The month of October brings a lot of change around us, with the season's burst of tree color and traditional autumn activities. Since 2004, October has also been designated Cybersecurity Awareness Month, bringing special attention and focus to an important topic that affects businesses and individuals alike.
Each October, attention is dedicated to a cybersecurity topic. This year, the Cybersecurity and Infrastructure Security Agency (CISA) is focusing on the people component with the theme "See Yourself in Cyber." Too often, cybersecurity topics are shrouded in complexity and not digestible enough even for the tech savvy, let alone the non-technical individual. CISA's focused attention in October aims to break down the most common threats seen in the marketplace, then bring awareness and share suggestions to improve the security posture not only within our businesses but also in our personal lives.
While the topic of cybersecurity is far reaching, this month focuses on four key things everyone can do to improve cyber awareness and be part of the solution. Organizations invest heavily in cybersecurity risk management, tools, controls, policies, and procedures to help prevent threat actor compromises of systems and data. The focus this month is around the following centers of influence:
- Think before you click
- Recognize and report phishing
- Update your software
- Use strong passwords and enable multi-factor authentication
Phishing continues to be an effective attack vector for many threat actors. In fact, the 2021 Verizon Data Breach Report showed that 85% of data breaches utilized the human factor. Phishing is the engineered effort to compel a recipient to click links or open suspicious attachments in email. Many of these emails carry the risk of the recipient unintentionally providing credentials or installing software aimed at reconnaissance and, ultimately, compromise of business and personal systems. Let's face it: humans are the weakest link and are socially engineered on a regular basis. Organizations have employed ongoing security awareness training to help employees detect and respond to malicious emails properly, with the residual benefit of both organizational and personal protection. CISA suggests the following: "If a link or attachment looks a little off, think before you click it – it may be an attempt to get sensitive information or install malware."
Hardware and software developers are equally plagued by the cat-and-mouse game of cybersecurity, bug fixes, feature and functionality updates, and new stability releases. Developers of hardware and productivity software such as Microsoft, VMware, Apple, Google, Adobe, and others go to great lengths to keep pace with newly detected vulnerabilities. Some manufacturers offer bug bounty programs with large monetary rewards to individuals who can find weaknesses in their applications. Keeping software up to date is a key component of a sound cybersecurity strategy, balanced against the productivity of its user base. Many of these software manufacturers offer mechanisms to update software automatically, helping customers take advantage of the latest features while quickly patching known security vulnerabilities before a threat actor group can use them. As CISA points out, "don't delay – if you see a software update notification, act promptly. Better yet, turn on automatic updates."
In our technology landscape, if you have something of value, it is likely to be behind a password. Passwords and password management might be one of those topics that has you pulling your hair out, especially considering the number of accounts and services to manage. All this management can cause us to choose the easy road when it comes to password development, which can unfortunately mean higher rates of password re-use leading to compromise and identity theft.
It is still common to see weaker 8-character passwords with minimal complexity requirements. In fact, the top passwords discovered in the dark web in 2021 included “password,” “12345678,” “qwerty,” and “111111.” This tells us that our thought process on creating passwords, and what account providers still allow, needs to change. And you guessed it, threat actors already know these common passwords are in use when trying to compromise accounts.
While there is much afoot in trying to eliminate passwords and move to a password-less model of authentication, the password is still very much alive and clearly not well. CISA recommends passwords that are "long, unique, and randomly generated." They suggest we use password managers to generate and remember a different, complex password for each of our accounts. How long should a password be, you might ask? If you do not have a form of multi-factor authentication in place, the industry recommendation is in the 14- to 16-character minimum territory. Shifting our thinking toward longer passphrases will help many individuals create and remember stronger passwords. For every challenge you may face in managing access, there are secure password management solutions to help generate, manage, and secure sensitive account information both personally and professionally.
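The two password paragraphs above boil down to three checks a login system or password manager can make mechanically: reject the common passwords named above, enforce a minimum length, and generate credentials randomly rather than leaving the choice to the user. The Python below is an added illustration written for this article, not code from CISA, Rehmann, or any password manager; the 14-character minimum is the lower bound quoted above, the blocklist is a tiny constructed stand-in for a real breached-password list, and the word list is a constructed sample of a diceware-style list.

```python
import math
import secrets
import string

# Lower bound of the 14- to 16-character recommendation quoted above,
# for accounts without multi-factor authentication.
MIN_LENGTH = 14

# Constructed stand-in for a real breached-password blocklist. The four
# entries are the ones named in the article; a real list has millions.
COMMON_PASSWORDS = {"password", "12345678", "qwerty", "111111"}

# Constructed sample word list. A real diceware list has 7776 words.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gravel", "harbor",
    "iris", "juniper", "kelp", "lantern", "meadow", "nickel", "orchid", "pebble",
]

# Alphabet a password manager would draw from for a random password.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_password(password: str) -> list[str]:
    """Return the policy violations for a candidate password (empty = accepted).

    The blocklist check is case-insensitive: "Password" is no better than
    "password" when the attacker's wordlist already contains both.
    """
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


def generate_password(length: int = 16) -> str:
    """Random password from the full alphabet, using the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def generate_passphrase(n_words: int = 6, wordlist: list[str] = SAMPLE_WORDS) -> str:
    """Random passphrase: easier to remember than a random string, and still
    randomly generated, so its strength depends on the list size, not on the
    user's imagination."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Strength of a uniformly random passphrase in bits: n * log2(list size)."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate in ("password", "Qwerty", "correct horse battery staple"):
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
    print("random password:", generate_password())
    print("random passphrase:", generate_passphrase())
    print("6 words from a 7776-word list:",
          round(passphrase_entropy_bits(6, 7776), 1), "bits")
```

The entropy function makes the "randomly generated" advice concrete: six words drawn from the 16-word sample list give only 24 bits, while the same six words from a full 7776-word list give about 77 bits, which is why a password manager's list size matters more than how clever the words look.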
While a long and complex password or passphrase will improve the security of your account, there is an additional protective measure that is strongly recommended. Many of the accounts created online or in applications offer a protection called multi-factor authentication, or MFA. MFA gives an additional verification check that the person logging in to the account is the rightful owner. As we discussed previously, weak passwords that are easily compromised allow easy access for threat actors. MFA adds a verification speed bump that helps reduce account takeover and fraud. This additional check combines something you know (a password) with something you have in your possession, such as a cell phone or key fob; it can also involve something you are, such as a fingerprint or facial recognition. Many sites and services support MFA; it is usually offered at no charge and only requires a one-time setup to activate. As CISA shares, "You need more than a password to protect your online accounts; enabling MFA makes you significantly less likely to get hacked."
These four points combine to improve the cybersecurity posture of businesses and individuals alike. While there are plenty of complexities around the cybersecurity topic, at the end of the day it really is about people, our behavior, and how we interact with the technology around us. Each of us really can make a difference, provided we are willing, as CISA says, to "see ourselves in Cyber" and act on these best-practice recommendations. The journey always begins with the first step. Rehmann is here to empower you and your business to be cyber safe. Contact us today to learn more.