Business Reporter

Basic behaviours to keep cyber safe


Andy Bates at Node4 outlines the four key cyber security behaviours to make a habit this Cyber Security Awareness Month

 

October of 2022 marks the 19th Cyber Security Awareness Month – a campaign designed to raise awareness of the importance of strong security and data protection measures for all businesses.

 

Arguably, this year, we need it more than ever. We have seen the weaponisation of cyber bring the potentially devastating impact of cyber attacks to everyday life in ways we haven’t previously witnessed. Simultaneously, and perhaps consequently, such threats reached an all-time high, with the world experiencing a peak of 1,200 attacks per week per organisation on average.

 

This Cyber Security Awareness Month, CISA and NCA have highlighted four key behaviours that all organisations should practice to bolster their defences and avoid falling into the traps laid by cyber criminals. Let’s go through them one at a time.

 

1. Enable multi-factor authentication

Enabling multi-factor authentication is a crucial step in securing data and blocking unauthorised access to systems. It is super effective, yet so easy to implement as it is available on many platforms. Although most organisations do now enforce some form of authentication measures, too many still rely on single layers of authentication.

 

Some multi-factor authentication steps, like a code texted to your phone, can be intrusive; although highly effective and recommended, they can put individuals off enabling it. It’s worth considering less intrusive options, such as facial recognition and fingerprint scanning. While not so widely used, other more technical, and even more discreet, authentication methods like biometrics are also increasingly being adopted.

 

It is possible for multi-factor authentication to keep you safe without you even realising it, let alone interrupting your day. The “conventional” authentication methods can be used when you are in a riskier situation, or when something unusual is flagged, but day-to-day much more can be done to improve access control without intruding on individual working activities.

 

2. Use strong passwords and a password manager

Even with multi-factor authentication and other access controls in place, having a good base password is important. It is your first and last line of defence.

 

There is much debate on how to get a good password – a mixture of upper and lowercase letters, mixed with numbers or special characters, using three words or a memorable phrase. At the end of the day, the longer the password is, the better. It takes seconds to crack a 6-letter lowercase password but 10 years for an 11-character password.

 

3. Update software

In the corporate world, we all accept that software updates are an essential part of security and business operations in general. But few remember to include their mobile fleets as part of the checklist to be regularly updated.

 

Post-COVID work habits have led to organisations having a blend of corporate machines, BYOD, contractors with their own machines, and staff using personal mobiles for work purposes. All of these need to be updated to the latest version of the software to ensure any bugs remain patched and security settings are current.

 

Helping your users and customers to get into the habit of updating their devices when prompted will keep them and the organisation as a whole safer.

 

There is also the matter of Cyber Essentials – a UK government scheme to get every business to a good level of cyber security. One of the main criteria for the Cyber Essentials certification is up-to-date software. When working with the UK government it is essential to meet this criterion, but it is good pragmatic security advice for all organisations and people to follow - not just those with government contracts!

 

4. Recognise and report phishing

When the internet was first created, it was intended simply to connect universities to each other - it was never designed to be used by billions of people, and conversations about cyber security and phishing traps were certainly never had.

 

Yet, now it is a huge concern with cyber attacks becoming more frequent and severe as cyber criminals are getting smarter and more sophisticated. They can now impersonate you without even hacking into your system.

 

We are all trained (subliminally or actively) to spot a fake email address – when a 0 (zero) is used instead of the letter O, for example. But if a message comes from a proper email address, you are much more likely to believe it and fall into the trap. There are, however, solutions which can help with this.

 

DMARC (“Domain-based Message Authentication, Reporting and Conformance”) is a standard email authentication method that helps mail administrators prevent hackers and other attackers from spoofing their organisation and domain. Everyone should have this turned on.
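
Whether DMARC is really "turned on" depends on the policy the record publishes, not just on the record existing. The following is an added example, not code from the article or from Node4: a Python check that parses the TXT strings found at _dmarc.<domain> (tag names per RFC 7489) and reports whether the policy is enforced. The function names and the sample records are constructed for illustration, and example.com is a placeholder domain.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Parse one TXT string from _dmarc.<domain>; None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must come first and is case-sensitive
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if sep:  # skip fragments that are not tag=value
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def assess_dmarc(txt_records):
    """Return (verdict, findings) for all TXT strings found at _dmarc.<domain>."""
    records = [r for r in map(parse_dmarc, txt_records) if r is not None]
    if not records:
        return "missing", ["no DMARC record published"]
    if len(records) > 1:
        return "invalid", ["multiple DMARC records: receivers apply none of them"]
    tags, findings = records[0], []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "invalid", ["p= tag missing or unrecognised"]
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if policy == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    if policy != "none" and subdomain_policy == "none":
        findings.append("sp=none: subdomains are not enforced")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who sends as this domain")
    if policy == "none":
        return "monitoring", findings
    partial = pct < 100 or subdomain_policy == "none"
    return ("partial" if partial else "enforcing"), findings

# Constructed sample records, not taken from any real domain.
SAMPLES = {
    "monitor-only": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
    "ramping-up": ["v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"],
    "enforced": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "subdomain-gap": ["v=DMARC1; p=reject; sp=none"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, assess_dmarc(records))
```

A record that stays at p=none gives visibility through reports but does not stop spoofed mail; only quarantine or reject at full coverage counts as enforcement here.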

 

The other recommendation is to implement a PDNS (Protective Domain Name Service) solution. It brings together cyber threat intelligence from a variety of sources to form a list of sites with known malicious content, and blocks access to those sites so that clicking a malicious link does not take you there. DMARC and PDNS are proven solutions to help users.

 

It starts at home

Dedicating time and effort to implementing each of these four behaviours will put your organisation in the best position to fend off any unwanted access or more forceful attacks. Yet, everyone within an organisation is responsible for upholding best cyber security practices. It only takes one click of the wrong link to bring everything tumbling down.

 

Technology is a vital aid in keeping your organisation secure, but employee education and involvement is the most effective way to build defences. Organising regular training sessions and ensuring business-wide visibility of new security policies and updates will allow everyone in the organisation to be a cyber soldier.

 

And, what better time than Cyber Security Awareness Month to remind your employees of the important part that they play?

 


 

Andy Bates is Practice Director - Security at Node4

 


 


© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543