Since October is National Cybersecurity Awareness Month, let’s take a look at some of the security measures that are still often overlooked. As we mentioned in our previous post, the theme for this year is “Own IT. Secure IT. Protect IT.” The measures below fall under the category of “Secure IT.” They’re basic, but even if you have them in place, you need to revisit them regularly. After all, what happens when you hire new employees who aren’t up to speed with your cybersecurity culture, emphasis, and measures? A chain is only as strong as its weakest link, and your “employee firewall” is only as strong as your newest or least-informed employee.
Shake Up Your Passphrase Protocol
Longer passwords are stronger than shorter ones. Passwords that don’t consist of recognizable words are better. Those that include symbols and numbers as well as letters are better still. But even then, employees drift toward simple schemes, such as putting their birth year at the end, or substituting a $ for an S or an @ for an a. Variants like these are not lucky guesses: password-cracking tools apply exactly these substitutions and suffixes as rules to every entry in a wordlist, so a dictionary word dressed up with a $ and a birth year falls almost as fast as the bare word. We recommend passphrases instead. They’re longer and allow for more variation. Tell your employees to think of a phrase that would be hard to guess, even by people who know them. For even greater strength, add punctuation and mix upper and lower case. Passphrases also allow for spaces, meaning you can string together a sentence and incorporate punctuation and capital letters more naturally.
For example, the passphrase “The 4 Dragons Fly at Midnight!” includes punctuation, capital and lowercase letters, and spaces: complex, but easy for you to remember. If you’re using a website or service that caps password length, the phrase can be shortened to its initials, “T4DFaM!”. Knowing the phrase it came from makes it easy to remember, but be aware of the trade-off: a seven-character string is short enough to brute-force offline whatever mix of characters it uses, so use the longest form the site allows rather than the shortest you can recall.
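The point about “simple variants” is easiest to see in code. The checker below is an added example, not code from the original post: it undoes the mangling rules a cracker applies (leet substitutions, an appended year, trailing punctuation) before looking the result up in a wordlist, so the decorated dictionary words the post warns about are rejected while a long passphrase passes. The wordlist and the substitution table are constructed for the example; a real deployment would use a large breached-password list, and the length policy (16 characters) is an assumed value.

```python
"""Password-variant checker (added example; not from the original post).

Crackers do not guess "P@$$w0rd1985" character by character: they take
"password" from a wordlist and apply rules (leet swaps, a year on the end,
trailing punctuation). normalize() reverses those rules, check() then rejects
anything that reduces to a wordlist entry or is too short to be a passphrase.
"""
import math
import re
import string

# Constructed wordlist for the example; use a breached-password corpus in practice.
WORDLIST = {"password", "dragon", "welcome", "summer", "letmein", "monkey"}

# Keyboard substitutions that every cracker rule set undoes (assumed table).
LEET = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
    "4": "a", "5": "s", "7": "t", "!": "i",
})

YEAR_SUFFIX = re.compile(r"(19|20)\d{2}$")
JUNK = string.digits + string.punctuation


def normalize(candidate: str) -> str:
    """Undo the decorations a mangling rule would add, recovering the base word."""
    base = candidate.lower()
    base = YEAR_SUFFIX.sub("", base)      # "dr@gon2019" -> "dr@gon"
    base = base.rstrip(JUNK)              # "summer19!"  -> "summer"
    base = base.translate(LEET)           # "p@$$w0rd"   -> "password"
    return base.strip(JUNK)


def brute_force_bits(candidate: str) -> float:
    """Upper bound on the search space (bits) if the string were random:
    length times log2 of the size of the character classes present.
    Real strength is far lower for anything normalize() maps to a wordlist entry."""
    classes = [
        (string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
        (string.digits, 10), (string.punctuation, 32), (" ", 1),
    ]
    charset = sum(n for chars, n in classes if any(c in chars for c in candidate))
    return len(candidate) * math.log2(charset) if charset else 0.0


def check(candidate: str, min_len: int = 16):
    """Return (accepted, reason) under a passphrase-first policy."""
    base = normalize(candidate)
    if base in WORDLIST:
        return False, f"variant of dictionary word '{base}'"
    if len(candidate) < min_len:
        return False, f"too short: {len(candidate)} chars ({brute_force_bits(candidate):.0f} bits at best)"
    return True, f"ok ({brute_force_bits(candidate):.0f} bits)"


if __name__ == "__main__":
    for pw in ["P@$$w0rd1985", "Dr@gon2019", "T4DFaM!", "The 4 Dragons Fly at Midnight!"]:
        print(f"{pw!r}: {check(pw)}")
```

Run it and the two passwords built from wordlist entries are rejected by name, the seven-character initialism is rejected for length (about 46 bits even as a random string, well within offline cracking reach), and the full passphrase is accepted.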
Regardless of password strength, don’t re-use passwords across multiple sites. Many compromises have happened because credentials stolen from one site were replayed against others, an attack known as credential stuffing. If your employees use the same passwords for social sites as for your corporate login, someone else’s breach can easily become your own: criminals can masquerade as your employee and walk right in, no matter how tight your perimeter. Encourage the use of a password manager and vault, such as LastPass or 1Password, so that every site gets its own long, randomly generated password and nobody has to remember more than one passphrase.
Double Your Login Protection
To protect against stolen passwords or easy-to-guess credentials, turn on multi-factor authentication. Prioritize remote access (VPN, webmail, cloud consoles) and logins from new devices or locations an employee hasn’t used before, but don’t treat a corporate desktop on the wired network as exempt: a phished or reused password works from inside the building too, and an attacker who gains a foothold on one internal machine will use it from there. Where you have the choice, prefer an authenticator app or a hardware security key over codes sent by SMS, which can be intercepted or redirected by SIM swapping.
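To show what the second factor actually adds, here is a time-based one-time password (TOTP, RFC 6238) generator and verifier. It is an added example, not code from the original post or from any particular MFA product: the code is derived from a secret that never leaves the phone or token plus the current time, so a password captured by phishing or credential stuffing is useless without it. The shared secret is the RFC 6238 test-vector secret, not a real one; the one-step skew window and the six-digit length are assumed settings.

```python
"""TOTP (RFC 6238) generator and verifier (added example; not from the original post)."""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30
DIGITS = 6

# The RFC 6238 test-vector secret, used here so the outputs can be checked
# against the published vectors. A real secret is random and per-user.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None) -> str:
    """TOTP: HOTP with the counter set to the number of 30-second steps since the epoch."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // STEP_SECONDS)


def verify(secret: bytes, submitted: str, at: Optional[int] = None, skew_steps: int = 1) -> bool:
    """Accept the code for the current step or its +/- skew_steps neighbours
    (clock drift). Uses a constant-time comparison. A production verifier must
    also remember the last accepted step and refuse to accept a code twice
    (RFC 6238 section 5.2), otherwise a code shoulder-surfed within its
    window can be replayed."""
    t = int(time.time()) if at is None else at
    step = t // STEP_SECONDS
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, step + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    # Published RFC 6238 SHA-1 vectors (last six digits): 59 -> 287082,
    # 1111111109 -> 081804, 1234567890 -> 005924.
    for t in (59, 1111111109, 1234567890):
        print(t, totp(DEMO_SECRET, t))
    print("now:", totp(DEMO_SECRET), verify(DEMO_SECRET, totp(DEMO_SECRET)))
```

The enrolment step (sharing `DEMO_SECRET` with the authenticator, usually via a QR code) is the only time the secret crosses the wire; after that, each login needs the password plus a code that only a holder of the secret can compute for the current 30 seconds.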
Play Hard-to-Get with Strangers
National Cybersecurity Awareness Month is a great opportunity to educate and remind employees to be vigilant against phishing schemes. Phishing emails that masquerade as messages from banks or other financial sites have been around for years, and the good ones look like the real thing. More recently, criminals have become adept at “spear phishing,” where they target individual employees by pretending to be a boss, co-worker, or other business associate. They trade on that apparent trust, usually with a sense of urgency, to get the target to hand over credentials or other corporate assets, or even to wire money to a criminal-controlled bank account. A request that arrives by email and asks for a payment, a password, or a change of bank details should be confirmed through a channel the sender did not supply, such as a known phone number.
SOCBOX partners with several companies that offer cybersecurity awareness training for employees on phishing and other security issues. We also can conduct customized, controlled phishing tests so you can see how vulnerable your company might be to phishing without actually endangering your business. If any of your employees fall for the phish, we’ll explain what happened so they can learn by experience. In addition, SOCBOX offers custom Cyber Education Workshops, which are tailored to your business and conducted at your location. To learn more about our services, email us or call 877-284-7789.