Cybersecurity Awareness Month: 8 Tips for Businesses
This post was originally published at https://invenioit.com/security/cybersecurity-awareness/
October is National Cybersecurity Awareness Month, which means now is the perfect time to make sure your business is protected against the latest threats.
43% of cyberattacks are targeted to small businesses, according to Verizon's 2019 Data Breach Investigations Report. And those numbers are on the rise. Business detections of malware jumped 79% since last year, according to Malwarebytes, largely due to an increase in backdoor malware, miners, spyware and data stealers. And if you aren't sure what those terms mean, then this is the perfect opportunity to educate yourself (and your staff).
What is Cybersecurity Awareness Month?
National Cybersecurity Awareness Month is a joint effort between the business community and federal government agencies in the United States. It's held every October to help raise awareness of the importance of cybersecurity.
The U.S. Department of Homeland Security (DHS), which helps spearhead the initiative each year, says the month-long event aims to "ensure that all Americans have the resources they need to be safer and more secure online."
History
National Cybersecurity Awareness Month was first launched in 2004 by DHS and the National Cyber Security Alliance (NCSA). The initiative was originally designed as a "broad effort" to help all Internet users stay safe when using the Web.
The Internet landscape in 2004 was arguably much different than it is now. (For perspective, Google was only a few years old, and Facebook was still being run from Mark Zuckerberg's dorm room.) However, some of the most common threats from that period still remain dangerous today.
In 2004, officials thought of Cybersecurity Awareness Month as a cybersecurity-focused version of fire awareness efforts. After all, Daylight Savings Time reminds you to change the batteries in your smoke alarm once a year. So, Cybersecurity Awareness Month was meant to remind you to do things like "update your antivirus software twice a year." (Gasp!)
For consumers and businesses
When it was launched, National Cybersecurity Awareness Month was principally directed to consumers and home PC users. But over time, a wide range of commercial businesses became involved as well.
Businesses saw the importance of making customers and employees aware of dangerous cybersecurity risks. Workplace cybersecurity initiatives and consumer-focused efforts help to spread awareness and boost the bottom line as well. (Cyberattacks on employees or customers can be extremely costly for businesses.)
Objectives and areas of focus
The current goal of Cybersecurity Awareness Month is to "emphasize personal accountability and stress the importance of taking proactive steps to enhance cybersecurity at home and in the workplace."
Collaborating agencies divided this year's awareness into three core categories under its tagline, "Own It. Secure It. Protect It."
Own It
· Travel security tips
· Online privacy
· Social media
· Internet of Things
Secure It
· Password best practices
· Multi-factor authentication
· Workplace security
· Phishing awareness
· E-commerce security
Protect It
· Social media bot awareness
· Disinformation campaigns
· Common scams and theft
· Best practices for digital home products
What should businesses do for Cybersecurity Awareness Month?
For workplaces, cybersecurity awareness should not be limited to one month a year. Rather, it should be integrated into a year-round program consisting of training, reminders and safe web/email practices for all personnel.
Even better, some businesses may want to incorporate cybersecurity prevention into their business continuity and disaster recovery planning.
That said, the month of October can be used to add an extra layer of awareness for businesses. As mentioned above, programs can be targeted to two audiences:
· Employees: Awareness of the latest cybersecurity risks that threaten the business, along with actionable tips for how personnel can help prevent attacks.
· Customers: Tips for securely using the company's website, online ordering, etc., as well as information on how to identify phishing emails vs. legitimate company communications.
Using this year's theme of "Own It. Secure It. Protect It" as a guide, organizations can narrow the focus of their October awareness programs to specific areas of risk. Similarly, businesses that currently lack the cybersecurity measures listed in the DHS's guidelines can use the tips as a framework for future implementations.
Strong cybersecurity typically requires equal cooperation from IT administrators and end users. Here are some tips to make those efforts more successful this month (and beyond).
1) Update all devices and software
Unpatched software is a cyberattack waiting to happen. When applications and operating systems aren't updated, hackers can exploit known vulnerabilities to gain access to data and even take control of the device.
