As threats to technology and private information become more frequent, the President of the United States and Congress have proclaimed October to be Cybersecurity Awareness Month. This initiative aims to assist people in protecting themselves online. Government and business are working together to increase cybersecurity awareness on a national and worldwide level under the direction of the National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA).
See Yourself in Cyber
The slogan for this year's campaign, "See Yourself in Cyber," shows that although cybersecurity may appear to be a complicated topic, it ultimately comes down to people.
Everyone should see themselves in cyberspace, regardless of the function they play. Consumers or individuals can take simple precautions to safeguard their digital privacy and information. By putting strong cybersecurity measures in place at work to help prevent an incident at their location or further down the supply chain, vendors and suppliers can take responsibility for their roles while safeguarding their brand and reputation. Owners and operators of critical infrastructure that are a part of a wider network of services and systems that rely on or support critical infrastructure can learn how their company contributes to the ecosystem's overall cybersecurity.
Even if the majority of cybersecurity news stories focus on significant data breaches and cybercriminals, it can still feel overwhelming and like you have no control over it. But Cybersecurity Awareness Month serves as a reminder to everyone that there are numerous ways to safeguard your data. Even learning the fundamentals of cybersecurity can have a significant impact.
Enable multi-factor authentication
Everyone agrees that enabling multi-factor authentication (MFA) is the best precaution to mitigate password attacks. A CISA advisory highlights that “MFA is one of the most important cybersecurity practices to reduce the risk of intrusions—according to industry research, users who enable MFA are up to 99% less likely to have an account compromised.”
It is therefore important to enable MFA wherever this is possible. A mistake that some businesses make is that they protect only their privileged accounts, such as IT admins, and their remote users with multi-factor authentication. However, every employee and every individual are a potential target for criminals. Hence, MFA should be enabled for every employee to reduce the potential of attackers compromising an account.
The recent attacks on Cisco and Uber demonstrated that not all MFA methods are equally safe. In fact, SMS-based authentication is deprecated by NIST since 2017, while attackers are using tactics like MFA fatigue to circumvent authentication methods like OTP push-notifications. The Office of Management and Budget memorandum on enabling a Zero Trust cybersecurity asks businesses to elect a phishing-resistant MFA method, such as FIDO2 security keys. Nevertheless, organizations should not rip and replace existing authentication schemes. OTP push-authentications are more secure than having no MFA at all and can still be used to safeguard less critical data and systems.
Use a password manager for strong, unique passwords
The keys to your digital castle are your passwords. You want to take every precaution to keep your passwords secure, just like you would with your house keys. All passwords should be generated with the following three guiding principles in mind, regardless of the accounts they protect:
- Long – At least 12 characters should be included in each of your passwords.
- Unique - Each account must be secured by a separate, individual password. Use unique passwords only. In this manner, even if one of your accounts is compromised, the rest of them are safe.
- Complex - Each password should be complex and contain a mix of capital and lowercase letters, digits, and special characters.
If your password is lengthy, distinct, and complex, the advice is to never change it unless you notice that someone else is using that account without your permission or the password was stolen during a data breach. The most recent recommendations from NIST support this recommendation. Cybersecurity experts have been advising us to change our passwords on a regular basis for many years. However, if your passwords are all lengthy, distinctive, and complex, this frequent changing is ineffective. In fact, if you frequently change your passwords, you run the danger of repeating old ones or developing unhealthy habits like using identical or weak passwords.
As our lives have grown and we have done more online, we now may handle upwards of 100 or more passwords. Creating, storing, and remembering all those passwords can be a hassle. However, passwords are your first line of defense against hackers and data breaches. Free, user-friendly password managers can make managing your passwords simpler than ever.
A password manager provides the easiest approach to establish and maintain strong passwords for the growing number of online accounts we connect into. By using a password manager, you may avoid storing a cluttered sticky note with all your most crucial passwords glued to your computer or a complicated notepad of passwords in a drawer. Now, all you need to remember to access your password manager vault is one strong password.
You may use password managers to store hundreds of different passwords for your online accounts, but these programs also have the following benefits:
- Save time
- Work across all your operating systems and devices
- Safeguard your identity
- Warn you about possible phishing websites
- Notify you when a password may have been compromised
Always update your software
Keeping your software and apps updated is one of the simplest ways to keep your information secure. Software updates are a simple method to stay one step ahead of the bad guys because you can be sure they are always seeking for new ways to access your data through vulnerable software.
Here are a few justifications for thinking about software updates right away.
- Close security holes. Cybercriminals can gain access to a person's computer because of software flaws. Threat actors view these flaws as unlocked doors that provide them access to infect systems with malware. Software security updates close these open gateways to prevent attacks on a system.
- Add fresh features. By installing updates, you might be able to add new features and get rid of any outdated ones. Updates provide the most recent features and advancements because technology is always evolving.
- Safeguard your data. A threat actor that gains access via a software security hole will look for confidential documents, passwords, and other personal data such as financial information. Data is better protected when software is updated to address security flaws.
- Increased efficiency. Not every patch relates to security. Software developers could discover defects in software or realize that a program needs to be improved. The software's performance is boosted by these modifications.
- Verify compatibility. To make sure their program is compatible with the newest technologies, software developers issue updates. Older software may not be compatible with newer technologies without upgrades.
In addition, here are two tips for when downloading and installing updates.
- Download software updates solely from the source that produced them. Never utilize software that has been cracked, pirated, or used without a license (even if your friend gave it to you). These frequently have viruses and create more issues than they fix.
- Automate the process. The option to automatically update your program is typically offered by software from reputable vendors. It provides a notification when an update is available so you can start the process right away.
Recognize and report phishing
Phishing is a popular tactic for cybercriminals, but you don't have to fall for it. In the majority of cyberattacks, criminals employ social engineering, and they do it because it is effective. Anyone can be caught by the right phish at the wrong time. Many other businesses, including Twitter, Sony, and Google, have been used for social engineering to compromise people and families.
Cybercriminals are increasingly convincing and persuasive in many of their phishing attempts as we have grown more knowledgeable to obvious hoaxes. According to Jessica Barker, one of the reasons social engineering is so effective is that it will manipulate our emotions to skew our judgment. Everything depends on how we take in information.
According to behavioral economics, there are two ways that each of us processes information: quickly and slowly. When we think slowly, we are composed, thoughtful, and reasonable. Cybercriminals want us to think differently than this. They want to force us to think quickly while we are still susceptible, emotional, and simple to control. Therefore, cybercriminals manipulate our emotions to persuade us to click questionable links, download dangerous attachments, and disclose our credentials.
Spend a few seconds making sure the email or the message seems legitimate before clicking any links or downloading any attachments. Here are some short guidelines for recognizing a phishing email:
- Is there a bargain in it that seems too good to be true?
- Does it use threatening, scary, or urgent language?
- Does it ask for personal information to be sent?
- Is there a sense of urgency to open an unfamiliar link or attachment?
- Is this an odd or hurried business request?
- Does the email address of the sender match the business it is from? Pay attention to minor misspellings like Anazon.com or Pavpal.com.
Recognizing a bogus email or message that is a part of a criminal's phishing campaign is the challenging part. All that is left to do is report it. Report the email as soon as you can to your IT manager or security officer if you are at the workplace and it was sent to your work email address.
If the email was sent to your personal email address, do not follow the instructions. Do not reply to the email or click any links, even the one to unsubscribe. Simply press the delete button. You can strengthen your security by blocking the sending address from your email program.
Everyone has a right to a safe internet, so let’s remember to #BeCyberSmart.