
Beyond Cybersecurity Awareness Month: Achieving identity security all year long

To draw attention to this — and, ideally, action around it — the theme of this year’s Cybersecurity Awareness Month is “See Yourself in Cyber.” Hosted by the National Cybersecurity Alliance (NCI) and taking place through October, the event emphasizes four key practices: enabling multifactor authentication (MFA), using strong passwords and a password manager, updating software, and recognizing and reporting phishing.

The NCI notes that while awareness of online threats has increased rapidly over the past decade, most users “have not adopted any additional security practices to help protect themselves from cyber-attacks.” The month of October was chosen because it is National Cyber Security Awareness Month and because “every month is cybersecurity awareness month.” Still, there are reasons why what happens in October really does matter — and will matter even more after the month is over.

Phishing

The NCI notes that phishing “is one of the most common and effective methods for cyber criminals to gain access to personal information and steal confidential data.” How aware people are of this threat (the term originated as an anglicization of “fishing”) says a lot about what is going on in your company, or at least among those who work for you. In 2016, phishing occurred in 51 percent of breaches and was most frequent in the hours before midnight.

Every day, nearly 2 million users are victimized by hackers, 80 percent of whom use social engineering techniques. According to a report by Cryptography Research, for every 1 victimized user there are 28 infected users.

In addition to its financial impact, phishing can also lead to identity theft, a common outcome of phishing attacks. The Identity Theft Resource Center says that in 2016 there were more than 22 million victims of identity theft. Identity Theft 911 estimates that 60 percent of identity-theft victims report being a victim of email fraud; about half are victimized by phone calls; and about 15 percent by snail mail.


The best way to combat phishing is to use the right tools and strategies. The NCI stresses that it is imperative to block all types of phishing attacks, which includes:

• Implementing MFA on all company-issued devices (phones, PCs, tablets and more) that are used for business purposes; and

• Creating strong passwords and utilizing a password manager.

Password/username reuse, in which users use the same password or username for multiple logins, is a significant problem and represents a specific area of risk. Beyond making users more prone to phishing attacks, reusing credentials also exposes passwords to brute force attacks. A recent Radware study found that over half of the organizations surveyed had experienced an authenticated, remote breach of corporate data networks linked (directly or indirectly) to password reuse. What’s more, this virtually always meant that an account intended for general-purpose use was breached, rather than a service account such as webmail.

The NCI’s suggestion to change passwords every 30 days or so is not sufficient. From Radware’s report:

• Password re-use: The average password should be changed every 72 hours. At least twice a year, change the password completely. If an employee uses a corporate account (such as webmail) for personal use, they should also have separate personal accounts with unique passwords.

• Password length: Passwords should be at least 14 characters long and contain a mix of upper and lower case letters, numbers and symbols.

• Password strength: Passwords should be random and not easily guessed. Password management applications must include a password strength meter and remind users to create different passwords for different accounts.

MFA is a more sophisticated form of security that ensures access to sensitive information is restricted to those who are legally authorized and physically present. Not only does it reduce the risk of phishing via password reuse, it also improves your organization’s overall security by limiting the potential impact of an attack on one account to that account alone.

Source: Beyond Cybersecurity Awareness Month: Achieving identity security all year long | VentureBeat
