It’s October, so once again, Cybersecurity Awareness Month is here. For the last 23 years, security professionals in government and industry have collaborated to raise awareness about the importance of cybersecurity.
This year’s theme, “See Yourself in Cyber,” focuses on the important role individuals play. Cybersecurity can be a complex issue, but individuals are at the heart of successful risk mitigation efforts. In short, individuals who “see themselves in cyber” can make informed decisions, mitigate risk, and ultimately help make workplaces, schools, and homes safer and more secure.
So how can everyday users see themselves in cybersecurity? Three areas in particular provide opportunities for individuals to take proactive measures.
Many people rely on their internet service provider to connect them to the internet and, in many cases, even supply and manage the devices used to do so. But what if individuals acted as their own network administrators? It is actually easier than one might think.
Helpful guides exist for securing home networks, so home administrators don’t need to go out and get a degree in networking. Hands-on projects such as updating routers, changing administrator passwords and Wi-Fi network names, and disabling insecure settings can help build basic cybersecurity skills – and some people might even find they have a knack for it.
A solid first step for new home administrators is to lock down the router, starting with changing the default, factory-set passwords; the exact steps vary by make and model. Beyond that, home administrators can try to configure a more secure domain name system (DNS) server, such as Pi-hole. They can also follow a guide to harden their personal machines or even create a separate segment of the network (like the guest network) to house those pesky internet of things (IoT) devices that come with questionable security features.
Locking down home networks isn’t just a personal project. In a work-from-home world, home networks are extensions of organizational networks. Therefore, keeping home networks clean from viruses and malicious actors helps eliminate an attack vector for those aiming to gain unauthorized access to organizational resources.
Sometimes in organizations, people make decisions to use products or services based on a simple cost-benefit analysis. Making security part of those criteria helps prevent future problems. For example, IoT devices in the office can aid in productivity and convenience, but will the manufacturers keep those devices up to date and patch critical vulnerabilities as they are discovered? Although it might not be obvious, the costs associated with allowing insecure devices on a network are significant, so security should always be factored into purchasing decisions.
Beyond devices, third parties have a huge impact on organizational security – even vendors that might not seem like they do. Some might comply with security requirements and perform self-assessments such as a system and organization controls (SOC) report. However, this step (among others) is not a guarantee of security. Individuals who make purchasing decisions should learn what data vendors will need access to and how those vendors plan to use it. Additional questions to ask include how the vendors plan on protecting the organization’s data and what network access might be granted to them.
Beyond a SOC report, purchasers should work with their organization to understand the security standards that vendors must meet and attest to. They also should collaborate with the organization’s third-party management team to evaluate each vendor and determine how effective its security controls are. At the very least, a “right to audit” clause in the purchasing contract preserves the option to verify those controls in the future.
The most direct and obvious contribution individuals can make to their organization’s cybersecurity efforts is to remain vigilant and learn to recognize phishing attempts. Beyond phishing, however, it’s important for everyone to be aware of other similar threats that include entry into physical offices, phone calls, and texts.
Cybersecurity awareness extends beyond what goes on online. If located in a physical office, individuals should be empowered to confront people they don’t recognize or who don’t have identification clearly displayed. It might be uncomfortable at first, but allowing someone to physically gain access to sensitive areas, systems, and data is ultimately far more uncomfortable. Educating employees about the blind spots that enable social engineering attacks is a key component of empowering them to make informed, careful choices.
Similarly, individuals should be made aware that rogue phone calls are often “vishing” (voice phishing) attempts. Disclosing any more information than necessary when speaking to strangers on the phone should be avoided. Bad actors on the other end of the line might not be trying to get users’ passwords, but they could still be mining for information as part of an attack.
Lastly, texts are not any more secure – “smishing” (SMS text phishing) is a real threat. Threat actors use zero- and one-click exploits to hijack cell phones and spy on users, so rogue text messages should be treated with the same suspicion as unexpected emails.
It’s important for everyone to acknowledge the critical role they play in cybersecurity. By participating in cybersecurity awareness rather than just filing away email reminders about phishing or password hygiene, we can all help build a culture of cybersecurity and help make organizations more resilient to cyberthreats.