliance with data protection rules, privacy as a competitive differentiator, ethics, and risk management.