October is a time for spooky stories and costumes. While your business is planning your Halloween staff party and decorating your workplace, don't forget the real-life scariness of cyber threats! October is also Cybersecurity Awareness Month, when we work together to defend our businesses against hackers. No need to be afraid: by celebrating Cybersecurity Awareness Month, we can unmask cybercriminals and enjoy treats rather than tricks!
What is Cybersecurity Awareness Month?
Founded by the U.S. Department of Homeland Security (DHS) and the National Cyber Security Alliance (NCSA), Cybersecurity Awareness Month is dedicated to fighting cyber threats. Every year, the DHS and NCSA team up to teach Americans how to defend themselves. As cybercriminals are constantly getting more creative in our ever more digital world, there is always something new to learn. Staying up-to-date on cybersecurity techniques and tools is crucial to staying safe.
Cybersecurity Awareness Month's theme for 2021 is #BeCyberSmart. While the DHS and NCSA are promoting general cybersecurity techniques for all Americans, it's worth noting that businesses are especially vulnerable. That's because cybercriminals like to target organizations for the user information and financial credentials they often store. And unfortunately, any breach or downtime can lead to liability issues and lost profits for businesses.
Cybersecurity in 2021
It's becoming more challenging to avoid cyber threats in 2021 because hackers are finding new ways to attack. Now that many users have anti-malware programs in place, cybercriminals use a combination of social engineering and spoofing. For example, they will pose as someone's coworker and send them an email with a malicious link. When the recipient clicks on it, they inadvertently download ransomware or a virus.
In other words, what seems like a treat really is a trick!
One of the scariest trends of 2021 is that ransomware is now cheaply available on the dark web. Ransomware-as-a-Service (RaaS) platforms allow hackers to download the malware and customize it for their targets. Ransomware locks the victims' devices until they pay the ransom.
Ransomware can strike in two main ways. Ransomware-at-the-Source is designed to penetrate the operating system at the admin level. From there, it can present fake software updates, collect login credentials, and encrypt system files — effectively crippling the device and potentially granting access to other endpoints. This type of ransomware has devastating effects on businesses that require constant uptime and/or store sensitive information on their drives.
The other delivery method is a brute force attack, in which all users in a system (e.g. an employee roster) are subjected to bots that attempt to guess their passwords. If even one account is successfully accessed, hackers can then spoof that user's details to send convincing messages to their colleagues. In short, one single vulnerability can open dozens of doors to further attacks.
That's why it's so important to approach cybersecurity from both sides: through device- and network-level security and through user training. In 2021, we're focusing on being cyber smart, as even the best anti-malware programs are insufficient if an employee unwittingly hands over their credentials.
How to Celebrate Cybersecurity Awareness Month
In support of Cybersecurity Awareness Month, the White House issued a statement urging all Americans to "Do Your Part. Be Cyber Smart." When cybercriminals attack businesses and nonprofits, they attack those organizations' customers and clients as well. By the same token, any breach has the potential to enable other breaches. In other words, it will take everyone's efforts to defend ourselves against cyberthreats.
President Biden's statement includes the following three guidelines:
- "Limiting the amount of personal information shared online"
- "Regularly updating devices and software"
- "Using complex passwords and multifactor authentication methods"
While the White House's guidance is more geared toward individuals, businesses can and should develop their full-fledged cyber defense strategy based on these tenets. Specifically:
- Train staff to be cautious with their personal information. Hackers who obtain enough details to guess their passwords or trick them into accessing a malicious site may gain access to their work account and business-sensitive information. Staff should also be wary of suspicious links, even if they appear to come from a trusted coworker.
- Keep all devices and programs used by your business up-to-date. Limit which apps your staff can use and schedule regular updates to fix security vulnerabilities. If your staff uses mobile devices for work, those phones or tablets should have endpoint security, including app restrictions and limited network access.
- Require all staff and customers/clients to create strong passwords and use multi-factor authentication. Host training to teach employees good password hygiene, e.g. not sharing passwords, storing them safely, having unique passwords for each app, etc.
For help developing a robust cyber defense strategy this month, reach out to a cybersecurity consultancy such as Next I.T. Depending on your business's needs, you may implement anti-spoofing methods, endpoint security, app restrictions, multifactor authentication, and other crucial tools for defending your staff and customers against hackers.