Any InfoSec manager worth their salt – or IT manager, for that matter – will tell you that every day should be cybersecurity awareness day. But as the saying goes, “if everyone’s special, no one’s special.” So, it is worth designating a special time to raise cybersecurity awareness, even though in reality, we should be attending to it at ALL times.
To this end, the US Department of Homeland Security (DHS), in partnership with the National Cybersecurity Alliance has designated October as “National Cybersecurity Awareness Month (NCSAM),” a tradition that started in 2003. The theme for this year’s NCSAM is “Do Your Part. #BeCyberSmart.”
Fortunately, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) has gone beyond catchy slogans to publish a set of very useful Tip Sheets that are available to copy, distribute, summarize, or adapt to support user education efforts, without any copyright restrictions.
As an InfoSec or IT professional, you are undoubtedly doing everything you can to secure your information infrastructure to the fullest possible extent. But as you well know, any chain is only as strong as its weakest link. Educated and vigilant users are a vital element of your cybersecurity strategy – perhaps one of the most vital, since infrastructure can do only so much to protect against user error.
So, with that in mind, we are pleased to feature some of the major points that CISA recommended emphasizing to users during National Cybersecurity Awareness Month – and every month.
Cultivate a “Zero Trust” Mentality
The dominant approach to data security today is Zero Trust — regarding everything, every user (inside or outside your physical facility), every website, every downloaded document, as untrusted unless proven otherwise. You can read more about how to apply this principle to protect your organization in our recent blog post marking “Ten Years of Zero Trust – From Least Privilege Access to Microsegmentation and Beyond.”
Getting into the “Zero Trust” weeds is not necessary for most users, but it IS vitally important that they pay attention and be circumspect (read: suspicious). They should know that if they get an email that is at all out of the ordinary, they should take a close look at the sender’s email address before opening it. Hackers on “phishing expeditions” will often create a “from” email address that looks very similar to a legitimate address, including the sender’s name. But if it’s not the sender’s normal email address, that’s a hint that something could be phishy.
One of the most important things users can do to protect themselves – and your organization – against phishing attacks is to be very, very careful before clicking on any email addresses or links within an email. It’s child’s play to display a different email address or link than the actual one. There’s an easy way to check. Simply hover over an email address or link before you click it, and make sure that what shows in the hover is the same as what’s in the text. For example, hover over this link: https://O365.MirosoftOnline.com/login. If a user clicks on that link, it will not take him anywhere he – or you – want him to go.
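The same “hover before you click” check can be automated at the mail gateway or in a mail-client add-in. The Python below is an added example, not code from the original post or from CISA; the sample HTML body and the list of known-good domains are constructed for illustration.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body (not from the original post): the first link
# shows one address but targets a lookalike host, the second hides a mailto
# target behind a familiar-looking address, the third is honest.
SAMPLE_HTML = """
<p>Sign in: <a href="https://O365.MirosoftOnline.com/login">https://login.microsoftonline.com/</a></p>
<p>Billing: <a href="mailto:billing@example-payments.net">billing@example.com</a></p>
<p>Docs: <a href="https://example.com/docs">https://example.com/docs</a></p>
"""
# Constructed list of domains the organisation knows to be legitimate.
KNOWN_DOMAINS = ["microsoftonline.com", "example.com"]

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased host of a URL, or the domain part of an e-mail address."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    return (urlparse(value).hostname or "").lower()

def find_mismatched_links(html):
    """The hover check, automated: return (href, text) pairs where the
    visible text names a host other than the one the link really targets."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.links
            if ("://" in text or "@" in text) and host_of(href) != host_of(text)]

def lookalike_of(host, known=KNOWN_DOMAINS, threshold=0.8):
    """Return the known domain that `host` closely resembles without matching
    (a dropped or swapped letter), or None when it is exact or unrelated."""
    registrable = ".".join(host.lower().split(".")[-2:])
    if registrable in known:
        return None
    for candidate in known:
        if difflib.SequenceMatcher(None, registrable, candidate).ratio() >= threshold:
            return candidate
    return None
```

Run against the sample body, the first two links are flagged as mismatched and the first link’s host is additionally reported as a lookalike of microsoftonline.com.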
Once someone’s email has been hacked, their account may send messages that are really from that account – only they are hacked messages loaded with malware. One of the newer phishing scams involves people who hack into LinkedIn accounts, and then send messages from that hacked account. The messages actually come from your connection’s account, but not from the connection: It’s a cybercriminal who is actually sending it, along with a link that installs malware on your device when clicked.
On the infrastructure side, an important and highly effective way to protect against users who click on the wrong link, despite your best educational efforts, is to install Remote Browser Isolation (RBI). RBI isolates any potential damage from phishing and other website-based social engineering attacks away from your network, vastly reducing the risk from human factor errors that inevitably occur.
Don’t be Lazy About Passwords
Users often don’t want to be bothered with good password hygiene, leaving them vulnerable to brute force attacks. Remind them:
- Not to make cyberthieves’ job easy. Use long and complex passwords. Some of the most common passwords are “123456” and “password.”
- Not to reuse passwords. A cyber break-in in one place shouldn’t give the bad guys keys to all of a user’s goodies.
- To use a password manager. It enables users to have unique, long, and complex passwords for every site without driving themselves crazy.
- To use multifactor authentication whenever it’s offered.
Be Careful When Travelling
When on the road, users should be aware of these additional risks and recommendations:
- “If you connect it, protect it.” Anything that’s connected to the internet, whether it’s a laptop, smartphone, tablet, game device, or anything else, should be protected. That means keeping all software up to date and patches applied.
- Back up before setting out. Make sure all important information is securely backed up, so that if a device is lost, stolen, or hacked into, important data won’t be lost.
- Turn autoconnect off. Some devices may automatically connect to networks, which could be a very bad idea – a cybercriminal might access the device the second the user logs on.
- Make sure any networks used are legitimate – in other words, make sure it’s really the hotel’s network you’re logging into, not some other network. If logging in from an unsecured public access point, such as a coffeeshop, avoid doing anything involving sensitive information.
- Be aware of physical security. Don’t leave any equipment, including USB or other storage devices, unattended in a public place.
True cybersecurity is a joint venture between organizations and their users. National Cybersecurity Awareness Month is a great time to educate your users on the things they can do to help keep both their own personal data and the organization’s data safe.