This year, the National Cybersecurity Alliance (NCSA) and the Cybersecurity & Infrastructure Security Agency (CISA) chose “Do your part. #BeCyberSmart” as the theme for Cybersecurity Awareness Month, with weekly themes that include:
- Week 1: Be Cyber Smart
- Week 2: Fight the Phish
- Week 3: Explore. Experience. Share.
- Week 4: Cybersecurity First
We’re going to give you two tips for each week (and two bonus tips!) to help you celebrate and spread the cybersecurity joy.
Two tips to help you “Be Cyber Smart”
There are all kinds of tips we can give you about ways to be cyber smart, but they all boil down to basically the same thing: if you can connect it, protect it.
This is actually a slogan from last year’s Cybersecurity Awareness Month, but it’s a phrase that does serious heavy lifting and covers a lot of cybersecurity bases.
Think for a minute about everything you can connect to the internet:
- Cell phone
- Smart appliances
- Smart HVAC, lighting, and home automation devices
- Health and medical monitoring devices
That doesn’t seem like a long list, but when you start breaking it out to watches, heart rate monitors, fitness trackers, laptops, tablets, gaming systems, desktops, TVs, fridges, ovens, sprinkling systems, thermostats, door locks, light switches, garage doors, security cameras, and alarm systems . . . it ends up being a lot of things. Which is why this type of technology is called the Internet of Things.
On top of just the devices themselves, think about everything you do on those devices. You order groceries, takeout, gifts, clothes, shoes, home maintenance supplies, holiday decor, and a million other knickknacks and doo-dads and fal-de-ral. You rent movies. You book travel reservations.
Even more importantly, sensitive information like your birthdate, Social Security Number, account numbers, and phone number regularly venture into cyberspace when you apply for jobs, file your taxes, fill out a loan or insurance application, or register for medical procedures.
Everyone knows they need to protect these devices, but most people either don’t know how to do it or don’t realize the risk involved in procrastinating on protection.
So here are our two tips for protecting your connections:
1. Use a password manager to force you to create complex, unique passwords for each account
Passwords are the DMV of the internet—they’re a painfully slow detour you have to slog through to get where you really want to be. Too many people treat their passwords like a hoop they have to jump through by using the same simple password (maybe with a few tiny differences if you’re fancy) for everything. In fact, 66% of Americans use the same passwords for more than one account and only 34% change their passwords regularly.
Start thinking about your passwords like car or house keys. Your keys probably have a dedicated spot in your house, some unique personality keychain, and maybe even a Tile or AirTag so you can find them when you need them. And just like your keys, you don’t want to use the same one for everything—long, unique passphrases are the most secure option.
A password manager can be a standalone app, a browser extension, or a feature built into your device or browser. It’s a great tool that forces/allows (you pick the one you need) you to create a complex, unique password for every single account, and it saves you from the “forgot password” black hole.
And this should go without saying, but don’t:
- Share your passwords
- Use common words or easy to guess phrases
- Use 123456 or password as your password (Don’t laugh—they’re both in the Top 5 Most Common Passwords of 2020)
2. Enable two-factor authentication (2FA) or multifactor authentication (MFA) whenever possible
Remember how we said passwords were like the DMV of the internet? If you aren’t used to them, using 2FA or MFA can feel like your internet connection is still AOL.
2FA/MFA give your accounts an extra layer of protection by requiring, in addition to your password, a second factor before login is granted: a one-time code from an authenticator app, a hardware security key, or a code sent to you by email or text. Authenticator apps and hardware keys are stronger than email and text codes, which can be intercepted or redirected (for example through SIM swapping), so prefer them wherever the service offers them. (In the case of biometric authentication, you should have your fingerprint, voice, or retina with you.)
Extra authentication is like a deadbolt or electronic lock that significantly decreases the likelihood of a break-in. And when you realize that, by Microsoft’s figure, multifactor authentication blocks 99.9% of automated account-compromise attacks, the choice is easy.
Fight the Phish
Phishing is the most common type of breach attempt, and with a significant number of employees working from home due to the Covid-19 pandemic, phishing attacks have become more sophisticated and successful.
Phishing attacks occur when a bad actor sends you an email that looks like it comes from a legitimate person or company. Often the sender’s domain differs from the real one by just a single number, letter, or symbol (a lookalike domain), but attackers also spoof the display name while the actual address underneath is unrelated, so check the address inside the angle brackets, not just the name shown next to it.
These fake emails may have infected attachments or may ask you to click on a link that will send you to a site that downloads viruses, malware, or ransomware onto your device. If they include a phone number, the number may look like the organization’s real contact information, but the “customer service representative” you talk to will be trying to steal your identity, not process your return.
These emails often appear to be from banks, government agencies, schools, and healthcare providers and will say something like the examples below from the FTC:
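The “one character different” check above is something a mail filter or a curious reader can do mechanically. The following is an added example, not code from the original post or from any vendor: it pulls the real sender domain out of a From: header (ignoring the display name), then flags homoglyph swaps, single-character edits, and “trusted-name-as-a-subdomain” tricks against a trusted-domain list. The trusted domains and the sample headers are constructed for the demo.

```python
import re

# Constructed list of domains this organization legitimately receives mail from.
TRUSTED_DOMAINS = {"example-bank.com", "irs.gov", "example.edu"}

# Character swaps commonly used in lookalike domains (0 for o, 1 for l, rn for m ...).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(domain: str) -> str:
    """Fold lookalike characters so 'examp1e-bank.com' compares equal to 'example-bank.com'."""
    d = domain.lower().translate(HOMOGLYPHS)
    for src, dst in MULTI_CHAR:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), small dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the address in <...>. The display name before it is attacker-controlled
    and may itself look like an email address, so it is deliberately ignored."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify(from_header: str) -> str:
    """'trusted', 'unknown', or 'lookalike-<reason>:<trusted domain imitated>'."""
    d = sender_domain(from_header)
    if d in TRUSTED_DOMAINS:
        return "trusted"
    for t in sorted(TRUSTED_DOMAINS):
        if normalize(d) == normalize(t):
            return f"lookalike-homoglyph:{t}"
        if edit_distance(d, t) <= 1:
            return f"lookalike-edit-distance:{t}"
        if d.startswith(t + "."):          # example-bank.com.verify-login.net
            return f"lookalike-subdomain:{t}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers, not real messages.
    for hdr in ["IRS Refunds <refund@irs.gov>",
                "Example Bank <alerts@examp1e-bank.com>",
                "Example Bank <security@example-bank.co>",
                "Example Bank <noreply@example-bank.com.verify-login.net>",
                "alerts@example-bank.com <attacker@gmail.com>",
                "Tax Office <notice@lrs.gov>"]:
        print(f"{classify(hdr):45s} {hdr}")
```

The last two samples show the limits of the “look closely at the domain” advice: a spoofed display name is caught only because the code ignores it, and a sender from a domain that is neither trusted nor a near-miss comes back as “unknown”, which is a reason to be careful, not a clean bill of health.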
- “We suspect an unauthorized transaction on your account. To ensure that your account isn’t compromised, please click the link below and confirm your identity.”
- “During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.”
- “Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”
- “Your test results are ready. Please call us immediately.”
Here are our Fight the Phish Tips:
1. Train your team. Then train them again. And again. And again. And again.
Employee error causes 88% of all data breaches. Even the very best antivirus software can’t stop an employee from clicking a bad link or downloading a bad attachment. One of the most efficient ways to protect your company against a phishing attack is to teach your employees what they look like.
CISA already has fliers explaining phishing attacks ready for download on its website. You can print them off and pass them out, use them to develop your own training, or even run a phishing simulation at work to see which types of phishing attacks your business is most vulnerable to.
2. Create, implement, and enforce a cross-functional process for installing updates
In 2019, Ponemon Institute found that 60% of breach victims said their breach was the direct result of failing to patch a known vulnerability.
Patches and updates often get put off as a “That will only take a few minutes I’ll do it later” or “I’ll do it first thing in the morning” task, but this approach is as dangerous as leaving your keys in the ignition of your running car.
The best way to protect against this type of unnecessary risk is to have a cross-functional team from across the company create, implement, and enforce a process that regularly checks for updates and patches, prioritizes them by severity and by how exposed the affected systems are, schedules their speedy installation, and confirms they were installed correctly.
This process should delineate each department’s responsibilities and include failsafes to make sure nothing falls through the cracks.
Explore. Experience. Share.
Technically, the NCSA and CISA are using week three of Cybersecurity Awareness Month to highlight cybersecurity careers, but since you likely aren’t looking to switch careers, we’re going to take a slightly different approach.
Instead of checking out potential cybersecurity career paths, we want to invite you to see what cybersecurity and privacy professionals can do for you.
Ready for your tips?
1. Review your privacy practices
New laws giving consumers expanded protections for how and where their sensitive personal information is collected online are passed every year, and more businesses every year find themselves subject to strict data use, storage, and protection regulations.
Cybersecurity and privacy aren’t the same thing, but they need to work together to get the job done. Odds are high that working with a privacy expert will identify gaps in how you collect, store, and share personal data that they’re uniquely qualified to fix.
2. Hire a cybersecurity consultant
Even if you have a cybersecurity team in your IT department, an outside pair of eyes going through your systems and processes may be able to crack entrenched problems, including getting your teams set up on VPNs, creating policies for the use of work and personal devices on public and private networks, solving document storage and destruction issues, sourcing new vendors, and so on.
Cybersecurity First
You’ve likely made investments to secure your physical assets, so do the same for your digital and reputational assets, which are potentially more valuable.
Unlike the theft of inventory, which usually results in a one-time hit to your bottom line, a single cybercrime incident can cost you for years. Cybersecurity Ventures estimates that cybercrime will cost the world $10.5 trillion annually by 2025.
On the other hand, incorporating your cybersecurity expectations and goals into your company culture through frequent training and process updates will likely pay off for years as well.
Here are our tips for putting cybersecurity first:
1. Get everyone on the same page
Your cybersecurity program can be led by your Chief Information Security Officer or your IT team, but you should also have a task force with representation from every department that meets regularly to discuss cybersecurity and privacy initiatives and concerns.
Processes and training developed this way are far more likely to succeed because they will be designed to work for everyone. Having a cross-functional cybersecurity team also increases the number of leaders you have working on the solution. Employees are far more likely to comply when a trained director from their own department explains a change than when someone they don’t know or trust from another department tells them how to do something.
2. Conduct an audit
Trying to build a cybersecurity program without doing an audit is like trying to build Ikea furniture without the directions—you might end up with something that looks mostly right but can’t support any weight.
A cybersecurity audit will help you pinpoint your strengths, identify your vulnerabilities, expose outdated software and hardware, and reveal opportunities for continuous improvement processes. Whether you do it yourself or hire a contractor, an audit will give you customized instructions on how to protect and build your business.
Two bonus tips
As promised, here are our last two Cybersecurity Awareness Month tips:
1. Regularly back up your important operating systems, records, and data
Off-site, secured copies of your information are what let you keep the doors open after a ransomware attack, provided at least one copy is offline or immutable (ransomware operators routinely look for and encrypt any backup they can reach from the network) and you have tested restoring from it before you need to. Backups also give you a known-good baseline: comparing the backup copy to the live data can reveal files that were changed, added, or removed without authorization, which is an early sign of a breach.
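One concrete way to use a backup as a baseline, as an added example that is not part of the original post: record a SHA-256 manifest of every file when the backup is taken, store the manifest with the off-site copy (so an intruder on the live system cannot quietly rewrite it), and later diff it against the live tree. The directory layout, file contents, and “attacker changes” below are constructed for the demo; the tamper scenario is assumed, not taken from any real incident.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map of relative path -> SHA-256 for every regular file under root.
    Run this at backup time and keep the result with the off-site copy."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report what differs between the backed-up baseline and the live tree."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "deleted": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: snapshot a small tree, simulate tampering, and compare."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "app" / "config.ini").write_text("debug=false\n")
        (root / "app" / "main.py").write_text("print('hello')\n")
        (root / "README.txt").write_text("internal docs\n")
        baseline = build_manifest(root)   # what the off-site backup recorded

        # Simulated changes made on the live system after the backup was taken
        (root / "app" / "config.ini").write_text("debug=true\nadmin=attacker\n")
        (root / "app" / "persist.sh").write_text("#!/bin/sh\n# unexpected new file\n")
        (root / "README.txt").unlink()
        current = build_manifest(root)

        return compare_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The diff tells you what changed, not whether the change was malicious, so pair it with your change records: an entry in the “modified” list that no ticket explains is the one to investigate first.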
2. Hit your mobile device action plan hard and often
According to the FCC, mobile devices present businesses with a host of security and management challenges, especially if those devices have confidential information or access to company networks.
The FCC highly recommends that employees with company-provided mobile devices take the following steps:
- Password protect their devices
- Use a program to encrypt any sensitive data
- Install security apps to protect data on public networks
- Immediately report lost or stolen devices
On your mark, get set, go!
Now you’re ready to strengthen your business using Cybersecurity Awareness Month to guide the way. Congratulations!
If you need help figuring out what steps are next for you and your company, contact us today.