Who’s Responsible for Your Security?
Antivirus, malware protection, email security, EDR, XDR, next-generation firewalls, AI-enabled analytics – the list of protective controls and vendors appears to go on forever. Each day, bad actors discover new attack vectors that provide them with new roads to create chaos and destruction. News of data leaks, breaches and exposures has reached the point where it leaves most people numb and apathetic. How many of you have received free “identity monitoring” services due to the release of some aspect of your personally identifiable information (PII) into the wilds of the internet?
One would be too high a number, let alone the billions of accounts compromised over the years.
There are now over 100 digital accounts for every single physical user; for business users, that number can grow exponentially. Every one of those accounts is another opportunity for exposure. Every account adds more and more copies of us online. We continue to act as if the physical and digital worlds exist independently, yet they are already entirely entwined. There is no ability to separate the ramifications of events in the digital world from affecting our lives in the physical one.
If a credit card is compromised in the digital world, the effects are felt in the physical. If a crypto wallet is compromised in the physical world, the effects are seen in the digital.
There was a time when data breaches were the headline news on every channel. Now, the most likely places to read about breaches are in the financial section or tech websites. We have become desensitized to the compromise of our accounts and identities – it’s happened so often that we have forgotten how valuable that privacy is. Everything from financial information, Social Security numbers, medical data and biometrics, along with every conceivable piece of information nobody would want to be released, is all out there. Unlike passwords, keys or tokens, much of this data can never be changed. There is no modifying historical PII, no changing medical records or biometrics – once compromised, always compromised.
The Expanding Threat Landscape and BYOD Policies
The push for Bring Your Own Device (BYOD) policies has expanded the attack surface beyond the perimeters of businesses and turned employees into potential attack vectors.
The global BYOD market reached 64.6 billion dollars in 2023 and is expected to grow to 198.2 billion dollars by 2032, with a compound annual growth rate (CAGR) of 13% between 2024 and 2032. There was a time when access to most corporate networks required a minimum of a VPN; now, in this new cloud-blended world, an OTP is needed… (sometimes). Security practitioners and vendors will scream from the rooftops about advanced persistent threats (APTs) and how ransomware and extortionware can only be stopped by their product of the week. Companies have changed their stance on security to the demand for progress, deadlines and results.
The attacks are just going to keep coming, so sustaining from moving off the grid and abandoning all technology and modernizations, most will look to the next shiny solution to take care of their security. What software must be purchased to protect individuals, families, businesses and governments? Is it the new AI-enabled scanner or the latest updates from the antivirus? Who should get the blame in the event of a compromise or exposure of personal data?
Bells and whistles features rarely equate to additional protections and security. Why not start by looking in the mirror?
The Role of Security Solutions and Personal Responsibility
Collectively, we have all left the job of protection to something or someone else. The digital world we all navigate is filled with digital pitfalls at every turn. Holding to the old castle and moat methodology and “Keeping all the bad guys out” no longer works.
The vendor should have protected me…
The ISP should have been watching…
The firewall should have blocked it…
The supply chain was hacked…
You’re compromised. At this point, does it matter?
I have said for years that security is a team sport – it’s not something that can be done alone. Security starts with self, maintaining constant awareness of one’s entire identity, both physical and digital. Awareness of how a single compromise can cause multiple levels of collateral damage. Attacks are the culmination of one control failure after another. An employee’s device is compromised, allowing attackers to compromise BYOD and access corporate resources.
Using the hotel WiFi is easier than using the slow speed on my hotspot…
There are actions that everyone can take to improve their security viability, from the simple act of turning off WiFi when not in use to staying on top of application and operating system updates. Each act of prevention helps to stop the propagation of malicious code. As the world faces new threats like deep fakes and artificial intelligence, we need to be reminded that our identities and privacy are the most important things in the world and be willing to fight for them. We must stop accepting that breaches and leaks are just “Part of doing business.”
Five Practical Security Tips for Business Protection
To help enhance your organization’s security posture, consider implementing these five practical tips designed specifically for business environments:
1. Always turn off WiFi on mobile devices when outside the range of your WiFi network. This stops WiFi-based attacks that can compromise the device, leading to access to corporate assets in BYOD.
2. Stay up-to-date with security and application updates. Keeping your devices updated closes vulnerabilities that have been discovered and can be exploited to gain access to devices or data.
3. Use a VPN whenever accessing the internet from untrusted networks. Untrusted or public networks can allow attackers to port scan any devices on the network. If applications are not updated, bad actors can take advantage of known vulnerabilities. Additionally, VPNs provide secure encryption between the device and the internet, meaning any sniffed communications would be unusable by adversaries.
4. Carefully review permission requests for all applications before installing. Yes, scrutinize those end user license agreements (EULAs). Many applications, especially mobile apps, may ask for permissions unrelated to their function. For example, why would a game need access to contacts and phone history? Both Apple and Android regularly audit applications for over-reach of permissions.
5. Utilize antivirus and anti-malware on all devices, including mobile and desktop. All connected technology is susceptible to attack: desktops, servers, laptops, mobiles, IoT, Windows, Mac, Linux – you name it. Taking advantage of protections, even on devices that may not be the most targeted, will provide an additional layer of defense and should be used wherever possible. Most would never connect a laptop to the internet without complementary controls – all connected devices are targets.
Who’s ultimately responsible for your security?
You are.
Len Noe is CyberArk’s resident Technical Evangelist, White Hat Hacker and Transhuman. His book, “Human Hacked: My Life and Lessons as the World’s First Augmented Ethical Hacker,” releases on Oct. 29, 2024.
Editor’s note: To hear from Len about his transhuman identity, his bio-implants and his journey from black hat to ethical hacker, you can listen to his new Trust Issues podcast guest appearance in the player below and on most major podcast platforms.