Summary: National Cybersecurity Awareness Month is upon us, and there’s no better time to brush up on your security hygiene practices. Short on ideas? Overwhelmed and don’t know where to start? Just brought on a batch of new remote workers and already afraid they’re walking liabilities? Check out these six suggestions for improving your cyber safety this month.

 

October is National Cybersecurity Awareness Month. While it might be years before you’re invited to a BBQ in its honor, the month certainly is gaining more relevance with each passing year. 93% of company networks are now breachable by hackers, one source notes, and nearly 1 in 3 organizations say they don’t have the funding for proper cyber protection. With that in mind, any month might be a good month to be more cyber aware. Now, who wants a laundry list of next-gen security solutions you’ll have no idea how to configure?

Not many, it’s safe to bet. That’s why this year’s theme is “See yourself in cyber,” meaning that although cybersecurity can make most everyday users throw up their hands, the simple truth is that it’s all about people. Keeping that in mind, here are some key tips to staying cyber-safe this month – for an individual, small business, or enterprise.

What is National Cybersecurity Awareness Month

First off, whose idea was this? Back in 2004, the President and Congress declared October National Cybersecurity Awareness Month, in an effort to get people to think more seriously about protecting digital assets that – after the naïve and optimistic dot com era of the 1990s – very much needed protection. The problem was that we didn’t bake in security measures back then, so we have to go back and fill in the gaps now. And we’re still filling.

Cybersecurity Awareness Month is “a collaboration between government and private industry to raise awareness about digital security” and is headed by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA). helps people know how to better secure their data online. Visit the NIST website and find ways to get involved, resources for getting started, a great section on Telework Security Basics and Securing Conference Calls and a ton of other things we’re still unsure if we’re doing right.

If ever there was a time to slow down and take stock of your security assets, it’s now. How safe are your remote workers? Are they all using the company VPN? Do they have MFA on every device (especially those BYODs (bring your own devices) and connected IoT (Internet of Things) devices)? When’s the last time they’ve had phishing training? How safe is your network in-office when many hybrid workers transfer between devices connected to home (or public) Wi-Fi and your office ethernet? Do they even badge in?

We’ve been in a headlong rush towards getting digitally connected, and that goes for schools, salons, grocery stores, and major retail chains. Just about everybody. This month of this year is significant because we’ve had enough time to spin up something significant, cloud architecture is everywhere, everyone is online and past the initial transition stage – and now we need to look around and ask ourselves if we’re doing it right. Will what we just set up be sustainable? Or are there major security gaps? That’s the purpose of National Cybersecurity Awareness Month.

How to “Celebrate” Cybersecurity Awareness Month

Don’t expect parades or floats, gifts or cards, flowers or chocolates, or TikTok challenges. No, it’s more like a version of Hunger Games. The best way to honor the game is to not die. In other words, the best thing you can do for Cybersecurity Awareness Month is to find new ways to NOT GET HACKED. If you’re short on ideas, here’s a good six. If you’re already doing these, just wait until next October. There’s sure to be more (and you’ll need them).

  1. Multi-Factor Authentication (MFA) is a must. Usernames and passwords are frequently guessed, stolen, or cracked. Adding another form of authentication increases your chances of safety by an order of magnitude. Try biometrics, an SMS-based pin, an authenticator app, a token-based entry, or an extra PIN.
  2. STRONG passwords. If you do use (only) a password, or if you use one at all – which is most everyone, even with MFA – then you need to play by the rules. They should be 12-18 characters in length, include symbols, numbers, and CAPS, and never be reused. You know the drill. Also, consider a password generator (which randomizes them to the Nth degree) and a password manager.
  3. Keep your software updated. Hackers go for the low-hanging fruit. They’re not going to waste resources on a sophisticated APT (Advanced Persistent Threat) if they can get in through a stale vulnerability and wreak the same havoc. A study conducted by researchers from the Institute for Internet Security at the Westphalian University of Applied Sciences analyzed over 5.6 million websites and found that 95% of websites run on outdated software with known vulnerabilities. Yikes. Patch, patch, patch. And update.
  4. Report phishing. If you see something, say something. Don’t assume most people will spot the same nonsense and stay away (or that you will for that matter). 90% of all data breaches arise from successfully landed phishing attempts notes CISCO’s 2021 Cybersecurity Threat Trends report. Security awareness training helps.
  5. Map to MITRE ATT&CK. The MITRE ATT&CK framework is the most exhaustive and up-to-date resource for all known threats across the globe. Take a look at your security stack and make sure the tools you have are the ones that can block these threats. You can consider this a bare minimum for cyber safety as fileless malware and many emerging risks don’t even make the list.
  6. Secure by industry. Due to geopolitical tensions, critical national infrastructure subsets like water, gas, healthcare, and electricity have been hit hard (Colonial Pipeline notably). This is largely due to a lack of cybersecurity compliance and uniformity within the sectors. CISA, the FBI, and the NSA have warned about these risks, so make sure you know the government-mandated compliance specifications for your industry.

Like it was stated in Forbes, “Not everyone in an organization needs to understand concepts like SPF records and DNS cache poisoning, but empowering every employee with information relevant to their role helps them stay safe online—both at work and home.” That’s true. And it’s also true that in an enterprise, or even small business, you’re going to need to know those things like DNS cache poisoning and mapping to MITRE and locking down authentication across multiple cloud applications. That’s why a CISO could help, or even an advisor. ITEGRITI is a cybersecurity consulting and advisory firm that can help you figure out where to being. It can be overwhelming, especially if you’ve implemented some solutions, but aren’t sure if you’ve got gaps.

They can help you design a cybersecurity program from the ground up, help you create a secure app, prep you to meet compliance and regulatory requirements, connect you with their  Managed Security Services (including a vCISO), or just help you Get Stuff Done. National Cybersecurity Awareness Month is one of the biggest industry-wide pushes for cyber resilience, and it helps to have help on your side. Learn more about how ITEGRITI can bolster your cybersecurity strategy this Awareness Month.