1. Use strong passwords and a password manager
Strong passwords are the first step to account security because poorly protected credentials become attack vectors. In fact, 15% of breaches analyzed in IBM’s Cost of a Data Breach Report 2023 occurred because of stolen or compromised credentials – second only to phishing at 16%.
When setting strong passwords, an easy rule to abide by is that “length is strength,” and unique phrases are better than single words for creating passwords that aren’t easily guessed. Strong passwords are:
- At least 16 characters long
- Never used anywhere else
- Randomly generated
An ever-present challenge for internet users is how to protect the dozens (maybe hundreds!) of passwords they need to use. A password manager can store passwords and then secure them with one very long, unique, highly unguessable password in combination with MFA.
Periodically monitoring breached data aggregation sites such as HaveIBeenPwned to check whether your account information has been compromised and rotating any exposed credentials as soon as possible are also smart steps.
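The three rules above and the breach check can be turned into a small client-side routine. The example below is added here and is not code from the article or from HaveIBeenPwned; it generates passwords from the OS CSPRNG, enforces the 16-character minimum and the no-reuse rule, and checks the password against breach data using the k-anonymity scheme the Pwned Passwords range API uses (SHA-1 the password, send only the first five hex characters, match the remaining 35 locally). The range responses here are a constructed stub so the code runs offline; the "previously used" list and the breach counts are made up for illustration.

```python
import hashlib
import math
import secrets
import string

MIN_LENGTH = 16  # "at least 16 characters long"


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG (secrets, never the random module)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist, words: int = 5, sep: str = "-") -> str:
    """Random passphrase; strength comes from the list size and word count."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a uniformly chosen passphrase: words * log2(list size)."""
    return words * math.log2(wordlist_size)


def hibp_prefix_suffix(password: str):
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the range API and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines as returned for one prefix."""
    counts = {}
    for line in body.splitlines():
        suffix, _, count = line.strip().partition(":")
        if suffix and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


# Constructed stub standing in for GET https://api.pwnedpasswords.com/range/{prefix}.
# 5BAA6 is the real prefix of SHA-1("password"); the counts are made up.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000\n"
             "0018A45C4D1DEF81644B54AB7F969B88D65:1\n",
}


def fetch_range_offline(prefix: str) -> str:
    """Offline replacement for the HTTP call; only the prefix ever leaves the client."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    prefix, suffix = hibp_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def check_password(password: str, previously_used, fetch_range=fetch_range_offline):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password in previously_used:
        problems.append("reused from another account")
    seen = breach_count(password, fetch_range)
    if seen:
        problems.append(f"appears {seen} times in breach data")
    return problems


if __name__ == "__main__":
    used = {"correct-horse-battery"}  # constructed list of passwords already in use
    for candidate in ("password", "correct-horse-battery", generate_password()):
        print(candidate, "->", check_password(candidate, used) or "ok")
```

Only the five-character prefix is ever transmitted in a real client, so the service learns nothing usable about the password itself; the suffix match and the reuse check stay local.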
2. Enable MFA
Passwords often get leaked. To better protect accounts, more factors should be used beyond passwords to authenticate users, and MFA can help.
Applying a combination of factors to authenticate makes account compromise much more difficult. These factors include:
- Something users know, such as a personal identification number or a relative’s middle name
- Something users have, such as a confirmation text
- Something users are, such as a fingerprint or facial recognition
Typically, this level of protection is accomplished via a multifactor authentication code sent to a separate, known-good device such as a pre-enrolled phone. This simple extra step prevents adversaries from simply guessing a password and taking over an account.
Multifactor authentication is essential in protecting access, but hackers have a reputation for being one step ahead. They have created social engineering attack tools to defeat MFA, so MFA is not 100% foolproof.
3. Recognize and report phishing
By now, most people likely have heard of phishing attacks – and for good reason. According to its 2023 report, IBM found that phishing attacks represented the second most expensive attack, and they cost organizations $4.76 million.
Because phishing is such a prominent threat, organizations invest in workplace training to help employees recognize and prevent these types of attacks. Such training is critical, as it’s important to remind all users that phone calls, emails, and texts might not be coming from trusted sources and should be questioned, even if they appear legitimate at first.
By taking a second look before complying with risky requests in these communications, individuals can avoid becoming victims of bad actors, and they could even help prevent compromise of their organizations. Going a step further and reporting the phishing attack helps keep others from succumbing to the same ploys.
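Some of the "second look" checks that awareness training teaches can be automated so that a reported message is triaged consistently. The example below is added here and is not code from the article; it parses a raw email with the standard library and flags three common indicators: a Reply-To domain that differs from the From domain, a display name that impersonates an address at another domain, and link text that shows one host while the href points to another. The two messages are constructed samples on reserved .example domains, and the indicator list is illustrative rather than exhaustive.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Lower-cased host of a URL or bare domain, with a leading 'www.' removed."""
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def address_domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Replies are steered to a domain other than the apparent sender's.
    reply_domain = address_domain(str(msg.get("Reply-To", "")))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 2. The display name itself looks like an address at a different domain.
    if "@" in display_name:
        shown = display_name.rpartition("@")[2].lower()
        if shown != from_domain:
            findings.append(f"display name claims {shown} but sender is {from_domain}")

    # 3. Link text that looks like a URL but resolves to a different host.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            if "." in text and " " not in text:  # text looks like a URL or domain
                shown, actual = host_of(text), host_of(href)
                if shown and actual and shown != actual:
                    findings.append(f"link text shows {shown} but points to {actual}")
    return findings


# Constructed sample messages (reserved .example domains).
SUSPICIOUS_EMAIL = """\
From: "accounts@bank.example" <noreply@mail-alerts.example>
Reply-To: "Support" <verify@bank-secure.example>
To: user@corp.example
Subject: Action required: confirm your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Click <a href="http://bank-secure.example/verify?id=1">https://bank.example/login</a> to confirm.</p>
<p>Questions? Visit <a href="https://bank.example/help">our help page</a>.</p>
</body></html>
"""

BENIGN_EMAIL = """\
From: "Alice" <alice@corp.example>
To: user@corp.example
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Same place as last time? See https://corp.example/wiki/lunch for the vote.
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SUSPICIOUS_EMAIL):
        print("-", finding)
```

Indicators like these support, rather than replace, the human judgement the training builds: a message with no findings can still be a phish, and the output is best used to prioritise reported messages for a responder.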
Ultimately, security awareness training helps strengthen organizational security awareness efforts and prevent breaches – and it’s worth the investment of time and resources. According to a 2022 report on cybersecurity attitudes and behaviors by the NCA and CybSafe, 58% of the participants who had received training reported that they were better at recognizing phishing messages, and 45% said that they had started using strong and separate passwords.
4. Update software
Keeping software up to date is absolutely critical. Individuals and organizations should consider their whole digital footprint, including mobile devices, laptops, desktops, tablets, applications, web browsers, and operating systems, when determining what needs to be kept up to date. Organizations typically have mechanisms to push updates to controlled devices; however, personal devices are still part of the equation. When an update prompt from a trusted source appears and requests user approval to update an application, the update should be allowed right away. Even better, users can choose to set software to update automatically.
Delaying updates could be disastrous, as adversaries are frequently reverse-engineering updates and developing exploits. It’s important to look beyond the main operating system and update individual applications as well, as they are often overlooked and offer a similar attack surface for adversaries to exploit.
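Looking across the whole footprint and measuring how long a fix has been available is something a small inventory check can do. The example below is added here and is not code from the article; it compares installed versions against the version an advisory says fixed the issue and reports how many days each component has been exposed since that fix was published. Versions are compared numerically component by component (a plain string comparison would rank "9.0" above "10.0"). The inventory, the advisories and the dates are constructed sample data, not real releases.

```python
import re
from datetime import date


def parse_version(version: str) -> tuple:
    """'121.0.6167' -> (121, 0, 6167); non-numeric tails such as 'rc1' are ignored."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_outdated(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


def patch_status(inventory, advisories, today: date):
    """Return one finding per (device, component) still below the fixed version,
    longest-exposed first. Components without an advisory are skipped."""
    findings = []
    for item in inventory:
        advisory = advisories.get(item["component"])
        if advisory is None or not is_outdated(item["version"], advisory["fixed_in"]):
            continue
        findings.append({
            "device": item["device"],
            "component": item["component"],
            "installed": item["version"],
            "fixed_in": advisory["fixed_in"],
            "days_exposed": (today - advisory["published"]).days,
        })
    return sorted(findings, key=lambda f: f["days_exposed"], reverse=True)


# Constructed inventory covering OS, browser and an application on two devices.
INVENTORY = [
    {"device": "laptop-1", "component": "desktop-os", "version": "22.04.3"},
    {"device": "laptop-1", "component": "browser", "version": "120.0.6099"},
    {"device": "laptop-1", "component": "pdf-reader", "version": "10.1.2"},
    {"device": "phone-1", "component": "mobile-os", "version": "17.3"},
]

# Constructed advisories: the version that contains the fix and when it shipped.
ADVISORIES = {
    "desktop-os": {"fixed_in": "22.04.4", "published": date(2024, 3, 1)},
    "browser": {"fixed_in": "121.0.6167", "published": date(2024, 1, 23)},
    "pdf-reader": {"fixed_in": "9.5.0", "published": date(2023, 11, 2)},
    "mobile-os": {"fixed_in": "17.3", "published": date(2024, 1, 22)},
}

if __name__ == "__main__":
    for f in patch_status(INVENTORY, ADVISORIES, date(2024, 3, 15)):
        print(f"{f['device']}/{f['component']}: {f['installed']} < {f['fixed_in']}, "
              f"exposed {f['days_exposed']} days")
```

The "days exposed" figure is the number an operations team should watch: it is the head start the text describes adversaries getting while they reverse-engineer the update, and the browser entry above shows how an individual application can lag far behind a promptly patched operating system.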
Stay aware
Cybersecurity Awareness Month is the perfect opportunity to review individual practices and organizational policies to stay ahead of threats and remain secure in the modern, internet-connected world. By using strong passwords and a password manager, enabling MFA, recognizing and reporting phishing, and updating software, we can all do our part to secure our world.