Blog  •  October 06, 2023


A-Z Resources for Cyber Strong Companies During #CybersecurityAwarenessMonth and Beyond

Since we are in the business of helping organizations securely manage, share, and transmit sensitive information, there’s no better time than Cybersecurity Awareness Month to share information, resources, and mitigation strategies to help you better understand the latest cyberthreats, best protect your sensitive information, and help you strengthen your cybersecurity posture.

With a multitude of cybersecurity resources available, we curated some of the best, from A to Z:

Artificial intelligence (AI). Gartner defines AI as applying advanced analysis and logic-based techniques, including machine learning (ML), to interpret events, support and automate decisions, and take actions. AI now generally involves probabilistic analysis (combining probability and logic to assign a value to uncertainty).
Resource: FS-ISAC: Framework of an Acceptable Use Policy for External Generative AI

Business email compromise (BEC). BEC is a sophisticated fraud scheme targeting businesses that often attempts to utilize fraudulent wire transfers as a form of payment from a victim business to a bad actor, according to the United States Secret Service.
Resource: United States Secret Service: A Guide to Business Email Compromises

Cyberattack vector. This is the method used to conduct an attack. Learn how implementing a prioritized set of actions, called critical security controls, can help protect your organization and data from cyberattack vectors.
Resource: Center for Internet Security: CIS Critical Security Controls

Dark data. Information assets that organizations collect, process, and store during regular business activities, but generally don’t use for other purposes (log files, customer call center records, raw survey data). Dark data is often neglected by businesses but still holds notable value to bad actors.
Resource: DFIN DealMaker Meter: Understanding Risk: The Dark Side of Data

Employee training. Security is the responsibility of all employees. According to the 2023 Verizon Data Breach Investigations Report, 74 percent of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials, or social engineering. It is critical to train employees, beginning at orientation and onboarding and throughout their careers, to identify and respond to threats and anomalous activity.
Resource: Cybersecurity and Infrastructure Security Agency (CISA): Cybersecurity Workforce Training Guide

Framework. The National Institute of Standards and Technology, or NIST, provides the NIST Cybersecurity Framework, a set of standards, guidelines, and best practices for mitigating organizational cybersecurity risks. The five key functions of this framework are: identify, protect, detect, respond, and recover.
Resource: NIST Cybersecurity Framework

Governance. Cybersecurity governance is a comprehensive cybersecurity strategy that integrates with organizational operations and prevents the interruption of activities due to cyberthreats or attacks, according to CISA.
Resource: PwC: Governing cybersecurity risk: it’s time to take it seriously

Hacked account. Any account can get hacked, or compromised, including your email, bank account, or even your social media accounts. Responding quickly is important.
Resource: National Cybersecurity Alliance (NCA): Hacked Accounts: What to Do Right Now

Identity and Access Management (IAM). IAM, sometimes referred to as Identity, Credential, and Access Management (ICAM), is a framework of policies built into an organization’s information technology infrastructure that allows system owners to be assured that the right person is accessing the right information at the right time for the right reason, according to the U.S. Department of Homeland Security (DHS).
Resource: DHS: Identity, Credential, and Access Management Acquisition and Implementation Guidance

Just-In-Time Access (JIT). JIT is a component of a Privileged Access Management (PAM) solution that provides a user with temporary account access and privilege upon request, thereby reducing risk and maintaining a least privilege model at all times.
Resource: BeyondTrust: Just-In-Time Privileged Access Management (JIT PAM): The Missing Piece to Achieving “True” Least Privilege & Maximum Risk Reduction

Knowledge management. The NICE Workforce Framework for Cybersecurity provides a set of building blocks for describing the tasks, knowledge, and skills needed for the cybersecurity work performed by individuals and teams, according to NIST.
Resource: NIST: NICE Framework Resource Center

Law enforcement. Do you know when and how to report a cybercrime?
Resource: FBI: Cyber Crime

Multi-factor authentication. Sometimes called two-factor authentication or two-step verification, multi-factor authentication is a cybersecurity measure for an account that requires anyone logging in to prove their identity in multiple ways — this typically entails a code sent to your email or text, biometric identifiers, or a standalone app that requires approval, according to NIST.
Resource: NIST: Multi-Factor Authentication

Network infrastructure device protection. According to CISA, network infrastructure devices are the components of a network that transport communications needed for data, applications, services, and multimedia. These devices include routers, firewalls, switches, servers, load-balancers, intrusion detection systems, domain name systems, and storage area networks. Ensuring these devices are properly patched and secured is of utmost importance.
Resource: CISA: Securing Network Infrastructure Devices

Open-source software. Open-source software allows anyone to access, modify, and distribute source code, which can lead to greater collaboration and help spur and fast-track innovation, according to CISA. However, open-source software can also be a target for attacks.
Resource: CISA: Open Source Software Security Roadmap

Phishing. Phishing is a scam typically leveraging email, SMS, or voice calls to entice users to share private information using deceitful or misleading tactics, or lure users to click a malicious URL, according to CISA.
Resource: Federal Trade Commission: Phishing

Quantum cryptography. Quantum computing technology will be able to compromise many of the current cryptographic algorithms, especially public-key cryptography, which are widely used to protect digital information. Most algorithms on which we depend are used worldwide in components of many different communications, processing, and storage systems, according to NIST.
Resource: NIST and National Cybersecurity Center of Excellence: Migration to Quantum Cryptography

Ransomware. Ransomware is a type of malicious software — or malware — that encrypts a victim's files or locks them out of their computer systems, rendering the data inaccessible and unusable. Cybercriminals demand a ransom payment in exchange for restoring access to the encrypted files, or to prevent publication of exfiltrated files to competitors or the public.
Resource: CISA: Ransomware Response Checklist

SEC. In July 2023, the U.S. Securities and Exchange Commission adopted rules, effective September 5, 2023, requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance.
Resource: SEC: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure

Trust model. FS-ISAC utilizes a trust model called Traffic Light Protocol. FS-ISAC is a member-driven, not-for-profit organization whose mission is to advance cybersecurity and resilience in the global financial system, protecting financial institutions and the people it serves. Through intelligence sharing, its goal is to reduce cyber risk.
Resource: FS-ISAC: FS-ISAC Traffic Light Protocol (TLP) Designations

Unauthorized access. Unauthorized access is any access or use of a computer system, network, or resource which is in violation of the company security policy — or when the user was not granted authorization.
Resource: U.S. Department of Defense (DOD): Recommended Best Practices for Administrators: Identity and Access Management

Virus. A computer virus is a piece of code that can replicate and spread across your computer and system, typically with a detrimental effect such as corrupting files or the system, or destroying data.
Resource: National Cybersecurity Alliance: How to Tell If Your Computer Has a Virus and What to Do About It

Web application abuse. This is when a web application, or web application programming interface (API), is exploited to perform activities that were not intended by the developer.
Resource: DOD: Preventing Web Application Access Control Abuse

XaaS. Anything-as-a-service (or everything-as-a-service). This encompasses the many products, tools, and technologies that vendors deliver to users as a service over a network — typically the internet — as an alternative to providing them locally to an enterprise, according to TechTarget.
Resource: Deloitte: Maximizing benefits of XaaS amid potential risks

Zero Trust Architecture (ZTA). ZTA represents a complex and comprehensive approach to securing modern organizations, based on least-privilege access and the principle that no user or application should be inherently trusted.
Resource: NIST: Zero Trust Architecture

For the latest cybersecurity updates and best practices, check DFIN’s Knowledge Hub regularly.

Dannie Combs

Chief Information Security Officer, DFIN