Navigating cyber complexities: Top tips from an ethical hacker for Cybersecurity Awareness Month
October is Cybersecurity Awareness Month, and this year’s overarching theme is "It’s Easy to Stay Safe Online."
While cybersecurity news often centers around massive data breaches and hacks, it can be overwhelming to citizens and consumers who feel powerless against such threats. However, this year’s theme serves as a reminder that we all have a part to play in making the online world a safer place, whether that be at work, home or school.
Ultimately, it comes down to making life more difficult for cybercriminals to execute their malicious acts and making humans the first line of defense. Simply implementing a few small actions and best practices can go a long way in protecting yourself and those around you.
This year, Cybersecurity Awareness Month focuses on four key behaviors:
- Enabling multi-factor authentication
- Using strong passwords and a password manager
- Updating software
- Recognizing and reporting phishing
Enabling multi-factor authentication
Multi-Factor Authentication (MFA) is a critical component of successful cyber protection and should be enabled everywhere possible -- on cloud and SaaS applications, email, online banking and social media accounts. Both consumers and organizations must understand that passwords shouldn’t be the only means of protecting their accounts against malicious actors, especially accounts that store highly sensitive data, e.g., addresses, Social Security numbers and credit card details.
Passwords should instead be moved into the background, with MFA enabled and serving as an extra layer of protection, should an attacker crack through a weak password. Individuals and organizations must determine where and how they can enable multi-factor authentication as soon as possible.
Using strong passwords and a password manager
As humans, we struggle to create and maintain complex passwords. Oftentimes we reuse the same password for multiple accounts, fail to update and rotate them regularly, and create credentials that are short and easy to remember. All of these habits create risk.
Fortunately, password managers can go a long way towards handling the complexity of this task, rotating passwords and ensuring those created meet the highest of standards. A password manager will automatically create and store complex and unique passwords for each of your user accounts.
Updating software
Criminals are motivated to find an entry point into user accounts and enterprise systems -- often through software exploitation. As outdated programs are more susceptible to attacks, this year, Cybersecurity Awareness Month is highlighting the importance of regularly updating operating systems and personal and professional devices such as laptops, tablets and mobile phones.
If there are updates available for your systems, it is imperative that they are installed immediately, as updates will often address security issues or flaws. Once new updates are installed, users should reboot their systems to ensure the updates have been applied. This process should also be repeated for the applications (apps) and web browsers used most frequently. Ensure you are running the latest versions to avoid exploitation.
Recognizing and reporting phishing
We live in a world of connectivity and mobile devices where we receive communication from a host of different channels -- social media, text, email, Slack and so forth. All of these avenues of communication have the potential to contain something malicious and, as a result, we must become increasingly skeptical.
Before clicking on anything embedded within an email or message, ask yourself a few questions: Was I expecting to receive this? Does it look normal? Did this come from a legitimate email address or source? Also check for notable spelling and grammar mistakes.
One of the most effective ways to mitigate a phishing attempt is to analyze the URL and check for discrepancies, such as suspicious additions to the domain name. Most of the time, it is safer to go directly to a website to log in and enter credentials rather than clicking a link to the website that has been sent to you.
Reporting phishing attempts is still an underutilized practice. Users should report all types of malicious phishing activity to the appropriate party, whether that is a workplace, an organization where you are a customer (bank, retailer, etc.) or an educational institution. By reporting suspicious activity, organizations can address these issues in a timely manner and ensure other users do not fall victim to the same attacks.
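As an added illustration of the URL check described above (example code written for this article, not from the author or from Delinea), the function below compares a link's real host with the site a message claims to come from and lists the discrepancies a reader should look for. The sample URLs and the expected host `example-bank.com` are constructed; the "last two labels" rule used for the registrable domain is a simplifying assumption.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit


def registrable(host: str) -> str:
    # Approximate the registrable domain as the last two labels.
    # Assumption: a production checker would consult the public suffix list.
    return ".".join(host.lower().split(".")[-2:])


def inspect_url(url: str, expected_host: str) -> list:
    """Return the discrepancies between a link and the site it claims to be.
    An empty list means nothing suspicious was found by these checks."""
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    expected_host = expected_host.lower()

    if parts.scheme != "https":
        findings.append(f"not HTTPS (scheme is {parts.scheme or 'none'!r})")
    if not host:
        findings.append("no host in URL")
        return findings
    # Anything before '@' is userinfo and is ignored by the browser, so the
    # text that looks like the bank's domain is not where the link goes.
    if parts.username is not None:
        findings.append(f"prefix {parts.username!r} hides the real host {host!r}")
    try:
        ip_address(host)
        findings.append(f"host is a raw IP address {host!r}, not a domain name")
    except ValueError:
        pass
    # Non-ASCII or punycode ('xn--') labels can imitate a familiar name.
    labels = host.split(".")
    if any(ord(c) > 127 for c in host) or any(l.startswith("xn--") for l in labels):
        findings.append(f"host {host!r} uses non-ASCII/punycode characters")
    # Only the expected host itself or one of its subdomains is acceptable.
    if host == expected_host or host.endswith("." + expected_host):
        return findings
    if expected_host in host:
        findings.append(f"{expected_host!r} appears inside {host!r}, "
                        f"but the real domain is {registrable(host)!r}")
    else:
        findings.append(f"domain {registrable(host)!r} does not belong to {expected_host!r}")
    return findings


if __name__ == "__main__":
    for link in ["https://login.example-bank.com/account",
                 "https://login.example-bank.com@203.0.113.5/",
                 "https://example-bank.com.secure-update.test/login"]:
        print(link, "->", inspect_url(link, "example-bank.com") or "no discrepancies")
```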
Joseph Carson is Chief Security Scientist and Advisory CISO at Delinea.