With world events reaching a fever pitch, it’s easy to see how you might have lost track of Cybersecurity Awareness Month.
No worries – we’ve got your back.
This year marks the 20th annual campaign by government and private enterprise to raise the profile of digital security and encourage everyone, from business leaders to private citizens, to protect their data from cybercriminals. The Cybersecurity and Infrastructure Security Agency (CISA) went all-in this year, producing its first-ever public service announcement, to air on TV and online, highlighting four aspects of cybersecurity that CISA hopes to amplify.
“Companies… have a role to play to secure our digital world,” CISA director Jen Easterly explained in an online video launching the campaign. “CISA is asking tech companies and software developers to secure our businesses and our individual customers by ensuring that their products are secure by design. That way, technology is secure right out of the box, and Americans are better protected.”
But it’s not just big tech companies that can make a difference. Enterprise leaders and security chiefs at organizations large and small in all industries can significantly boost their defenses by reading up on these four basic tenets of cybersecurity.
Companies have a role to play to secure our digital world.
We’ve made it easy. What follows are the four key issues for this year’s Cybersecurity Awareness Month, a tip from Easterly (in quotes and italics) on why each is important, and a link to the latest info from our coverage of these issues in the last year.
1. Use strong passwords | “Meaning long, random, and unique”
Passwords remain one of the weakest links in any enterprise’s computer network. The 2023 Weak Password Report by Specops, a password-management software firm based in Stockholm, analyzed more than 800 million compromised passwords – so we’re talking a pretty impressive sample size here – testing them against five regulatory standards, including NIST.
The bad news? A shocking number of compromised passwords – 83% – satisfied the length and complexity requirements of these standards.
The good news is that there were some pretty common foibles that are easily fixable, including length (88% of passwords co-opted in cyberattacks were 12 characters or less – so make yours longer), style (avoid all lowercase), and word choice: Soccer-related terms, including names of fave players like Lato, Pele, and Messi, are super popular, and (sorry, World Cup fans) hackers know this; and, yes, “password” is still one of the most common base words found in hacked passwords, so let’s just put that one to bed, agreed?
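The three foibles above (too short, all lowercase, a well-known base word dressed up with digits or symbols) are exactly the kind of thing an enterprise can check automatically before a new password is accepted. The following Python is an added example written for this page, not code from Specops or from the article: it applies those three checks, undoing common character substitutions so that "p@ssw0rd" is still recognised as "password". The minimum length of 13 follows from the report's finding that 88% of compromised passwords were 12 characters or fewer; the denylist is a constructed stand-in for a real breached-password list.

```python
import re

# Constructed denylist standing in for the report's most common base words
# (the article names "password" and soccer terms such as Lato, Pele, Messi);
# a real deployment would load a large breached-password list instead.
COMMON_BASE_WORDS = {"password", "soccer", "football", "lato", "pele", "messi"}

# Typical substitutions attackers already know about, undone before matching.
LEET = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
)


def base_word(password: str) -> str:
    """Reduce a password to its alphabetic core: lowercase, undo leet, drop digits/symbols."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def check_password(password: str, min_length: int = 13) -> list:
    """Return the list of weaknesses found; an empty list means the password passes.

    Thresholds follow the article: 12 characters or fewer is flagged as too short,
    no uppercase at all is flagged as all lowercase, and a denylisted base word is
    flagged even when padded with digits or symbols.
    """
    findings = []
    if len(password) < min_length:
        findings.append(f"too short: {len(password)} characters, want at least {min_length}")
    if not any(c.isupper() for c in password):
        findings.append("all lowercase: no uppercase characters")
    core = base_word(password)
    for word in sorted(COMMON_BASE_WORDS):
        if word in core:
            findings.append(f"common base word: {word!r}")
    return findings


if __name__ == "__main__":
    for candidate in ["p@ssw0rd123", "Messi10!", "Correct-Horse-Battery-Staple-2023"]:
        print(candidate, "->", check_password(candidate) or "ok")
```

The checks are deliberately additive: a long passphrase with mixed case and no denylisted word returns no findings, while a short, leet-spelled "password" trips all three, which is the combination the report found most often among compromised credentials.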
2. Turn on MFA | “You need more than a password on your most important accounts”
Here’s an important pivot: While strong passwords are important, passwords alone (no matter how strong) are not enough. That’s why CISA is also encouraging organizations to invest in multifactor authentication (MFA), which requires a username and password plus a temporary code or key sent to a user’s device.
Grim password facts: Hackers launch an average of 50 million password attacks every day – that’s 580 per second – and some 60% of data breaches are attributed to compromised credentials, according to Verizon.
And password resets are a budget killer: They’re a top reason workers call IT help desks, costing companies up to $70 per call, Forrester estimates, and more than $1 million annually for large organizations.
“Organizations aren’t going to chuck passwords overnight” – hence rule No. 1, above – “because doing so is complex,” explained Frank Dickson, a program vice president in IDC’s cybersecurity and trust research practice, in a story on passwordless trends we ran last fall. “But many are on that path,” he said.
Thanks to rising trust in zero trust as a cybersecurity model, organizations are increasingly implementing passwordless approaches like MFA, biometrics, and single sign-on (SSO) tools.
Not to give you whiplash, but it’s also true that MFA (some forms of it, at least) can be thwarted by hackers. It’s still one of the most effective verification methods out there, but certain, newer forms of MFA are better than others. Check out our story from this spring, below, which looks at how hackers are trying to get around MFA, and three tactics to defuse these attacks.
3. Spot and report phishing | “Think before you click”
“It started out to be a normal Friday for Alex in customer service. Nothing out of the ordinary….”
So begins an 18-minute audio story about a fictional – but very typical – cyberattack utilizing phishing and generative artificial intelligence (GenAI), produced by Dell and found on its website along with other resources and tools linked to Cybersecurity Awareness Month. (Take a listen by clicking here and scroll down to the link for “Audio story: A Modern Cyber Attack.”) Unfolding like a radio play, the tale points to the ways in which GenAI is making phishing emails and texts – those perilous messages sent to workers to try to trick them into clicking on links and revealing sensitive data – all the harder to spot.
Only a year ago, phishing messages were renowned for awkward phrasing and other typos that were giveaways to a scam in progress. But thanks to GenAI-fueled chatbots like ChatGPT, those messages are sounding increasingly real, and can even mimic a boss’s communication style, down to subtle nuances like phrases he or she frequently uses or words typically abbreviated or misspelled, thereby fooling employees.
And it doesn’t stop there. Voice phishing, aka “vishing,” in which scammers call you, is also on the rise (up 625% from 2021 to 2022, according to a recent report).
“Voice phishing can be more effective because people tend to let their guard down when they’re talking to someone,” explained KnowBe4 defense evangelist Roger Grimes, in a feature story Focal Point ran last fall. Check out the story below, which details how our writer was targeted by vishing scammers himself, and how business leaders can best train their workers to be vigilant.
4. Update software | “Enable automatic updates”
Too often, tech users think of software updates as optional, just the latest iteration of a product or tool with some new bells or whistles attached. Workers need reminding that software updates are also security-related, addressing vulnerabilities that need patching to keep us safer online.
Turning on automatic updates in the security settings of a device or application is a convenient way to get updates and one of the easiest ways to boost our cyberdefenses. (A tip for supervisors: It might be worth alerting your staff to CISA’s free webinar on keeping software up to date, being held Tuesday, October 24, 12-12:30 p.m. ET. To register, click here.)
For business leaders and security chiefs, the benefits of automation don’t stop there. Automating key security tasks like patch management, vulnerability management, and incident response can reap huge benefits. Threat intelligence feeds and security alerts can automatically trigger certain incident-response playbooks, depending on what is detected.
To the extent organizations can automate certain key security protocols, “they can substantially reduce their attack surface,” NCC Group senior security consultant Kenneth Swick told Focal Point. The story below highlights the ways automated tools and processes can assist security teams, threat hunters, and those building security operations centers.
TEST YOUR CYBER SKILLS!
Take this Pew Research Center quiz and see how well you can spot which password is most secure, define jargon (botnet? rootkit? DDoS?), and identify the truth about “private browsing” (which isn’t as private as you might think).