Cybersecurity awareness is personal

Jasmine Fransen | 10/17/2022

4 Things you can do

Individuals can do these four things to increase their cybersecurity awareness and stay safe online.

October is Cybersecurity Awareness Month, sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA). This year’s theme, “See Yourself in Cyber,” focuses on the important role people play in cybersecurity awareness. In this second of two posts celebrating Cybersecurity Awareness Month, a Crowe cybersecurity professional discusses four specific things that individuals can do to strengthen their online security.

Personal data breaches and account compromises can be devastating for organizations. But for individuals, cyberattacks are personal. Financial assets, personal information, identity documentation, personal media, and a sense of security are just some of the things that can be lost. That’s why cybersecurity awareness isn’t just a concern for organizations or a topic in the news; it’s a necessity.

Luckily, individuals can do a lot, proactively, to avoid trouble. In line with CISA’s Cybersecurity Awareness Month focus, users can do four things to become more secure online, namely enabling multifactor authentication (MFA), using strong passwords, recognizing and reporting phishing, and updating software.

Let’s get into it:

1. Enabling multifactor authentication

Multifactor authentication can seem like just an annoying extra step that banks and other organizations require. Why is it so important?

MFA adds a layer of protection when logging into sensitive, frequently targeted resources such as banking websites, work portals, and other online services. It requires at least two of the three independent types of evidence that a user is who they claim to be: something only the user knows, something only the user has, or something only the user is.

A website that requires only a username and password, for example, asks for just one thing: something the user knows (the password). If an attacker can guess or steal that password, nothing further is needed to log in. With MFA in place, a second form of authentication is required to prove the user is legitimate, most often receiving and responding to a one-time code or prompt on a smartphone (something the user has). Other forms of MFA include biometric scanning, physical key fobs, and voice recognition.

So, what can users do to increase online safety with MFA? It’s simple: They should use it as much as possible. MFA controls are often optional on many personal online resources such as email inboxes, media and cloud storage services, and online shopping sites. But optional doesn’t mean unnecessary.

Users can go one step further and centralize MFA registrations using common authentication apps such as:

  • Microsoft™ Authenticator
  • LastPass Authenticator
  • Google Authenticator
  • Duo Security

Not all online services support authenticator applications, but where they do, an authenticator app is preferable to SMS text-message codes, because SMS-based MFA is less secure.

Individuals should also be aware that attackers sometimes trigger MFA prompts themselves in the hope that the account owner will approve one. If users receive an MFA request by SMS or in an authenticator app while they are not actively logging into that service, they should not approve or respond to it. On a personal account, users should immediately identify the service where the login attempt was made and change that password; on a work or business account, they should contact the organization’s IT help desk or security department.

2. Using strong passwords

The best practice of using strong passwords is not new, but it’s critical. Passwords should be at least 15 characters in length and optimally include numerals, symbols, and upper- and lowercase letters.

Creating and using strong passwords might sound like a no-brainer, but the majority of users still tend to use and reuse less secure passwords for the sake of convenience and because remembering dozens of unique, strong, and complex passwords is just not feasible. To increase password security, individuals can rely on several techniques, including:

  • Using a password manager. Password managers are a great way to streamline account access and security. They allow users to centrally store account login info and configure strong passwords that are computer generated. Default, built-in, browser-based password managers are not ideal, especially if the device being used is shared between individuals.

    Free and paid versions of password managers are available that can be just as efficient in providing strong passwords and securing accounts without solely relying on device and browser security controls. When users find a password manager they like, it can become the main place to go to access online resources without ever having to enter a password into additional websites. 

  • Creating a strong master password with MFA. Once a password manager is used to store and manage account credentials, creating a strong master password is extremely important. The master password is essentially the key to the user’s entire data kingdom.

    If using a password manager, users will only ever need to remember one password, so it should be as strong as possible. By enabling MFA on their password managers, users can keep account management information safe.

  • Using passphrases instead of passwords. A passphrase is a sentence-like string of words used for authentication that is longer than a traditional password. It’s easy to remember and difficult to crack.

    Instead of trying to think of a strong password, users can create a short, easily remembered phrase or sentence. For example, the phrase “secure my cyber world” could be turned into a passphrase by adding and subtracting characters and switching spaces and letters to numbers and special characters to become “S3cur&m1c^b3rw0rlD.” Users might need to slow down and think about each character while typing in the passphrase the first few times, but it will soon become muscle memory and might become the very last passphrase they ever have to remember. Any new passwords can be randomly generated and stored in the password vault. By using a passphrase, users can set it and forget it.

  • Testing passwords. Anyone who has been online for any period of time has likely been involved in an information breach or hacking incident, and their passwords might have already been compromised. Users can take advantage of certain websites, including HaveIBeenPwned, to determine which accounts might be vulnerable.

    Password management solutions can help test password strength and security. Once users save account and password info in a robust password management solution, the password vault can identify which passwords are weak or reused to help users reconfigure safe and secure passwords. Users can also test individual password strength with trusted online resources, such as a password security tool.

3. Recognizing and reporting phishing

Phishing is when a threat actor or hacker poses as a trusted source and sends fraudulent digital messages, such as email, with the intent of manipulating individuals into revealing personal information, gaining unauthorized access to a system, or installing malicious software through a download file or link. Phishing exploits the first line of defense in cybersecurity – people.

Security controls on devices and online accounts can all be negated if individuals unknowingly provide hackers access or a foothold into their online worlds. According to the Verizon 2022 Data Breach Investigations Report, 82% of breaches relied on the human element, whether through social engineering, error, or the most successful tactic: email phishing.

Individuals should pay special attention to every email they receive and think through the following questions before opening them:

  • Was I expecting this email? Emails from unusual sources should be suspect.
  • Is this a sender address I trust? Users should hover over or expand the sender to make sure the actual email address matches the displayed name.
  • Does the formatting, logo, sender address, or action request in the email seem off? If so, users should not respond, click links, or download attachments.
  • Do these links or attachments look legitimate? Hovering over a link or attachment name reveals the actual destination address, and if that address seems suspicious, the safest move is not to click.
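The two "hover" checks in the list above (does the real sender address match the displayed name, and does a link's visible text match where it actually points) can be automated for a mailbox or a mail gateway. The following is an added example, not code from the original post or from Crowe: it uses only the Python standard library, a constructed sample message with made-up domains (bank.example, mail-verify.test), and approximates the owning domain as the last two hostname labels.

```python
# Added example, not from the original post: automates the two "hover" checks
# (sender name vs. real address, link text vs. real target) on a constructed
# sample message. Standard library only; all domains below are made up.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Something that looks like a hostname, e.g. "bank.example".
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.IGNORECASE)
# An anchor tag with its href and visible text (sufficient for simple HTML bodies).
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)


def base_domain(host):
    """Owner-level domain, approximated as the last two labels.
    Assumption: no public-suffix list, so 'co.uk'-style suffixes are not handled."""
    return ".".join(host.lower().split(".")[-2:])


def phishing_indicators(raw_email):
    """Return a list of warnings for one RFC 5322 message with an HTML body."""
    msg = message_from_string(raw_email)
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender = base_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    # Check 1: the display name mentions a domain other than the real sender's.
    for claimed in DOMAIN_RE.findall(name):
        if base_domain(claimed) != sender:
            warnings.append(f"sender name claims {claimed} but address is {addr}")
    # Check 2: the visible link text names a domain other than the href's host.
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        target = base_domain(urlparse(href).hostname or "")
        for shown in DOMAIN_RE.findall(re.sub(r"<[^>]+>", "", text)):
            if base_domain(shown) != target:
                warnings.append(f"link text shows {shown} but points to {target}")
    return warnings


# Constructed sample: the display name and link text imitate "bank.example",
# while the real address and the first link's target are under "mail-verify.test".
SAMPLE = """From: "Security at bank.example" <alerts@mail-verify.test>
Subject: Verify your account
Content-Type: text/html

<p>Please <a href="https://bank.example.mail-verify.test/login">log in at
bank.example</a> to confirm, or <a href="https://bank.example/help">get help</a>.</p>
"""
```

Running `phishing_indicators(SAMPLE)` yields two warnings, one for the sender name and one for the first link; the second link, whose text and target agree, produces none.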

Above all, users should never open an attachment unless they know the sender and were expecting an attachment, and they should be suspicious of any email that wants them to follow a link to a website. Additionally, any email believed to be a phishing attempt should be reported. Email platforms have different spam and phishing report options, and phishing emails on work or business email need to be reported according to the organization’s standards.

4. Updating software

Just as organizations manage device updates and software patching, individuals should follow similar best practices. Keeping software up to date is a crucial part of securing digital information. While some software and operating system updates only provide new or adjusted functionality and features, others fix vulnerabilities. Security software such as anti-malware, credential managers, and VPN clients needs to be kept updated as well; if these tools are out of date, they cannot effectively protect devices and information.

Taking an inventory of personal devices and identifying if any updates are available for apps, software, and operating systems is a good idea. Removing apps and software that are no longer in use can reduce overall exposure.

Cybersecurity awareness is a 24/7 effort

Cybersecurity Awareness Month is a great time for organizations and individuals alike to assess their network and device security. But cybersecurity awareness is also a 24/7, year-round exercise.

By staying informed, monitoring devices and networks, being cautious online, and dedicating time and attention to security best practices, we can stay productive and safe online.

Microsoft is a trademark of the Microsoft group of companies.