Cybersecurity Awareness Month 2022 runs from October 1 to October 31; the month of October has been dedicated to improving awareness about cybersecurity since 2004. Throughout October, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) will lead a collaborative effort between government and industry to improve cybersecurity awareness in the United States and beyond.
The theme of Cybersecurity Awareness Month 2022 is “See Yourself in Cyber.” Cybersecurity can be complicated, but ultimately it all boils down to people. The majority of cyberattacks and cases of online fraud are due to human mistakes and a lack of security awareness. The See Yourself in Cyber theme is therefore focused on the role every individual can play in preventing cyberattacks and avoiding online fraud by making smart decisions.
Everyone should have a security mindset regardless of their job or role. For individuals, that means being aware of risks, taking steps to protect privacy online, and not taking actions that could put their employer at risk. For vendors and suppliers, that means ensuring they have implemented strong cybersecurity safeguards to prevent cyberattacks and data breaches at their own company or further down the supply chain; this will also help them protect their brand and reputation. Owners and operators of critical infrastructure should be aware that their networks and systems are relied upon by a much larger ecosystem, and they should learn about the actions they need to take to ensure the cybersecurity of that larger ecosystem.
In previous years, each of the four weeks of October has had a different theme; for Cybersecurity Awareness Month 2022, however, CISA and the NCA will focus on four important behaviors that everyone should adopt. Each of these behaviors can have a huge impact on personal cybersecurity and the cybersecurity of organizations.
- Enabling multi-factor authentication
- Setting strong passwords and using a password manager
- Keeping software up to date
- Recognizing and reporting phishing
Enabling Multi-Factor Authentication
With multi-factor authentication enabled, accounts are protected by more than a password. This is important, as passwords can be stolen or guessed. With multi-factor authentication enabled, in addition to providing the correct username and password, at least one additional step is required to authenticate the user before access to the account is granted. That could be answering a security question, entering a one-time passcode sent to a mobile device, using an authenticator app, presenting a biometric identifier such as a fingerprint, or using a secure token, such as that provided by a physical key fob. Multi-factor authentication can thwart the majority of automated attacks on accounts.
Strong Passwords and Password Managers
A password is used to prevent unauthorized access to an account, but the problem with passwords is they can be guessed and no password is unguessable. Given enough time, passwords can be cracked using brute force methods – trying one password after another until the correct one is guessed. The latest GPUs make short work of that. A password of 6 characters, no matter what those characters are, can be guessed instantly. Even a password of 8 characters with numbers, upper- and lower-case letters, and symbols can be cracked in no more than 39 minutes.
Passwords should consist of at least 12 characters, be complex, and be unique for every account. If your password is sufficiently long and complex, it never needs to be changed. However, since most people will have to set dozens of passwords, it will not be possible to remember them all, so a password manager should be used. With a password manager, passwords do not need to be remembered – only one long, complex password must be memorized: the password that is used to access the password manager’s password vault. Password managers are low cost and there are even free versions – Bitwarden, for example, has an excellent free tier. Just avoid storing passwords in browsers, as this method is much less secure.
Keeping Software Up to Date
Vulnerabilities are regularly identified in software and operating systems, and it often does not take long for malicious actors to start exploiting them. Many of these vulnerabilities can be exploited remotely with no user interaction required. You should keep on top of software updates and ensure they are applied promptly, and ideally, set your software and operating system to update automatically. You should never install unofficial (pirated) software, as the installers are often bundled with malware.
Recognizing and Reporting Phishing
Phishing is one of the most common methods used by malicious actors to gain access to accounts or install malware. Phishing is the use of deception to trick someone into taking an action that benefits the attacker. Phishing is mostly conducted via email but can also occur via SMS messages, social media networks, websites, instant messaging services, or even over the phone. Many phishing attempts are easy to spot, but scammers often go to great lengths to hide these scams. The important thing is to stop and think before taking any action suggested in an email or message, whether that is clicking a link or opening an attached file. All phishing attempts or suspicious messages received at work should be reported to your security team. If the phishing attempt came to a personal account, delete the message and consider blocking the sender through your email service.
Cybersecurity for Businesses
The above measures should be made a priority by all businesses, and Cybersecurity Awareness Month 2022 is the ideal time to start. Security awareness training should be provided regularly to the workforce, and employees should be given the tools they need to make it easy for them to play a role in the cybersecurity of the organization: provide them with a one-click option for reporting suspicious emails to the security team, such as an email client add-on; provide them with a password manager to help them set strong passwords; teach cybersecurity best practices; and conduct phishing simulations. Businesses should also ensure that cybersecurity is considered when making decisions about purchases of new products or services. Cybersecurity should never be an afterthought.