By Nick Gerbino and Antonina McAvoy, CISA, CISM, QSA, PCIP
IN THIS ARTICLE:
October 2023 marks the 20th Cybersecurity Awareness Month – an annual campaign designed to raise awareness of cybersecurity, both at home and at work. It “is a collaboration between government and private industry to raise awareness about digital security and empower everyone to protect their personal data from digital forms of crime.”
Secure Our World Program
This year, CISA (Cybersecurity and Infrastructure Security Agency) has announced a new awareness program called Secure Our World.
The Secure Our World program promotes four basic actions that everyone should take to stay safe online:
- Use strong passwords (and a password manager)
- Turn on MFA (multifactor authentication)
- Recognize and report phishing
- Update software
Use Strong Passwords
It is important to use a unique, strong password for each online account, especially as the username will tend to be similar from account to account; often, usernames are simply the email address.
Using different, strong passwords for each account means that even if one account is compromised in a data breach or cyberattack, others will be safe from brute-force attacks.
A strong password is long and complex, using a random mix of uppercase and lowercase letters, numbers, and special characters. A long password length greatly reduces the risk of the password being cracked.
If remembering long strings of characters seems impossible, try using a passphrase comprising three or four random words that are memorable but will be hard for others to guess.
Password managers can save time, work across all devices and operating systems, protect user identity, and incorporate alerts when a password could have become exposed to hackers. Prevailing myths about password managers being unsafe are largely untrue. CISA recommends these six password managers that offer a variety of free and paid services for personal or business use.
Turn On MFA
Multifactor authentication (MFA), sometimes known as two-factor authentication, helps ensure that even if someone does learn a password, the account remains secure. There are different forms of MFA, including an extra pin number, security question, code sent via email or text, a standalone app, secure token, or biometric identifiers.
We recommend turning on MFA for personal and business accounts, especially for banking, health, social media, and retail websites as well as email. Note that if MFA is turned off by default but it is available, turn it on.
Ransomware Assessments
Organizations with remote users connecting to their workplace systems could be at increased risk of cyberattacks. The rapid increase of remote access due to remote and hybrid work arrangements requires increased organizational risk management. At the same time, organizations must be prepared for ransomware attacks as threat actors focus on generating revenue streams by extorting users and organization of all sizes.
There are two types of cybersecurity audits to help small and medium-sized organizations better prepare for the current threat landscape: Identity and Access Management (IAM) and Ransomware Readiness assessments.
Recognize and Report Phishing
Phishing attacks are how most malware spreads and how most successful cyberattacks start. They are communications – usually emails, but increasingly social media messages and posts or SMS text messages to a cell phone – that look like they are from a trusted person or organization.
The messages usually create a false sense of urgency to encourage recipients to click a link or open an attachment. However, doing so will either result in malware being installed on the device or a fake website that will harvest any credentials that are entered.
Be sure the sender is recognizable, including the email address, and that the email was expected. Hover over links or attachments before clicking to ensure it is legitimate. If in doubt, reach out to the sender by phone or by composing a new email.
What is Phishing?
Phishing is when hackers send an email to bait the recipient into responding, clicking on a link, or opening an attachment. Phishing emails attempt to trick the person into revealing sensitive information, such as login credentials, personal information, or financial details. These emails are typically disguised to appear as if they come from a legitimate source, like a reputable company, government agency, or a friend or colleague.
How does one identify a phishing email?
The signs can be subtle, but once a phishing attempt is recognized, users can avoid falling for it. Before clicking any links or downloading attachments, take a few seconds and ensure the email is legitimate. With some knowledge, the phishers can be outsmarted!
Here are some quick tips on how to spot a phishing email:
- “EXTERNAL” Tag: Is the sender from someone within the company? The “EXTERNAL” tag is not applied to emails that originate within the organization.
- Deceptive Sender: Phishers often use fake email addresses or impersonate well-known organizations to make the email seem legitimate. They might use logos, email headers, and formatting that mimic the real company.
- Urgent or Threatening Language: Phishing emails often use emotional tactics, such as urgency or fear, to make recipients act.
- Fake Links: Phishers include links within the email that appear to lead to legitimate websites but direct recipients to malicious sites designed to steal information. Always hover the mouse cursor over links to see the actual URL before clicking.
- Attachments: Phishing emails may contain malicious attachments, such as infected files or documents. Opening these attachments can infect the device with malware.
- Request for Personal Information: Phishing emails often ask for sensitive information, such as username, password, credit card numbers, social security number, or other personal details. Legitimate organizations usually do not request such information via email.
- Grammatical and Spelling Errors: Many phishing emails contain typos, grammatical errors, or awkward phrasing. These mistakes can be a red flag.
- Unusual Sender Requests: Be suspicious of emails requesting money, gift cards, or wire transfers. Scammers may pose as a friend or family member in need of help.
- Unsolicited Emails: If an email is from an unexpected or unknown source, be cautious.
Uh oh! I see a phishing email. What do I do?
The hard part is recognizing that an email is fake and part of a hacker’s phishing expedition. Then:
- Report the email: Report to the IT department as quickly as possible (for business emails).
- Do not act: Do not respond, click on links, or open attachments.
- Delete: Delete the email from the Inbox and Deleted folders.
Update Software
Most cyberattacks are automated, so they require practically no skill to execute, are cheap and easy to run, and are indiscriminate, looking only to exploit common vulnerabilities rather than specific websites or companies.
It can be frustrating to update software sometimes, but it is also necessary. When devices, apps, or software programs (especially antivirus software) notify users that updates are available, the updates should be installed as soon as possible. Updates close security code bugs to better protect online data.
Cybersecurity awareness starts with you! The more that individuals know how to recognize potential cyberattacks, the more secure everyone’s data will be. It only takes one click for a cyber threat to turn into a breach.
For more information about cybersecurity awareness, contact author Nick Gerbino, Information Security Officer at PBMares.
To find out how to better protect your organization from cyberattacks, including risk advisory, business continuity planning, cyber risk assessment, information security awareness training, and more, contact Cybersecurity Team Leader Antonina McAvoy.