Held every October, CISA’s National Cybersecurity Awareness Month (NCSAM) aims to educate organizations and individuals about the ever-changing field of cybersecurity and encourage proper security practices. In honor of this event, we rounded up six key tips from our network of experts to help you easily shore up your approach to cybersecurity:
1. Use a password manager and two-factor authentication (2FA)
By Wendy Nather, Head of Advisory CISOs, Duo Security
If you don’t already use a password manager, start using one now. If you can’t bring yourself to work with one, IT’S OKAY TO WRITE DOWN YOUR PASSWORDS. Just keep them on a piece of paper in your wallet, or keep them in a drawer at home. Really. The chances of someone breaking into your house these days to steal your passwords is infinitesimal.
Also, it’s always a good idea to make sure you have a trusted person in your life who knows how to access your passwords in case something happens to you, even temporarily. Who’s going to pay your bills while you’re in the hospital? A password manager can also help you with securely sharing passwords with the trusted person you designate.
2. Safeguard against social engineering attacks
By Chris Hadnagy, CEO, Social-Engineer, LLC and Innocent Lives Foundation
This year, we have seen an unprecedented level of social engineering attacks involving phishing, vishing and SMiShing. Although there is nothing you can do to be 100% hacker-proof (and don’t believe anyone who tells you that you can) there are two things you can do to make yourself NOT the low-hanging fruit:
- Use a password manager. These can help you remember and manage the hundreds of passwords you have. Just use a sentence or song lyric as your password and let the manager do the rest.
- Use 2FA on EVERYTHING. Try to steer away from email or SMS, but use Google Authenticator or DUO or another app to get your codes.
These two things can help you avoid many pitfalls. Now might also be a good time to train your employees about phishing attacks by running a simulated phishing campaign targeting them.
3. Update your apps and devices
By Jen Ellis, Vice President of Community and Public Affairs, Rapid7
You know those super annoying reminders to update your software on your laptop, PC, tablet, phone, or just about anything else? Yeah, turns out they are not just annoyingly distracting, they are also annoyingly important. I know the disruption of updating is a frustrating pfaff, but often the whole reason for the update is to address some security bug in the technology you are using. If you don’t suck up the temporary loss of availability, you could end up facing a much longer one, as these bugs provide attackers with the opportunity to potentially compromise your tech.
The longer it takes you to run the update, the greater the chance there is of an attacker exploiting the bug. You don’t necessarily have to drop everything immediately to run it, but it is sensible to do so in the next available window where your device will not be in direct use, say for example while you’re eating or sleeping. Where possible, it’s also sensible to set your apps and gadgets to “auto update,” meaning they will update themselves as soon as is convenient and necessary, taking the burden off you.
4. Take your IoT security seriously
By Deral Heiland, Principal Security Researcher IoT, Rapid7
Please take into consideration your privacy and safety when you’re planning to purchase any new IoT automation technology, such as cameras, smart doorbells, home security systems, kitchen appliances or even toys for the children. You should put in the same effort and thought into the purchase as you would when purchasing a car or even a child safety seat. Throughout your research, ask questions about product security, look at product reviews, engage the vendor, and even take the time to review the product user manual. This document is typically available online and often reveals a lot about a product. The key is to determine whether product security is a priority to the vendor. If not, you may want to go somewhere else.
5. Protect your phone number
By Fahmida Rashid, Senior Managing Editor, Decipher
The No. 1 piece of advice I offer is to protect your mobile phone number. We don't realize just how much of our identity is tied up with our phone number. Make sure your account with your mobile carrier is protected with a strong and long password and two-factor authentication, if offered. More importantly, add a PIN to your SIM card and ask the carrier to put extra security on your account. Make it very, very hard for someone to call and get your number assigned to a different SIM card. Once the number is swapped to a different SIM card, you will lose control of a significant portion of your life.
You can't make it impossible to be compromised, so a large part of personal security is making it hard to do so.
6. Make a disaster recovery plan
By Tod Beardsley, Director of Research, Rapid7
Since Wendy already nabbed password management (which is my No. 1 these days), I'll go with my No. 2: disaster recovery drilling! You can't possibly be good at anything with no practice, which I suspect is why a lot of people feel like they're "not good with computers." So, fix that by figuring out your disaster recovery plan when your main device gets accidentally dropped through a sewer grate.
The easiest way to simulate this is to hide your phone under your pillow and then ask yourself, "How do I recover my vacation photos, my contacts list, and get at my 2FA-protected email to reset my passwords?" If you answer yourself with, "I don't," it's probably time to figure out your backup plan.
"Two is one and one is none" is a hoary bit of military jargon that's useful in pretty much every situation, especially when it comes to backup plans for phones. Having a tested disaster recovery plan can be the difference between calming restoring your personal data to a new device and having to learn how to transfer bitcoin to a Belarusian mobster in the next 48 hours.
That’s a wrap! If you want to learn more about simple ways you can stay secure, check out more of our National Cybersecurity Awareness Month blogs.