The US Cybersecurity and Infrastructure Security Agency (CISA) is using Cybersecurity Awareness Month as an opportunity to reinforce the importance of best practices in cybersecurity. While the recommendations may not be groundbreaking, they serve as a helpful reminder for individuals and organizations to prioritize their security posture.
CISA is specifically focusing on four key behaviors: using strong passwords, implementing multifactor authentication, being aware of phishing attempts, and practicing regular software patching. These practices are all too often overlooked, despite their significance in mitigating cyber threats.
Andrew Hollister, CISO and VP Labs R&D at LogRhythm, emphasized the criticality of fortifying cybersecurity posture in an increasingly interconnected world. He highlighted the risks posed by escalating threats and vulnerabilities, which can have far-reaching consequences for sensitive data, financial stability, and even national security. In fact, a recent study found that 67% of respondents reported losing business deals due to customers’ lack of confidence in their security strategies.
The past decade has seen a significant shift towards digital technology, with data and user communities increasingly relying on cloud-based platforms. This shift has given rise to hybrid work patterns, especially in a post-pandemic world. Cybersecurity Awareness Month serves as a catalyst for action, urging organizations to strengthen their defenses, educate their teams, and invest in technology solutions to reduce overall risk. By doing so, they can collectively fortify their digital foundations and ensure a safer digital future.
The first recommended practice is the use of strong passwords. CISA advises using long, random, and unique passwords for each account and suggests utilizing a password manager to generate and store them securely. While strong passwords are necessary, they are not sufficient for effective security. Jeff Reich, Executive Director at IDSA, highlighted the need for a comprehensive approach that includes practices such as the Least Privilege principle, Multi-Factor Authentication (MFA), routine access reviews, and Zero Trust. Achieving effective security requires a thorough understanding of the environments in which organizations operate, the associated risks, and ways to mitigate them.
Darryl Jones, VP of Product (CIAM) at Ping Identity, underscored the significant threat posed by passwords, citing a 233% increase in U.S. data breaches exposing user credentials in 2022 compared to the previous year. While multifactor authentication is a step in the right direction, relying solely on password-based authentication is insufficient. Phishing, malware, and ransomware attacks are on the rise, and passwords are vulnerable to exploitation. Jones advocated for innovative authentication methods such as biometrics, passkeys, and face IDs with liveness checks to address these challenges.
The second recommended practice is the use of multifactor authentication (MFA). CISA emphasizes the importance of enabling MFA on all accounts that offer it, especially for critical accounts like email, social media, and financial accounts. Bala Kumar, Chief of Product at Jumio, noted that while MFA and knowledge-based authentication are commonly used verification tools, they are not secure enough on their own. With the advent of new technologies like generative AI, cybercriminals can develop more sophisticated attacks. Kumar emphasized the need for biometric-backed identity verification methods to effectively protect customer and organizational data.
Recognizing and reporting phishing attempts is another essential practice. CISA advises individuals to exercise caution when encountering unsolicited emails, texts, or calls asking for personal information and to avoid clicking on links or opening attachments from unknown sources. Anurag Gurtu, Co-Founder & CPO at StrikeReady, emphasized the relentless and highly effective nature of phishing attacks. Organizations must invest in comprehensive cybersecurity training programs to educate employees on recognizing and reporting phishing emails. Additionally, advanced email security solutions can significantly reduce the risk associated with phishing attempts.
Phishing attacks have evolved into a pervasive and sophisticated threat. Patrick Harr, CEO of SlashNext, highlighted the detrimental impact of AI-enabled tools like ChatGPT, which have facilitated fast-moving cyber threats through email, mobile, and collaboration apps. Traditional security defenses that rely on threat feeds, URL rewriting, and block lists have become ineffective against these new tools. This, coupled with the increasing use of multiple devices for communication and collaboration, has exposed users and businesses to a greater risk of cyberattacks.
As Cybersecurity Awareness Month continues, it is crucial for individuals and organizations to prioritize and implement these recommended practices. By doing so, they can enhance their security posture, protect sensitive data, and ensure a safer digital future. Continuous education, investment in technology solutions, and a comprehensive approach to cybersecurity are essential in combating the evolving threat landscape.
