Started in 2004, Cybersecurity Awareness Month is a campaign designed to raise awareness and promote healthy cybersecurity practices among individuals and organizations. This year's theme is "Secure Our World."
When it comes to securing your world, the Cybersecurity and Infrastructure Security Agency, CISA, has published essential areas of hygiene that, when followed, will go a great distance to help you secure yourself and your business. By taking these actions, individuals and organizations can preemptively reduce their risk and chances of costly and embarrassing security incidents such as falling victim to ransomware, having data exposed, or being fined for non-compliance as a business.
Here are the four key actions CISA advises:
1. Enable or Require Multifactor Authentication (MFA)
MFA is perhaps one of the most decisive steps one can take to improve their security posture. MFA requires users to provide two or more forms of authentication when trying to access data, online services, or an application or system. Forms of authentication include passwords, a biometric such as a fingerprint scan, or a security token. Security tokens can be a hardware device, such as a USB token inserted into a computer, phone, or tablet. Security tokens can also be app-based, such as mobile apps that ask a user to confirm or deny an access request occurring on another device or to enter a one-time code it displays.
MFA makes it much more difficult for attackers to gain access to accounts. Experts advise users to start by enabling MFA on their email accounts because email is often used as part of the account recovery process. After email is secured, move on to the subsequent most sensitive accounts such as banking accounts, social media, etc.
2. Keep software and devices up to date
One way attackers like to gain access is through software vulnerabilities. Flaws in software enable attackers to develop exploits that can be used to hack the software and potentially gain access to data or even the underlying system.
The best way to defend oneself and your organization from attacks on vulnerable software is to update software regularly. The most recent security patches will be installed using the operating system's software update capabilities.
CISA has made a vulnerability scanning service available to federal, state, local, tribal, and territorial governments and public and private sector critical infrastructure organizations. More information on this program is available by emailing [email protected] with the subject line: Requesting Cyber Hygiene Services.
3. Use Strong Passwords
It's no secret that attackers target weak credentials in their infiltration attempts. That's why it's no accident that two of the four key actions the CISA suggests everyone make sure they're focusing on authentication.
According to the CISA, individuals and organizations are improving their security hygiene by using strong passwords, even when using MFA. A strong password is a password that is very difficult for an attacker to break or guess. Strong passwords should include upper- and lowercase letters and numbers and contain special characters like !@#$%^&*()|.
A way to create strong, memorable passwords is to use passphrases, a combination of words that are easy to recall but not easy to guess. An example would be Monkey&ocean$movie. Another way to create and store strong passwords is to use a password manager. These applications promise to store passwords securely and recommend secure passwords.
Always use unique passwords for each application and online service.
To create a strong password, use a passphrase instead of a single word. A passphrase is a combination of words that are easy to remember but difficult to guess. For example, "correct horse battery staple" is a strong passphrase that is easy to remember but difficult to guess. Using a different password for each account is also essential to prevent attackers from accessing multiple accounts if one password is compromised.
4. Beware of phishing emails and messages
Most successful attacks start with someone succumbing to a phishing email, social media update, or a direct message, and they click on a link or download a malicious attachment. By training oneself and staff constantly to be alert and not click on suspicious links or download suspicious attachments, many attack attempts can be faltered. Whenever in any doubt, don't click on links shared, but go to the website directly and access the relevant resources. When considering downloading attachments, call or email the sender directly to make sure it was they who sent the attachment. A little awareness, caution, and prevention here will go a long way.
While it's Cybersecurity Awareness Month, and there's an increased focus on cybersecurity, successful cybersecurity is an everyday focus. These key actions that will improve cybersecurity hygiene are a continual process. But by following this guidance, individuals and organizations will reduce their risk. So enable multifactor authentication, update software regularly, use strong passwords, and don't click on items within suspicious emails or social media posts.