October does not only mean we get to enjoy pumpkin spice lattes and hot apple cider, but it is also National Cyber Security Awareness Month (NCSAM). According to National Initiative for Cybersecurity Careers & Studies (NICCS), this years’ theme is “Own it, Secure it, Protect it”. The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA) co-lead the NCSAM initiative each year (NCSAM Toolkit).
With Lynx Technology Partners specializing in the delivery of dynamic cybersecurity and risk management solutions, we would like to provide some high-level best practices around cybersecurity awareness. We will offer them from two perspectives – that of the everyday user, and the perspective of organization/cybersecurity teams:
Everyday User – Advice We Can All Follow
So, what does “Own it, Secure it, Protect it” mean?
“Own it”: According to the 2019 NCSAM Toolkit, “Own it” relates to understanding our digital profile. Today our digital profile is weaved into all aspects of our lives – at home, work, school, etc. Awareness and understanding the impact that everyday technology has on our digital profile becomes increasingly important. Each of us should take steps to keep our information safe and secure.
“Secure it”: Once we own and understand our digital profile, it becomes imperative to “Secure it”. We all know that cybercriminals are experts in gaining access to information from unsuspecting victims. And their methods are getting more sophisticated as technology evolves. We can protect ourselves from cyber threats by learning about and utilizing security features available on the equipment and software we use (NCSAM Toolkit).
“Protect it”: Don’t become a victim of cybercrime! We need to understand, secure, and protect our digital profile. Good practices, such as completing updates, changing passwords, and checking privacy settings are imperative to make it more difficult for cybercriminals to find and exploit a lack of “cyber hygiene.” They will usually take the path of least resistance. We should generally error on the side of caution and report/follow-up on any suspicious activity.
Below a few tips to follow, not only during Cyber Security Awareness Month but every day, in order to stay protected:
- Double your login protection – employ two factor authentication when possible
- Change up your password protocol
- Do not use the same password in multiple places
- Keep tabs on the apps you use and download
- Avoid networks that are not secured
- Be cautious about posting/providing personal information on social media platforms, whether it is on your personal timeline, surveys/questionnaires, lists or during conversations
- Don’t fall for “phishy” emails
- Stay up to date with your anti-virus software
Advice for The Security Pro
Security Professionals understand the growing threat of attacks that face organizations every day. Attackers are getting more organized and increasingly persistent, while also understanding that most organizations face a shortage of qualified resources to deal with urgent security tasks. It is important to utilize the workforce as a first line of defense. Every employee should understand the important role they play in keeping the organization safe. They should receive adequate training to raise awareness and increase compliance with security policies. Training will also help employees understand that Security Professionals cannot and should not have to tackle this challenge in a vacuum. Here are four areas that most every organization can continue to improve upon to increase their security posture:
- Tie Business Risks and Information Security together
- Increase training and awareness
- Phishing prevention
- Mature Identity and Access Management
Information Security and Business Risk
Cybersecurity vulnerability threatens business financials, reputation and overall viability. It is extremely important to understand the impact different types of incidents may have on the business, so that the organization can better plan and prepare for different scenarios based on the organization’s risk appetite. Risk Management is an important element of this and aligns security priorities with the overall corporate vision and goals to protect critical digital assets and systems. Aligned in this way, organizations can accomplish more with fewer resources and investment.
Focus on these top five areas:
- Define and understand your risk appetite and tolerance
- Don’t confuse compliance with security
- Develop and implement policies and procedures
- Focus on training and awareness, increase accountability
- Manage Info Sec proactively, not reactively
Identity (Access) Management
Identity and Access Management policies and frameworks ensure the right people have access to the right data and systems, so that they can perform their jobs properly. Insider threats account for nearly 75% of security breach incidents, yet some companies still focus heavily on external actors and may ignore the threat from within. Identity and Access Management is an important step toward eliminating insider threats. Other benefits include:
- Reduced IT Costs
- Easier Reporting and Auditing
- Improved Remote Access
- Increased Productivity
- Better User Experience
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. Since many experts report that more than 90% of hacking attacks start with phishing emails, there is certainly cause for alarm. User training is key, so employees recognize a phishing attempt. Many organizations opt to run simulated phishing campaigns targeting employees to measure the effectiveness of the user training, which can be very effective.
Password Creation and Usage
As mentioned, this is an often-overlooked practice that is simple but effective. A strong password provides protection against one of the most common ways hackers access information. There are many techniques and technologies in place to improve password protection, but for organizations it is important to have a creation and usage policy in place that gets enforced.
In the end, cyber security should not just be a priority for one month out of the year, it is something that should be incorporated into company processes and policies and practiced every day.
Use these tips and keep an eye out for more information throughout the month to help you on your journey to cyber security!