Cybersecurity Month: What You Should Do All Year Long
October 11, 2022 by Emil Sayegh
With cooler weather ushering in the start of another fall season, it is also time to usher in another Cybersecurity Awareness Month. And just in time for this annual focus on cybersecurity we’ve seen two major security breaches in just the last two weeks: Uber and Take-Two Interactive. Since 2004, the president of the United States and Congress have declared October to be Cybersecurity Awareness Month. During that month, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) lead a collaboration between government and industry to raise cybersecurity awareness domestically and globally.
Cybersecurity Awareness Month serves as a needed reminder of the continued risks and the significance of cybersecurity in general. The recent 800% rise in cyber-threats points to the fact that awareness needs to be year-round. That is why we call attention to these five useful and proven tips for your organization:
#1: Improve on Identity and Authentication
Identity and Authentication are generally regarded as gateways to a major data compromise, and there are a handful of best practices that serve as the front-line for protecting sensitive data:
It all starts with strong passwords and password policies. Enforce these wherever you can, and from the perspective of personal behavior, don’t reuse passwords on multiple sites. Hopefully, passwords are not the only thing standing between your accounts and the critical or personal information they contain. Additionally, multi-factor authentication (MFA) is an absolute must-have in the wild world we live in. Although MFA alone is not foolproof, it is a critical step in ensuring the proper gatekeepers are in place for a comprehensive security posture.
That leads us to Zero Trust, which is a principle that organizations should be driving toward at full speed. Zero Trust treats every system and every user with the utmost caution, using encryption, biometrics, MFA, and every means necessary to validate everything, everywhere, at any time. Both the Uber and Take-Two Interactive breaches this September are driving renewed focus on this important security approach.
#2: Embrace End-to-end Encryption
Not so long ago, data protection meant something that was fortified with a strong perimeter to defend it. As we have moved to a nimbler, cloud-based and distributed foundation and workforce for all we do, locked away data can no longer guarantee security as it flows from endpoints, through networks, to mega data systems.
The only way to make security possible is with full encryption, and it is a principle you should implement everywhere for data in transit and at rest. Most cloud systems have this figured out, but when you secure your endpoints, your mobile phones, your applications, and your email, and enforce those aspects of security throughout the data lifecycle, your security risks will see significant reductions.
#3: Update Software and Systems
Take a moment to look at your software updates and device patching regimen. This basic exercise assures that you are running the best possible versions of the firmware and software you use every day. It also pays to take an inventory of the software you don’t regularly use and that may be adding risk in the background. The same applies to devices such as firewalls, routers, and networks, as vendors work to address discovered vulnerabilities through patches and platform updates designed to improve security. Many of the technical exploits that are reported can be traced to system vulnerabilities that were discovered through scanning by malicious third parties.
Severe vulnerabilities typically drive rapid updates, so at times there may be a balance between managing security updates against the requirements of stability. However, in most cases, things like automatic and routine updates can only serve to improve your overall security.
#4: Educate on Cybersecurity
Many threats are levied against the front line, from social engineering to technical means, and these threats are often the first domino to fall in a sequence of events. One of the most common tactics is the use of phishing, which has been around for decades but continues to evolve. Not so long ago, fake emails were easily spotted because of bad spelling and grammar, but that is no longer the case. Criminals spoof trustworthy institutions and brands with similarly named domains, pirated logos, and entire pages that look like the real thing.
To blunt these deceptive tactics, cybersecurity training is one of the best investments an organization can make to bolster a culture of cyber-awareness. When users know what to look for and become familiar with the tactics that bad actors use to gain access to sensitive accounts and information, they can report suspicious activity such as phishing emails to IT.
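The "similarly named domains" tactic described above can be checked mechanically before a message ever reaches a user. The following is an added example, not code from the original article or its author: it folds look-alike characters (digits for letters, Cyrillic letters that render like Latin ones, accented letters), then compares the sender's domain against a constructed allow-list of domains the organization actually deals with. The trusted domains, confusable tables and sample addresses are all constructed for illustration, and the "registrable part" helper simply takes the last two labels, which is an assumption that ignores public-suffix cases such as co.uk.

```python
"""Flag e-mail sender domains that imitate trusted brands.

Added example (not from the original article). All domain lists, confusable
tables and sample senders below are constructed for illustration.
"""
import unicodedata

# Constructed allow-list: domains the organisation genuinely corresponds with.
TRUSTED_DOMAINS = ["paypal.com", "microsoft.com", "example-bank.com"]

# Cyrillic letters that render like Latin ones (small constructed subset).
UNICODE_CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
}
# ASCII substitutions seen in typosquats; multi-character keys go first.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_domain(domain: str) -> str:
    """Fold visual look-alikes onto plain ASCII so a typosquat collapses
    onto the domain it imitates."""
    text = domain.lower()
    text = "".join(UNICODE_CONFUSABLES.get(ch, ch) for ch in text)
    # NFKD splits an accented letter into base letter + combining mark; drop the marks.
    text = "".join(ch for ch in unicodedata.normalize("NFKD", text)
                   if not unicodedata.combining(ch))
    for src, dst in ASCII_CONFUSABLES:
        text = text.replace(src, dst)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two means a single-keystroke typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_part(domain: str) -> str:
    """Last two labels. Assumption: no public-suffix list, so 'co.uk'-style
    suffixes are not handled."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, reference): 'trusted', 'lookalike' (with the trusted
    domain being imitated) or 'unknown' (with the sender's own domain)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted", domain
    norm = normalize_domain(domain)
    reg = registrable_part(norm)
    for good in trusted:
        brand = good.split(".")[0]
        # 1. Whole-domain imitation once look-alike characters are folded.
        if norm == good or reg == good:
            return "lookalike", good
        # 2. Trusted domain used as a subdomain of somebody else's domain.
        if norm.startswith(good + "."):
            return "lookalike", good
        # 3. Brand name embedded in a different registrable domain.
        if brand in reg:
            return "lookalike", good
        # 4. Close edit distance on the registrable part (classic typosquat).
        if levenshtein(reg, good) <= max_distance:
            return "lookalike", good
    return "unknown", domain


# Constructed sample senders covering each case the checks above handle.
SAMPLE_SENDERS = [
    "alerts@paypal.com",
    "security@paypa1.com",
    "support@p\u0430ypal.com",               # Cyrillic 'a' in place of Latin 'a'
    "billing@micros0ft-support.com",
    "noreply@example-bank.com.account-verify.net",
    "newsletter@unrelated.org",
]


def scan(addresses):
    """Classify every address; returns (address, verdict, reference) triples."""
    return [(addr, *classify_sender(addr)) for addr in addresses]


if __name__ == "__main__":
    for addr, verdict, ref in scan(SAMPLE_SENDERS):
        print(f"{verdict:9} {addr:45} -> {ref}")
```

The brand-substring rule (check 3) is deliberately aggressive: it will also flag legitimate partners whose domain happens to contain a trusted brand name, so in practice a result of "lookalike" is a reason to hold a message for review or warn the recipient, not to block silently. Check 1 is what catches the homoglyph and digit-for-letter cases the article describes; the others catch the subdomain and typosquat variants.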
#5: Revisit Your Breach Readiness Plan
Few people think about it – it is an uncomfortable notion in its very nature, but you must be ready for the unthinkable and prepare your planned response in the case of a cyber-event. And this must be done at regular intervals. Hopefully, a breach is something you rarely if ever encounter, but when you have an updated readiness plan in place, it makes all the difference in the world when the need arises.
A breach readiness plan ensures that everyone understands their roles and responsibilities in not only preventing, but responding to an incident, no matter how minor or severe it might appear to be.
Let’s Keep it Going
If we all commit to revisiting these tips throughout the year on a weekly, monthly, or maybe even bi-monthly basis, we promote a culture of cybersecurity awareness within our organizations. We need to each assess where our respective organization is in terms of cybersecurity maturity, and move it forward with these principles in mind. Maintaining a proactive and not a reactive approach to cybersecurity is the end goal of awareness, and your security baseline will thank you for it.
This article was originally published in Forbes. Please follow me on LinkedIn.