Staying safe online in 2023
As Cybersecurity Awareness Month celebrates its 20th anniversary this year, it's the perfect time to reflect on the strides we've made in security education and awareness. It’s also a chance to look ahead, combining education with the right technology to protect people at scale.
Two decades is a very long time on the internet -- there was no Facebook or YouTube in 2003. Now there are more than 500 times as many secure websites. Phishing was just beginning to catch on. Now phishing is widely reported to be a multi-billion-dollar problem, with millions of attacks detected and taken down each year. As the internet has evolved, so have cybercriminals.
Modern security awareness is not about deciding whether an individual email is malicious or not -- while of course a healthy dose of skepticism is useful -- it is about having the right tools, platforms, and policies in place to protect you, your family, and your colleagues.
A 2023 trend demonstrates the evolving challenges of cybersecurity -- criminals are now exploiting AI to write phishing emails. Spotting spelling mistakes in scams may need to be flipped on its head: perfect grammar might be more likely to come from a bot than from your boss.
What you can do to help protect yourself is to get the right tools deployed in the right places:
Phishing: Attacks impersonating well-known organizations have grown in sophistication. Both large campaigns, with thousands of emails asking for bank details, and personalized spear phishing, crafted using ChatGPT with information scraped from social media, are on the rise.
Security education must adapt, teaching users to be skeptical even when an email, SMS or DM seems to come from a known contact. At the same time, criminals use an ever-growing variety of techniques to hide phishing sites from careful users and security vendors.
User awareness must be combined with powerful technology to defend against phishing at scale. Using an up-to-date modern browser provides a reasonable starting point -- with Chrome, Firefox and Safari harnessing the protection of Google Safe Browsing and Microsoft Edge using SmartScreen. Additional protection -- covering a wider set of malicious websites, fake shops, evil JavaScript, and scams -- can be achieved using mobile apps and extensions. Enterprises can protect their customers from impersonation-based attacks using their brands through online brand protection providers, who are adept at combating cybercriminals.
Reporting suspected attacks helps defend yourself and others. Reporting attacks to your company’s security team can give a definitive expert verdict, and reporting to governments and global cybersecurity vendors means others around the world can be protected too.
Passwords: While the importance of strong passwords has long been recognized, the conversation has shifted. Today, it's about understanding password managers, avoiding password reuse, and recognizing the limitations of passwords alone. Passkeys are an exciting development, but they also surface concerns around centralizing authentication with a handful of global enterprises.
Multi-Factor Authentication: Using more than one factor (something you know, something you have, or something you are) has become a key feature of online safety. Handled carefully, it can make password spraying attacks extremely challenging for criminals.
SMS is widely seen as a second-rate choice for multi-factor authentication. For many, however, it is the most accessible option and a significant improvement on using only a password. The Federal Communications Commission announced earlier this year a raft of new rules intended to make SIM swapping attacks in the US more difficult. While MFA is no longer an optional feature for the paranoid, many SaaS products still charge extra for enterprise identity integrations.
Software Updates: 20 years ago, installing antivirus software would have been at the top of your checklist; today it’s keeping on top of software updates. These often contain patches that protect against critical vulnerabilities. Delaying or ignoring these updates can leave systems unnecessarily exposed.
A few things are clear as we look ahead:
1. Continuous learning: Cyber threats won’t stop evolving, and neither can our efforts. What's relevant today might be obsolete tomorrow. Continuous learning and adaptation are crucial.
2. Holistic approach: It's not just about individual actions. A holistic approach combines individual vigilance, organizational policies, new government regulations and powerful technology enhanced with AI.
3. Empowerment: FUD -- fear, uncertainty, and doubt -- and FOMO -- fear of missing out -- are commonly used to exploit victims at their most vulnerable. However, the future lies in empowerment. With healthy skepticism and the right technology, people can still navigate the digital world safely.
4. Collaboration: No single entity can tackle the challenges of cybersecurity alone. Collaboration between the cybersecurity industry, enterprises, governments, and individuals will be key to remaining protected.
As we recognize Cybersecurity Awareness Month’s 20th year, we can acknowledge the tremendous progress made. However, the journey is far from over. By focusing on key behaviors like MFA, passwords, software updates, and defense against phishing, we can collectively strive for our vision of a world protected against cybercrime.
Ryan Woodley is CEO at Netcraft.