This October marks the 19th Cybersecurity Awareness Month, an occasion for government agencies and private organizations to come together to promote cybersecurity awareness and best practices. Each year's campaign follows a theme set by the Cybersecurity & Infrastructure Security Agency (CISA).
This year’s theme is “See Yourself in Cyber,” which aims to raise awareness around how people are impacted by and affect cybersecurity.
People play a significant role in cybersecurity efforts. Even if your company has the most advanced security tooling in place, if the people in your organization don't follow basic best practices, they can leave the door open for attackers to reach your data.
With the annual cost of cybercrime projected to hit $10.5 trillion by 2025, businesses must be aware of how people impact cybersecurity and take the steps necessary to protect their employees and organization.
CISA’s 4 Cybersecurity Essentials
The people in your organization can make or break your security efforts. Even with the best security software on the market, employees who ignore best practices can inadvertently open a back door into your critical systems, resulting in millions of dollars in unexpected losses.
To protect your business this month and into the future, ensure your employees follow CISA’s four cybersecurity best practices.
Enable Multi-Factor Authentication
In the past, it was common to secure devices and accounts with a short, easy-to-remember username and password. Because such passwords are easy to guess, and because breaches of poorly secured web applications have publicly exposed hundreds of millions of real-world passwords, attackers have been able to take over countless user accounts with nothing more than a stolen or guessed password. Multi-factor authentication (MFA) exists so that a password alone is no longer enough.
MFA requires that a user provide at least two pieces of evidence when authenticating, drawn from at least two of the following three categories: something you know (a password or PIN), something you have (a phone, hardware security key or smart card), or something you are (a fingerprint or face).
For example, a password (something you know) combined with a fingerprint (something you are) satisfies MFA; a password plus a security question does not, because both are things you know. The most common pairing is a password and a one-time password (OTP). When you attempt to log in to your bank account and they text you a six-digit code that is only valid for the next few minutes, you are authenticating with an OTP delivered over SMS. A stronger option is an "authenticator" app on your smartphone that generates a time-based OTP (TOTP) from a secret shared with the service, valid for only 30 seconds, with no message for an attacker to intercept or redirect. Phishing-resistant methods such as FIDO2/WebAuthn security keys go further still, because the code cannot be typed into a fake login page at all.
MFA systems may also combine biometrics, hardware tokens and contextual signals such as geolocation when deciding whether to accept a login. For instance, instead of relying on a one-time link sent to an email address, the system may first check the user's location and reject, or require an extra step for, requests arriving from an unfamiliar area or country, then send a push notification to the user's registered device that must be approved with a face scan. Note that geolocation is a risk signal rather than a factor in its own right; it supplements the factors above, it does not replace them. By requiring multiple independent factors, MFA provides greater security to both businesses and individuals.
Use Strong Passwords
Weak or stolen passwords are behind a significant share of data breaches. Worse, some surveys have found that more than 53% of people do not change a password after a data breach, even when they know it may have been compromised.
To keep company data and employees' personal information safe, implement a company-wide password policy. Favor length over forced complexity rules: a long passphrase is harder to crack than a short string of mixed case, numerals and symbols, and current NIST guidance (SP 800-63B) recommends against mandatory character-class rules and scheduled rotation. Require a unique password for every account or platform, screen new passwords against lists of known breached passwords, and change a password promptly whenever it may have been exposed rather than on a fixed calendar. Because keeping track of dozens (or hundreds) of unique passwords is impractical without help, deploy a password manager.
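Screening a new password against breached-password lists can be done without ever sending the password, or even its full hash, off the host. The following is an added example, not code from the original post, of the k-anonymity range scheme used by services such as Pwned Passwords: the client hashes locally with SHA-1, sends only the first five hex characters, receives every stored suffix under that prefix, and matches locally. The breach corpus here is a small constructed stand-in with illustrative counts, not real breach statistics, and the network call is simulated by a local function.

```python
"""Breached-password check via a k-anonymity range query. Added example for this
article; the corpus and counts are constructed for illustration."""
import hashlib


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the breach database: SHA-1 of the password -> times seen.
# The passwords are well-known weak choices; the counts are illustrative only.
_CONSTRUCTED_BREACH_CORPUS = {
    _sha1_hex("123456"): 23_000_000,
    _sha1_hex("password"): 3_800_000,
    _sha1_hex("P@ssw0rd"): 50_000,
    _sha1_hex("Summer2022!"): 12,
}


def range_response(prefix: str) -> str:
    """Server side (simulated offline). Returns 'SUFFIX:COUNT' lines for every stored hash
    that begins with the 5-character prefix, mirroring the shape of a Pwned Passwords
    /range/<prefix> response. With a real corpus each prefix covers hundreds of hashes,
    which is what gives the client its anonymity set: the server cannot tell which one
    the client was asking about."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    lines = [f"{h[5:]}:{n}" for h, n in _CONSTRUCTED_BREACH_CORPUS.items() if h.startswith(prefix)]
    return "\r\n".join(lines)


def breach_count(password: str) -> int:
    """Client side: hash locally, query by prefix only, match the suffix locally.
    Returns how many times the password appears in the corpus (0 if never)."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # In production this is an HTTPS GET of .../range/<prefix>; here it is the local simulation.
    body = range_response(prefix)
    for line in body.splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password_policy(password: str, min_length: int = 14) -> list[str]:
    """Policy in the spirit of the section above: a minimum length rather than forced
    character classes, plus rejection of anything already present in a breach corpus.
    Returns a list of human-readable problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    n = breach_count(password)
    if n:
        problems.append(f"found {n} times in the breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "Summer2022!", "aVeryLongUniquePassphrase-2022"):
        print(candidate, "->", check_password_policy(candidate) or "ok")
```

SHA-1 is used here only because that is the hash the breach corpus is indexed by; it is fine for a lookup key but is not how passwords should be stored, which still calls for a slow, salted hash such as bcrypt, scrypt or Argon2.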
Recognize and Report Phishing
Although phishing has always been a concern, the recent shift to remote and hybrid work has opened the floodgates. Phishing is more sophisticated than ever, with cybercriminals continually devising new ways to trick people into falling for their scams.
According to Cofense's Q3 2021 Phishing Review, "93% of modern breaches involve a phishing attack." Cybercriminals are experts at playing on human fear, urgency and trust to extract payments and account credentials. Without proper training, your employees may not recognize the warning signs and may inadvertently hand over access.
To avoid this, train employees to recognize common phishing tactics, such as unexpected requests for credentials or payment, mismatched sender addresses and look-alike domains, and encourage them to report suspected phishing as soon as they see it, whether or not they clicked.
Update Your Software
One of the most effective ways to maintain security is to keep all systems and devices current with vendor patches and supported software versions. The technology companies you work with, from Apple and Microsoft to NetSuite and Google, invest heavily in security and employ teams that track and fix vulnerabilities in their products. A patch does nothing until it is installed, though, and attackers routinely exploit flaws for which a fix has been available for months.
Keeping software and devices at current versions lets you benefit from those fixes and built-in protections. Enable automatic updates wherever possible, retire software that no longer receives patches, and prioritize anything listed in CISA's Known Exploited Vulnerabilities catalog, since those flaws are already being used in real attacks.
Following Cybersecurity Best Practices
As CISA points out, cybersecurity is “really all about people.” For your cybersecurity efforts to be effective, employees must follow best practices, including the basics.
To ensure employees follow best practices, focus on education, communication, and monitoring:
- Education: Create a culture within your company that prioritizes security and ongoing education. Instead of one day per year when employees sit through lectures and videos, involve them in regular, short training sessions and security briefs. Making these sessions interactive, for example with simulated phishing exercises followed by immediate feedback, gives you a better chance of gaining employee buy-in.
- Communication: Foster an environment of open and honest communication. Employees must report phishing attempts when they encounter them, especially if they fell for one. They need to feel comfortable reporting to their managers or the security team and know they will not be punished for being honest. Otherwise, they may hide the incident and give the attacker more time to do harm.
- Monitoring: Checking that every employee follows best practices and that every system stays up to date is a challenge. A managed services partner can monitor systems remotely and alert you when something is amiss, so internal teams can focus on more strategic matters.
Although October is Cybersecurity Awareness Month, protecting your assets and following best practices should be top of mind all year. Even basic procedures like utilizing MFA and keeping systems updated can go a long way to protecting your organization.
If you are unsure where to start, or are curious about your company’s level of security, consider reaching out to a certified cybersecurity managed services partner like Sikich. A partner can help you understand ongoing security risks and help you design a robust cybersecurity plan to protect your business. Contact our team of experts to learn more.