Every October is Cybersecurity Awareness Month, and this year, the two organizations behind the international campaign — the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) — are highlighting four key action steps that everyone can take to better protect themselves against cyber threats.
In this post, we will discuss the four steps and why they’re essential, as well as provide some valuable tips that small and medium business owners can follow to make sure that their businesses and employees are protected.
Step #1 — Think Before You Click: Recognize and Report Phishing
Phishing is a type of cyberattack in which an attacker tries to trick someone into doing something that they shouldn’t, such as clicking on a malicious link or sharing their username and password. It is a huge threat to businesses because one small mistake by an employee could result in sensitive company and/or customer data falling into the wrong hands, the installation of malicious software onto company computers, and lots of other serious cybersecurity issues.
Phishing most commonly happens via email. Below are two real phishing email examples that were detected by Trend Micro — a global leader in cybersecurity — in September.
As you can see, the examples above look legitimate. However, there are some commons signs of phishing scams that employees can be trained to recognize, including:
- Threats or a sense of urgency — “Your account will be closed in 24 hours if you don’t click this button,” for example.
- A questionable email address — If an email claims to be from a certain company, but the email address domain doesn’t include the company’s name, it’s a huge red flag.
- Suspicious attachments — Cybercriminals will often attach files to emails that when opened will install malicious software.
- Strange requests — Out-of-the-blue emails that ask for payment and/or personal information are almost certainly phishing scams.
- Grammar and spelling errors.
In addition to ensuring that all employees know what to look out for when it comes to the common signs of phishing scams, security software should be installed on all company computers. Look for a product that comes with anti-phishing capabilities — most security software from well-known companies will include this.
If you or one of your employees receives a phishing email, forward it to the Anti-Phishing Working Group at firstname.lastname@example.org. Phishing scams can also be reported to the FTC at FTC.gov/complaint.
Step #2 — Update Your Software
Making sure that all company computers’ operating systems and apps are regularly updated to the latest software versions is essential because software updates will regularly include fixes for known security issues. The use of out-of-date software makes it exponentially easier for cybercriminals to exploit a computer/system.
The global WannaCry/WannaCrypt ransomware attacks in 2017 targeted Microsoft computers running out-of-date software that had a known vulnerability that had already been fixed by Microsoft. However, because many computers hadn’t been updated, cybercriminals were able to take advantage of the exploit and install ransomware on them that caused an estimated $4 billion in damages.
If your business employs only a very small number of employees, teach them about the importance of installing the latest software updates and remind them from time to time to check for new ones. However, if that wouldn’t be practical, consider hiring a person to take care of IT-related issues or give an existing, tech-savvy employee this responsibility.
Step #3 — Use Strong Passwords
Using password hacking software, a cybercriminal can crack a 10-character password made up of only numbers instantly, whereas a 14-character password made up of a mix of numbers, uppercase and lowercase letters, and symbols (@, %, &, etc.) would take 200 million years.
However, it’s difficult to remember complex passwords so it can be tough to resist the temptation to use suboptimal ones. If only there was an easy way to create strong, tough-to-hack, memorable passwords, right? Well, there is! You can create strong passwords from memorable song lyrics, poems, etc. using letters, numbers, and characters to represent words and/or letters.
For example, take the AC/DC lyric “It’s a long way to the top if you wanna rock ‘n’ roll.” This can be converted to a strong password like so: i@Lw2tTiUwr’n’r (it’s a long way to the top if you wanna rock ‘n’ r). As long as you can remember it, you can get as creative as you want, too. For instance, the dollar sign can be used to represent the letter “S” or the word “money” and parenthesis makes for a good, tough-to-guess substitute for the letter “O”.
You can check how strong your passwords are and how long it would take a hacker to crack them by clicking here.
You should also consider purchasing a password manager for your employees. Password managers can automatically generate and store secure passwords, allowing every employee to have unique, ultra-strong passwords for all their accounts — without the need to remember them all. Many password manager providers offer licenses specifically designed for small and medium businesses, too.
Step #4 — Enable Multi-Factor Authentication
Multi-factor authentication (MFA) — also called two-factor authentication (2FA) — adds an extra layer of protection to accounts by requiring users to provide two separate forms of information to log in.
Conventionally, users log in with a username and password (the password being the first form/factor of identification). However, MFA requires users to provide an additional factor to prove that they are who they say they are — such as a code sent to a trusted phone number. According to Google, MFA via SMS helps “block 100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks.”
There are several common authentication methods for MFA, including SMS verification, email verification, and authenticator apps. However, no matter which authentication method is used, the improvements to account security are tremendous.
It is strongly encouraged that you enable MFA on all your personal and business accounts and make it mandatory for employees to enable it on all their work accounts.
To learn more about Cybersecurity Awareness Month and how you can participate, click here.