October is Cybersecurity Awareness Month! That means now is the perfect time to review your security awareness and practices—especially in light of recent data showing that human error accounts for over 80% of cybersecurity incidents.
In Canada, the theme this year is stepping up your cyber fitness. So, let's get back into shape with these weekly security workouts for the month of October.
Week one: Learn about common threats
When you begin a workout, you start by warming up. So, for week one, we'll focus on reviewing the common cybersecurity threats faced by businesses.
Ransomware
In 2021, 37% of all businesses and organizations were targeted by ransomware, a type of malicious software designed to block access to a computer or network until a certain sum of money is paid. Attackers try to infect companies' internal systems with ransomware and demand payment to regain access to their data.
The worst part? Paying the ransom hackers ask for doesn't ensure that you'll receive access to your files—or guarantee that they won't attack you again. Research shows that 80% of organizations that paid experienced a subsequent attack.
We recently covered everything small businesses need to know about ransomware, which you can review for more in-depth guidance. We'll also provide some more detailed tips to thwart ransomware attacks later.
Business email compromise
Business email compromise is another growing attack vector worth familiarizing yourself with. It's often highly targeted and typically involves a malicious actor impersonating a high-ranking company official or client to get an employee to transfer funds or sensitive data.
There are a few ways to defend against these attacks, the most common of which is using multi-factor authentication (MFA). MFA requires a user to provide more than one type of authentication to access an account or resource. It takes user authentication to the next level, making it easy and convenient for authorized users to access an account but very difficult (ideally impossible) for anyone else to.
Another option is implementing an integrated suspicious email analysis service (SEAS). Offered as part of Covalence, our cybersecurity solution, SEAS allows users to send suspicious emails directly to our expert analysts to confirm (or deny!) their legitimacy.
Phishing attacks
Finally, we have phishing attacks. These also often occur via email but tend to be large-scale scams rather than highly targeted. Hackers send emails to employees with malicious files attached to them, disguised as normal documents, or malicious hyperlinks.
If the employee clicks on the link, they'll be taken to a fake login page where their username and password could be compromised. They might also be asked to download a file, which could infect their computer and potentially compromise their company's entire network.
You should also be aware of spear phishing attacks. These use the same type of approach, but they're more targeted and sophisticated than a standard phishing attack.
Week two: Account workout
If week one is about learning, week two of Cybersecurity Awareness Month is about taking action. Here are some quick tips to keep your accounts more secure.
Enable MFA
If you haven't enabled multi-factor authentication yet, now is the perfect time. As mentioned earlier, MFA employs another security check besides simply entering a password to log into an account.
Since 2019, Microsoft has claimed that MFA can block over 99.9 percent of account compromise attacks. While they don’t expand on exactly which types of MFA are considered in the claim, Google published some more specific statistics on the effectiveness of device-based MFA in a blog, proving that these methods can be extremely effective at preventing even sophisticated and targeted attacks.
Practice good password hygiene
Let's also take a minute to strengthen your passwords and make it exponentially more difficult for an attacker to breach your accounts through brute force.
Here are some tips:
- Focus on length and complexity: Longer passwords take more computing power to break. A password that's at least 16 characters long, combining upper and lowercase letters, numbers, and symbols, can significantly boost your account's security.
- Don't use the same password twice: If someone guesses one of your passwords, you don't want them to be able to breach all of your secure accounts.
- Never store passwords in your browser: If you store your passwords in your browser, a hacker only needs to gain access to that browser to breach your most important accounts. Using a secure password manager is your safest bet.
Week three: Self-defense
In week three, we're training in self-defense. Here are three ways to improve yours.
Virtual private networks
Virtual private networks (VPNs) are becoming more common in the workplace as employees increasingly work from home and need to connect to secure internal systems.
But VPNs can also be an attack vector for malicious actors. As with any exposed service, VPN use should be strictly controlled to prevent unauthorized access. We offer some suggestions for securing your VPN here.
Network visibility
Network visibility is the practice of making sure you're aware of everything moving through your company's internal networks. When you have visibility, it becomes much easier to spot malicious actors quickly when there's a breach, which could help you avoid significant damages.
The key to network visibility is reliable data collection. You need tools that show you what's going on in your network and provide contextual, easy-to-understand alerts when unusual events occur. That way, you can take action quickly to thwart any threats.
Network visibility is extremely important, but it can be tough to do on your own, given the complexity of constant data collection and analyses. You may want to research expert-assisted threat analysis services to help you with this.
Cybersecurity solutions
Now is also a good time to start thinking more seriously about dedicated cybersecurity solutions for your business. This can involve network visibility, threat monitoring, and protection against other threats your business faces. Some of the most popular solutions are:
- Managed detection and response (MDR)
- Extended detection and response (XDR)
- Endpoint detection and response (EDR)
We cover the details of these solutions in another post.
Week four: Muscle maintenance
By week four, you've hopefully taken the time to research your top threats and take action to protect against them. Now, you're in the security maintenance phase. Here are some tips.
Password managers
Many people have trouble remembering complex passwords, leading them to choose simpler passwords that are easier to recall—and easier for others to guess. One way to avoid this is to use a password manager.
Password managers store your username and passwords for all of your accounts. You can make your passwords as complex as they need to be to remain secure without memorizing all of them.
However, you still need to implement strong security practices while using a password manager. This technology is generally safe from hackers thanks to strong encryption. But hacks are still possible, as evidenced by the 2023 breach of LastPass, one of the most popular services in this market. You can protect your passwords further by enabling multifactor authentication and keeping your software up to date.
The importance of patching
It's also important to continue patching your software when new updates are available. These updates are often issued to close security vulnerabilities. The longer you wait to update critical software, the more at risk you may be from malicious actors.
For example, Apple recently released an emergency patch to address two zero-day vulnerabilities in operating systems for iPhones, iPads, MacBooks, and Watch devices. The vulnerabilities had been exploited to distribute Pegasus malware but have since been resolved thanks to the patch. Users who haven't downloaded the patch yet risk having their devices infected with malware.
Making space for data backups
Finally, you should back up critical data regularly. Data backups ensure you have another way to access important information, even if your main database is breached, erased, or the subject of a ransomware attack.
Just make sure to store your data backups in an independent location to ensure they aren't vulnerable to the same attacks.
Week five: Strength in numbers
Finally, we want to close with the importance of working in numbers as you celebrate Cybersecurity Awareness Month.
If even just a few employees follow the strategies outlined in this article, you can boost your cybersecurity. But true security is a group effort. Cybercriminals can target anyone, and everyone needs to practice good security habits for the strategies we've outlined to achieve their full effects.
That could mean educating and training the employees in your company by sharing security resources like this article. You may also need to create and enforce security-minded policies, like requiring employees to use MFA with their passwords whenever possible and installing updates for critical software as soon as they are available.
Get your cybersecurity starter kit
Cybersecurity Awareness Month is the perfect opportunity to get serious about securing your company's most precious data, networks, and accounts. But there's no reason you need to do all the work alone.
Our free Cybersecurity Starter Kit is the perfect way to get started. It features a handpicked collection of our top resources designed for businesses looking to strengthen their defenses.
So why wait? Download your free copy today.
