Beyond the annual reminders and heightened focus on cyber hygiene during Cyber Security Awareness Month, new threats are emerging, spurred by the rise of AI-powered cyberattacks and increasingly sophisticated phishing tactics. Experts in the field argue that simply being aware of these dangers is no longer enough—action, innovation, and real-world preparedness are what will define the future of cybersecurity.
Phil Hay, Research Manager at SpiderLabs, Trustwave, emphasizes the urgency of evolving security measures in response to modern threats. “Guarding against nation-state and criminal email attacks amid new global threats has never been more critical. With the rise of AI-powered attacks, organizations must stay vigilant, especially as the world prepares for high-profile events like upcoming elections,” says Hay. He points out that while traditional layered security is still necessary, defenses need to be more agile and capable of adapting in real time. According to Hay, understanding your organization's specific threat environment, regularly training employees, and integrating cutting-edge tools alongside legacy systems can make a critical difference in staying ahead of these threats.
Hay's top email security recommendations focus on implementing robust measures such as Multi-Factor Authentication (MFA) and Secure Email Gateways (SEG), as AI-assisted phishing campaigns become more prevalent. He references a Microsoft study that revealed 99% of compromised accounts lacked MFA, underlining its importance. In addition, Hay advocates for practices like double verification for financial transactions, annual security training to combat increasingly convincing phishing attempts, and clear policies regarding file types like executables or macro-enabled documents—all of which can mitigate the risks posed by AI-enhanced attacks.
The convergence of new technologies and cyber threats also brings into focus another issue: the widening cybersecurity skills gap. Karthik Swarnam, Chief Security and Trust Officer at ArmorCode, believes that the solution lies in early education and practical training. "Cybersecurity isn't just an issue for businesses; it’s a growing societal challenge. The earlier we engage students, the better, yet we’re simply not doing enough right now," he warns. Swarnam has firsthand experience in helping close this gap through initiatives like the Security Advisory Alliance in Chicago, which aims to introduce students from inner-city schools to cybersecurity through mentorship, labs, and hands-on learning opportunities. "Not only do these efforts build a foundation of cybersecurity knowledge, but they also help companies cultivate a diverse, skilled pipeline of talent," he adds.
Swarnam advocates for expanding beyond traditional educational pathways by emphasizing experiential learning, internships, and certifications. He explains that trade schools and technical colleges offer useful programs that provide students with practical, real-world skills—not just theoretical knowledge. "If the cybersecurity skills gap has taught us anything, it’s that traditional college degree pathways alone aren’t enough to meet industry demands. Certifications and hands-on experience can often be just as valuable—or more so—than a four-year degree," says Swarnam.
But while the focus on developing future talent is essential, companies today are grappling with another pressing problem: the fatigue of employees dealing with relentless phishing and social engineering attempts. Al Pascual, CEO of Scamnetic, challenges the effectiveness of traditional cybersecurity awareness training in its current form. "It’s Cybersecurity Awareness Month, but let's skip all the cliches and get down to brass tacks: your cybersecurity awareness training isn't working," Pascual states bluntly. "Employees still get phished or scammed, leading to fraudulent payments, or worse yet, a foothold for ransomware attacks."
Pascual argues that expecting employees to scrutinize every email or communication they receive is both inefficient and ineffective. "Just as we worry about security analysts getting alert fatigue, our employees are getting educational fatigue. They cannot be expected to interrogate every communication accurately all of the time. It is inefficient and ineffective. We automate everything else—why not this?" he adds, urging companies to explore automated tools that can ease the burden on employees while enhancing security defenses.
This Cybersecurity Awareness Month, it's clear that the focus must shift beyond simply making employees aware of cyber risks.
Comentarios