Implement IT policies that ensure your software, anti-malware applications and operating systems are updated automatically. Or, consider using a centralized patch management system to streamline this process across all end points. If, for some reason, updates must be manually added by end users, then there must be a program in place to ensure employees actually do this.
2) Protect on-the-go devices
Today's workforce increasingly works remotely or on the go. Laptops, tablets and smartphones are just as integral to productivity as traditional desktop workstations. But unfortunately, the mobile devices are often an afterthought when it comes to cybersecurity.
Make sure all devices have security protection, regardless of what network they're on. Implement strict IT policies that prevent unauthorized devices (such as employees' personal devices) from being connected to the company network or being used for an employee's day-to-day job responsibilities.
3) Back up everything
Data backups are the bedrock of business continuity planning, as well as cybersecurity defense. When files are lost or compromised by ransomware and other threats, often the only solution is restoring a backup.
End users typically have little control over this, so it's imperative that IT departments implement a dependable disaster recovery solution that protects all data on every device. Users can do their part by ensuring that data is always stored within protected network directories, rather than their unprotected personal folders.
4) Enable multi-factor authentication
Multi-factor authentication (MFA) is becoming a must for accessing any platforms away from the company network. That includes company email, SaaS applications, payroll systems and so on.
MFA requires a user to confirm their identity via a secondary authentication process. For example, if a user logs into G Suite on a desktop, they can be required to confirm the login attempt on their smartphone app. This significantly reduces the risk of hackers being able to break into a user's account, even if the culprit has the correct login information.
Implement MFA whenever possible on systems that are accessed externally by employees.
5) Enforce stronger passwords
Weak passwords are no match for hackers' brute-force applications, which break through logins by guessing thousands of combinations within minutes.
Whenever possible, require users to create longer, more complex passphrases for all company logins. Passwords should incorporate a variety of characters and should not be duplicated across any other platform. Additionally, IT can help reduce the risk of brute-force hacks by limiting the number of failed login attempts before accounts are locked.
6) Prevent successful phishing scams
Phishing scams are a common entry point for hackers to gain access to company networks and applications. From there, they can deploy ransomware or numerous other forms of malware, such as spyware, cryptojackers, banking Trojans and more.
Educating employees on how to identify a phishing scam can go a long way to preventing them from being duped. Users should know the common signs of suspicious emails and what to do with them. Avoiding email attachments and hyperlinks from unknown senders is a critical point that should be stressed frequently. (Cybersecurity Awareness Month is the perfect time to remind them.)
7) Reduce e-commerce hacks
Hackers use e-skimming and other malware to steal your customers' credit card information when they make a purchase from your website. In many cases, the malicious code is inserted due to vulnerabilities on the business end, such as weak administrator passwords, phishing scams or inadequate website security.
Businesses should proactively monitor all online transactions for signs of fraud and implement stronger cybersecurity to eliminate vulnerabilities. Customers should also be reminded of safe practices for shopping online and warned against common e-commerce scams.
8) Direct customers to helpful cybersecurity resources
Businesses don't have to spend months building their own cybersecurity toolkits for customers and employees. If you have limited resources for these efforts, simply direct customers to the wealth of information that's already available.
The Department of Homeland Security has already done the work for you. A plethora of tips, worksheets, posters, web banners and other digital creative make it easy to distribute this information to any channel. There are also government-run training events, both virtual and in-person across the country, which can provide additional education. These programs are especially useful for smaller businesses that don't have resources to conduct their own in-house training.
What happens after October?
Remember: the end of Cybersecurity Awareness Month does not mean that your cybersecurity initiatives should suddenly come to a halt on November 1. Cybercriminals around the world are constantly looking for new ways to compromise your systems, which means businesses need to be constantly vigilant.
Companies of all sizes should implement a year-long program that incorporates not just enhancements to cybersecurity infrastructure, but also timely education to keep all users aware of the latest risks.