THALES BLOG

Cybersecurity Month Checklist: Fortify Your Digital Defenses

October 24, 2024

Chris Harris Chris Harris | Associate VP, Sales Engineering More About This Author >

October is Cybersecurity Awareness Month, an international initiative that educates everyone about online safety and empowers people and businesses to protect their data from malicious actors. As tales of devastating data breaches and cyberattacks litter the headlines, the month reminds us that there are simple, effective ways to stay safe online, protect data, and ultimately help “Secure Our World” - the theme for this year’s event.

It also reminds us that with increasing cyber threats, organizations in every industry must prioritize robust security measures. Here are a few steps all businesses can take to do just that.

No Passwords, No Problem

Traditional passwords are often the weakest link in the security chain and are responsible for a surprising number of breaches. Attackers often exploit stolen or weak passwords to gain unauthorized access, so companies must adopt stronger authentication methods as a matter of urgency.

Passwordless authentication methods are making passwords obsolete, as they use biometric identifiers (like fingerprints or facial recognition) or hardware tokens. Passkeys, for instance, use cryptographic keys instead of passwords and provide a secure way to authenticate users.

Moreover, passwordless solutions improve security by minimizing the potential attack surface that passwords create, including phishing, brute-force attacks, and password fatigue. By implementing passwordless authentication, businesses can significantly lower the risk of credential theft and improve UX through frictionless authentication.

Sometimes, More is More

Because data is a critical asset for any organization, it’s a prime target for cybercrooks. Data encryption turns data into ciphertext that can only be read by those with access to a secret key, ensuring that it cannot be stolen, altered, or compromised. Yet, as quantum computing evolves, alongside employing encryption, businesses must also become crypto-agile—capable of adapting their encryption methods to meet post-quantum cryptography (PQC) demands.

Crypto-agile means that entities should scrutinize their current encryption strategies and be prepared to transition to new cryptographic algorithms that can withstand quantum attacks. Regularly updating encryption protocols ensures that data remains secure and compliant with evolving standards, such as the first three post-quantum encryption algorithms released recently by NIST.

Also, organizations should consider implementing a layered encryption strategy, encrypting data at rest, in transit, and during processing to provide overarching protection. Being proactive about encryption helps safeguard sensitive data against current and future threats.

Fix It Before They Find It

Vulnerabilities in software applications expose organizations to significant risks. Eight of the top 10 data breaches of 2023 were related to application attack surfaces, enabled by 25,059 recorded CVE vulnerabilities. These eight breaches alone exposed almost 1.7 billion records. Malefactors exploit these vulnerabilities to gain access to sensitive data, so regular application patching is critical for maintaining security.

A systematic patch management process keeps software and applications updated with the latest security fixes. Entities should prioritize patching known vulnerabilities, monitor for newly discovered threats, and automate patching wherever possible. Being proactive is the best way to mitigate the dangers of outdated software.

Besides patching, businesses should harden their ecosystem of applications by using web application firewalls to stop advanced attacks on hybrid and cloud-native environments and enable them to protect applications anywhere.

Behind the API Curtain

Application Programming Interfaces (APIs) facilitate communication between different software applications. However, they can also endanger the business if not properly managed. Companies must discover and inventory their APIs to understand where, by whom, and how they are used, as well as their potential vulnerabilities.

Once APIs are identified, strong authentication methods for API traffic are necessary. These might include token-based authentication, OAuth, or API gateways that enforce strict access controls. Regularly monitoring API traffic for anomalies can help root out potential attacks before they escalate. This is essential, as stated in Imperva’s State of API Security Report, 46% of all Account Takeover attacks targeted API endpoints.

Rate limiting and input validation can also help prevent API abuse and mitigate risks such as data exfiltration and distributed denial-of-service (DDoS) attacks. A comprehensive API security strategy keeps APIs functional and secure, facilitating seamless integration without compromising security.

Bots Behaving Badly

Bots are increasingly being used for both beneficial and malicious purposes. While many bots serve legitimate functions, such as automating processes, some are designed to carry out (automated) cyberattacks, including data scraping, credential stuffing, and DDoS attacks. Concerningly, bad bots account for nearly a third of all internet traffic, at 32%, with their volume increasing for the fifth consecutive year.

To protect against bad bots, entities should consider bot management solutions that can separate the wheat from the chaff to distinguish between legitimate and malicious bot traffic. Strategies might include using CAPTCHAs, monitoring traffic patterns, or harnessing the power of machine learning to identify and block suspicious activity.

Organizations should also regularly analyze their bot traffic to pinpoint trends and tweak their defenses accordingly. Understanding the evolving tactics of malicious bots is the first step to bolstering defenses and protecting digital assets from sophisticated attacks.

AI Fairness Begins at Home

As artificial intelligence (AI) becomes mainstream in businesses and is increasingly used for decision-making, the data used in these models must be governed properly. Data governance involves establishing policies and practices to ensure data quality, privacy, and compliance.

In the context of AI, organizations should pay special attention to the fairness of their algorithms. This means ensuring that training data used to develop AI models is representative and free from bias. Also, regularly auditing AI systems for bias and implementing transparent decision-making processes helps mitigate risks and build stakeholder trust.

AI outputs must be continually monitored to identify any unintended consequences or biases that could happen over time. A robust data governance framework is the first step towards enhancing the fairness and accountability of AI systems, ultimately leading to more ethical and trustworthy outcomes.

Stay Ahead of Attackers

As Cybersecurity Month encourages us to consider the importance of securing digital assets, organizations should adopt these simple best practices. This will help them protect themselves from the never-ending flood of cyber threats and fuel trust and confidence among their stakeholders.

As we observe Cybersecurity Month this October, let us commit to making cybersecurity a fundamental aspect of organizational culture.