Cybersecurity Awareness Month: Securing our world

Michael Salihoglu | 10/2/2023

October is Cybersecurity Awareness Month, sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA). This year, CISA announced a new, evergreen theme for cybersecurity awareness — "Secure Our World" — which can inform organizations' security efforts during the month of October and year-round. In this article, a Crowe cybersecurity professional discusses specific actions that individuals and organizations can take to strengthen their security posture.

Raising cybersecurity awareness helps protect everyone, and these four proactive actions are a good place to start.

October has been known as Cybersecurity Awareness Month since 2004. Over the years, the sponsoring organizations have focused on various themes to raise awareness about why cybersecurity matters and about proactive actions individuals and organizations can take.

This year, as they did in 2022, CISA and the NCA suggest four ways to stay safe online and to strengthen cyber resilience: use strong passwords and a password manager, enable multifactor authentication (MFA), recognize and report phishing, and update software.


1. Use strong passwords and a password manager

Strong passwords are the first step to account security because poorly protected credentials become attack vectors. In fact, 15% of breaches analyzed in IBM’s Cost of a Data Breach Report 2023 occurred because of stolen or compromised credentials – second only to phishing at 16%.

When setting strong passwords, an easy rule to follow is that “length is strength,” and unique phrases are better than single words for creating passwords that aren’t easily guessed. Strong passwords are:

  • At least 16 characters long
  • Never used anywhere else
  • Randomly generated

One challenge that is ever present for internet users is how to protect the dozens (maybe hundreds!) of passwords they need to use. A password manager can store passwords and then secure them with one very long, unique, highly unguessable password in combination with MFA.

Periodically monitoring breached data aggregation sites such as HaveIBeenPwned to check whether your account information has been compromised and rotating any exposed credentials as soon as possible are also smart steps.
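To illustrate the “length is strength” rule and the three criteria above, here is an added Python example (not from the original article) that generates passwords and passphrases with the OS cryptographic random source and compares the entropy of common choices. The wordlist is a small constructed sample; a real passphrase generator would draw from a large published list.

```python
import math
import secrets
import string

# 94 printable ASCII symbols (letters, digits, punctuation), no whitespace.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample wordlist for demonstration only; a real generator would
# use a large published list (for example a 7,776-word diceware list).
SAMPLE_WORDS = ["anchor", "basil", "cobalt", "delta", "ember", "falcon",
                "granite", "harbor", "indigo", "juniper", "kestrel", "lumen"]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string drawn uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16) -> str:
    """Random password over the 94-symbol alphabet using the OS CSPRNG.

    Enforces the article's minimum of 16 characters. secrets.choice is
    unbiased and unpredictable; random.choice is not suitable for secrets.
    """
    if length < 16:
        raise ValueError("password must be at least 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist=SAMPLE_WORDS) -> str:
    """Random passphrase: several words joined by '-', each chosen with secrets."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def meets_guidance(password: str, minimum: int = 16) -> bool:
    """Length check only: uniqueness and randomness cannot be judged from the string."""
    return len(password) >= minimum


def length_vs_complexity() -> dict:
    """Why 'length is strength': an 8-character password over all 94 symbols
    has less entropy than a 16-character password of lowercase letters only."""
    return {
        "8 chars, 94 symbols": round(entropy_bits(8, 94), 1),
        "16 chars, 26 lowercase": round(entropy_bits(16, 26), 1),
        "16 chars, 94 symbols": round(entropy_bits(16, 94), 1),
        "5 words, 7776-word list": round(entropy_bits(5, 7776), 1),
    }
```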

2. Enable MFA

Passwords often get leaked. To better protect accounts, users should be authenticated with additional factors beyond a password, which is what MFA provides.

Applying a combination of factors to authenticate makes account compromise much more difficult. These factors include:

  • Something users know, such as a personal identification number or a relative’s middle name
  • Something users have, such as a confirmation text
  • Something users are, such as a fingerprint or facial recognition

Typically, this level of protection is accomplished via a multifactor authentication code sent to a separate, known-good device such as a pre-enrolled phone. This simple extra step prevents adversaries from simply guessing a password and taking over an account.

Multifactor authentication is essential in protecting access, but hackers have a reputation for being one step ahead. They have created social engineering attack tools to defeat MFA, so MFA is not 100% foolproof.

3. Recognize and report phishing

By now, most people likely have heard of phishing attacks – and for good reason. According to its 2023 report, IBM found that phishing was the second most expensive initial attack vector, at $4.76 million per breach on average.

Because phishing is such a prominent threat, organizations invest in workplace training to help employees recognize and prevent these types of attacks. Such training is critical, as it’s important to remind all users that phone calls, emails, and texts might not be coming from trusted sources and should be questioned, even if they appear legitimate at first.

By taking a second look before complying with risky requests made through these communications, individuals can avoid becoming victims of bad actors, and they can even help prevent compromise of their organizations. Going a step further and reporting the phishing attempt helps keep others from falling for the same ploy.

Ultimately, security awareness training strengthens organizational security and helps prevent breaches – and it’s worth the investment of time and resources. According to a 2022 report on cybersecurity attitudes and behaviors by the NCA and CybSafe, 58% of the participants who had received training reported that they were better at recognizing phishing messages, and 45% said that they had started using strong and separate passwords.

4. Update software

Keeping software up to date is absolutely critical. Individuals and organizations should consider their whole digital footprint, including mobile devices, laptops, desktops, tablets, applications, web browsers, and operating systems, when determining what needs to be kept up to date. Organizations typically have mechanisms to push updates to managed devices; however, personal devices are still part of the equation. When pop-ups (from trusted sources) appear and request user approval to update applications, such updates should be allowed right away. Even better, users can set software to update automatically.

Delaying updates could be disastrous, as adversaries are frequently reverse-engineering updates and developing exploits. It’s important to look beyond the main operating system and update individual applications as well, as they are often overlooked and offer a similar attack surface for adversaries to exploit.

Stay aware

Cybersecurity Awareness Month is the perfect opportunity to review individual practices and organizational policies to stay ahead of threats and remain secure in the modern, internet-connected world. By using strong passwords and a password manager, enabling MFA, recognizing and reporting phishing, and updating software, we can all do our part to secure our world.
