October 2023 marks the 20th Cybersecurity Awareness Month – an annual campaign designed to raise awareness of cybersecurity, both at home and at work.
This year, CISA (the Cybersecurity and Infrastructure Security Agency) has announced a new awareness program called Secure Our World.
The Secure Our World program promotes four basic actions that everyone should take to help themselves stay safe online:
- Use strong passwords
- Turn on MFA (multifactor authentication)
- Recognize and report phishing
- Update software
The campaign’s four messages are basic cybersecurity best practice; every major security framework recommends them as part of a cybersecurity program.
Let’s look at them individually.
Use strong passwords
It’s important to use a unique, strong password for each online account you have, especially as your username tends not to vary from account to account – many services use your email address as the username by default.
This means that if one account’s password is exposed in a data breach, attackers cannot simply replay that same email-and-password pair against your other accounts (an automated technique known as credential stuffing).
A strong password is long and complex, using a random mix of uppercase and lowercase letters, numbers, and special characters.
However, remembering long strings of random characters is all but impossible. An alternative is to use a passphrase made up of three or four randomly chosen words, or to use a password manager to generate and store random passwords for you – all you then need to remember is the master password for the password manager, which should itself be a strong passphrase, because it protects every other credential.
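To show why a few randomly chosen words or a manager-generated string is enough, the following added example (not code from the original page or from CISA) generates both kinds of secret with Python’s `secrets` module and computes their entropy. The 16-word list is a constructed stand-in for a real diceware-style list of 7,776 words; the entropy figures assume every pick is uniform and independent, which is exactly why the words must be chosen at random rather than by a person.

```python
import math
import secrets
import string

# Constructed mini wordlist for illustration only; a real diceware-style list has 7776 words.
SAMPLE_WORDLIST = [
    "apple", "river", "candle", "orbit", "tundra", "velvet", "magnet", "harbor",
    "cobalt", "lantern", "meadow", "quartz", "saddle", "thimble", "walnut", "zephyr",
]
DICEWARE_LIST_SIZE = 7776

# 94 printable ASCII symbols: what a typical password manager draws from.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Manager-style random password. Uses `secrets`, never `random`, because
    `random` is a predictable PRNG and unsuitable for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 4, wordlist=SAMPLE_WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is an independent uniform pick."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, alphabet_size: int) -> float:
    """Entropy of a secret built from `choices` independent uniform picks
    out of `alphabet_size` options: choices * log2(alphabet_size)."""
    return choices * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an offline attacker to try every possibility.
    `guesses_per_second` is an assumption the caller supplies."""
    return (2.0 ** bits) / guesses_per_second


if __name__ == "__main__":
    print("password  :", random_password(), f"({entropy_bits(16, len(PRINTABLE)):.1f} bits)")
    print("passphrase:", random_passphrase(), f"({entropy_bits(4, len(SAMPLE_WORDLIST)):.1f} bits from the toy list)")
    print(f"4 words from a 7776-word list: {entropy_bits(4, DICEWARE_LIST_SIZE):.1f} bits")
    # Assumed attacker speed of 1e10 guesses/s (fast offline hash cracking); purely illustrative.
    days = seconds_to_exhaust(entropy_bits(4, DICEWARE_LIST_SIZE), 1e10) / 86400
    print(f"exhaustive search at 1e10 guesses/s: about {days:.1f} days")
```

Four words from a 7,776-word list give roughly 52 bits, a 16-character random password roughly 105 bits; the point of the comparison is that a memorable passphrase is acceptable for the one secret you must remember (the manager’s master password), while everything else can be long random strings you never see.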
Turn on MFA
Multifactor authentication, or two-factor authentication (2FA) when exactly two factors are used, helps ensure that even if someone does learn your password, your account remains secure.
It’s an additional layer of security that requires users to prove their identity through another means, such as a one-time code (generated by an authenticator app or hardware token, or sent via SMS) or a biometric (such as a fingerprint). Codes sent by SMS are weaker than app- or hardware-based factors, because they can be intercepted or redirected by SIM-swap fraud, but they are still far better than a password alone.
Its relative simplicity belies its effectiveness, and it’s offered on more and more accounts and apps. It is often enabled by default on things like banking apps and email accounts.
If it is available but not enabled by default, turn it on.
Recognize and report phishing
Phishing is one of the most common ways malware is delivered and one of the most common ways successful cyber attacks begin. Phishing messages are communications – usually emails, but increasingly social media messages and posts, texts and phone calls – that look like they come from a trusted person or organization.
The messages usually create a false sense of urgency to push recipients into clicking a link or opening an attachment. Doing so will typically either install malware on your device or take you to a fake website that harvests any credentials (and any MFA codes) you enter. If a message feels urgent or unexpected, check the sender’s address and the real destination of any link before acting, and report the message to your IT or security team rather than deleting it quietly.
Update software
Most cyber attacks are automated, so they require practically no skill to execute, are cheap and easy to run, and are indiscriminate, looking only to exploit common vulnerabilities rather than targeting specific websites or companies.
These attacks overwhelmingly rely on known vulnerabilities in software and network services, which vendors fix with updates. If you don’t update to the latest versions or apply vendors’ patches as they are released, the vulnerabilities in your systems remain exploitable long after the fix exists, and attackers routinely scan for exactly those unpatched systems. Turning on automatic updates where it is offered removes the need to remember.
A Ponemon Institute survey found that almost 60% of breaches suffered by organizations were because of unpatched vulnerabilities.
The legal obligation to stay cybersecure
Not only will these basic habits help secure your accounts, they will also help your organization meet its legal obligations. For instance, if you process personal data, you are obliged under numerous laws and frameworks to ensure you have implemented appropriate measures to protect that data.
If you are bound by Europe’s GDPR (General Data Protection Regulation), it’s critical that everyone in your organization understands their security obligations. There’s obviously a lot more you can do than follow these four simple steps.
You can learn more about GDPR compliance, information security and data protection best practice in our October 24 webinar, Bridging the gap between Europrivacy and GDPR.