Blog | October 31, 2024

Cybersecurity Awareness Month


As Cybersecurity Awareness Month comes to a close, the team at Black Hat wanted to share a few recommendations and resources to keep in mind that don't only apply each October, but can be utilized year-round to help keep your online safety top of mind.

History of Cybersecurity Awareness Month

For background, Cybersecurity Awareness Month officially began in 2004 (source: Cybersecurity and Infrastructure Security Agency: https://www.cisa.gov/cybersecurity-awareness-month) and stemmed from the need to promote and increase awareness around cybersecurity. Since that time, many organizations have added this month to their companies' calendars and use this observance as a time to share reminders and refresher training courses with their teams.

Regardless of an organization's size or industry, cybersecurity must remain a priority. The resources that prove most useful will vary with an organization's knowledge, needs, and size, but a wide range of them is available to help teams and individuals stay current on the latest developments in cybersecurity.

Cybersecurity Resources

These resources range from in-person events, On-Demand courses, hands-on practical labs, articles, and networking groups to recommendations from those with firsthand knowledge of all things cybersecurity.

One specific example of an in-person resource is the Black Hat event series. Black Hat events are annual, multi-day events that provide attendees with the latest in cybersecurity research, development, and trends. They showcase content directly from the community through Briefings presentations, Trainings courses, Summits, and more. As the event series where all career levels and academic disciplines convene to collaborate, network, and discuss the cybersecurity topics that matter most to them, Black Hat holds events in the United States, Canada, Europe, the Middle East and Africa, and Asia.

In addition to the in-person component of Black Hat events, attendees can also find Black Hat On-Demand Trainings available year-round, via a virtual platform. These Trainings offer flexible and self-paced learning that can be taken from anywhere in the world. To find out more about the Black Hat On-Demand Trainings that are currently available (and with more to come), please visit www.blackhat.com/trainings/on-demand.html.

As previously mentioned, helpful resources can also be found by means of recommendations. When it comes to cybersecurity recommendations in honor of Cybersecurity Awareness Month, we've enlisted some of our industry friends from Dark Reading, Omdia, and the Black Hat Europe Review Board.

For this month, they've shared their observations around Cybersecurity Awareness Month, including the recommendations they'd give to individuals and organizations, the advice they'd give their younger selves about the state of cybersecurity today, recent research data on cybersecurity findings, and examples of resources that may help those who want to learn more about cybersecurity. Their responses are below.

Advice from Dark Reading

Fahmida Y Rashid, managing editor, features for Dark Reading, shared, "One thing that has changed about Cybersecurity Awareness Month over the years is the fact that for many people, October is no longer the first time they are hearing about cybersecurity awareness from the organization. More and more organizations are pushing out regular reminders and delivering training materials throughout the year. Many organizations are responding to recent social engineering attacks by enabling multi-factor authentication on critical accounts and services. We have survey data from our audience showing that organizations are successfully blocking, or minimizing the impact of, social engineering attacks. But even so, there is a lot we can do better. In a recent Dark Reading poll, less than a quarter of our readers said they thought their organization's security program is 'just fine as it is.' Organizations should be thinking about different ways of delivering training material, or incorporating material other than just password security and phishing training. Threats are evolving, and so should cybersecurity awareness training."

Advice from Omdia

Hollie Hennessy, Principal Analyst, IoT Cybersecurity at Omdia shared, "One of the most common cybersecurity issues for consumers is scams. As an example, in Singapore, millions of dollars are lost to scams–whether through social engineering, or malware-enabled. Scams have proliferated social media too, including Facebook, Instagram, and LinkedIn. While the government, banks, and device makers are working to address issues like this, Cybersecurity Awareness Month is a good time to think about vigilance throughout daily life. Mobile devices have put everything in the palm of our hand, even our financial transactions. Malicious applications are somewhat easier to install on Android devices than Apple–regardless, consumers should be wary of anyone telling them to download an application, especially if they are asking for payment without receiving any services."

Hennessy also noted, "Omdia's research suggests that cybersecurity maturity–at least for cyber-physical assets–isn't quite where it needs to be. Omdia's Cybersecurity Decision Maker Survey 2024 highlights [that] only 37% of organizations are confident that their business could continue to operate efficiently in the event of a cyber-physical system compromise–yet around a third do not have an adequate strategy for securing IoT [Internet of Things] devices."

Advice from the Black Hat Europe Review Board

Regarding three cybersecurity recommendations or actions they'd advise organizations and/or individuals prioritize, Daniel Cuthbert, Global Head of Security Research at Banco Santander, recommended the "adoption of MFA (multi-factor authentication), identity inventory management (what you are logging into, what authentication methods your staff are using, and whether they are all as secure as they can be [MFA, passkeys, etc.])," as well as "asking vendors for SBOMs (software bills of materials) of all the products you use. The more you know what they use, the more you can keep them on their toes."

Relating to what advice they would give to their younger selves about the cybersecurity industry today, James Kettle, Director of Research at PortSwigger, shared some advice on motivation and burnout. "There's a dangerous myth that to succeed in cyber, you need to commit every waking moment to it. If you have that kind of energy, then by all means, embrace it while it lasts, but if you try to force yourself, you'll be at risk of burning out. Don't stress if you feel this energy fading–try to understand what makes you motivated and align your work with this. Ultimately, if you have a balance of interests and don't attach your entire identity to 'success,' you'll be well-equipped to push through setbacks and challenges that would make others give up."

Kettle also maintains a guide on how to become a web security researcher, which can be found here: https://portswigger.net/research/so-you-want-to-be-a-web-security-researcher.

Anant Shrivastava, Founder of Cyfinoid Research, also shared some advice for those starting out in the cybersecurity industry. He shared, "The more you practice, the more you understand the system. Depth of understanding is what helps in overall growth," along with the recommendation that "while growing your career in infosec, [focus on] T-shaped skills: a broad understanding of a lot of topics, but a deeper understanding in one core area." He also advised that those new to the field "focus on language skills as much as [they] focus on technical skills." While the field involves technical work, it can also involve "presentations, documents, videos, blogs, and talks." With this in mind, "presentation skills (verbal or written or both) can help."

In addition to advice for those starting out in the cybersecurity field, Shrivastava also shared some steps that anyone can take now. He recommended separating "your online presence if you can: an email for personal connections, a different account for connecting with strangers, and a separate account for banking." He also recommended opting for passphrases over passwords and using a password manager.

For resources, Shrivastava suggested one of Daniel Miessler's blogs on building a career in cybersecurity, which can be found here: https://danielmiessler.com/p/build-successful-infosec-career.

To stay up to date on the latest updates from Black Hat events, make sure to visit www.blackhat.com.