Blog | Oct. 9, 2023 | 8 min read

Tips for Cybersecurity Awareness Month: Strong Passwords, Software Updates and More

In an era of ever-present cyber threats, a cyber-aware workforce and customer base is critical. 2023 marks the 20th year of Cybersecurity Awareness Month, a collaboration between government and the private sector to raise awareness about digital security. The National Cybersecurity Alliance and the Cybersecurity and Infrastructure Security Agency (CISA) work together to create resources that inform and encourage organizations to talk to their employees about staying safe online and protecting themselves against malicious cyber actors. Ensure your customers, members, employees or colleagues stay current on the latest cybersecurity trends and best practices. This blog unpacks key behaviors that increase your cybersecurity awareness and help you stay safe online.

The Key to Your Account: How to Create a Strong Password

Taking the time to develop an effective password strategy during Cybersecurity Awareness Month will benefit you year-round. In today's digital world, passwords are often a challenge, especially given the sheer number of them the average consumer must keep up with. Although it seems everyone is continually looking for a password shortcut or workaround, long, complex passwords are critical to securing your accounts. Make your passwords at least 15 characters long and add complexity by combining uppercase letters, lowercase letters, numbers and symbols. Length matters more than any single character class: every added character multiplies the number of guesses an attacker must try, whereas swapping one letter for a symbol adds comparatively little. Password crackers tend to favor the symbols found on the number keys, so whenever possible use a symbol that isn't on a number key, such as a colon, semicolon or comma, to further increase password strength. To maximize your digital security, use a unique password for every account, and change the passwords on your most sensitive accounts at least twice a year and immediately whenever you suspect a compromise. Uniqueness is the property that matters most: a password reused across sites turns one site's breach into a credential-stuffing attack on all the others. (Current NIST guidance in SP 800-63B no longer calls for rotation on a fixed schedule, but it does require a change whenever compromise is suspected.)
When developing passwords for different accounts, here are a few password strategies to consider:

Building a Seed-Based Password

One approach to creating passwords is to build a seed password and adapt it for each account. The seed could be a form of your birthday, such as Au71985!, or it could include the year you set the password, e.g., 2023Yay! The key is to build uniqueness around the seed. You could build that uniqueness around the password's purpose, like using <Amzn> for your Amazon account or [1NBRocks!] for your account at First National Bank. You can also add a reminder of when the password was set to the seed password, such as SEP|23 or 20.09.23 for September 2023. Your final password for the example above would be Au71985!<Amzn>SEP|23. The idea is to make the beginning and the end something you can remember based on the application, and the date portion changes each time you change the password. Keep one caveat in mind: anything built from a public fact (a birthday) or shared across accounts (the seed itself) becomes guessable once a single password leaks in plaintext, because the pattern is visible. Treat this scheme as a memory aid for accounts you must type by hand, not as a substitute for the unique, generated passwords a password manager provides.

Creating a Passphrase

Another approach is to use a passphrase or short sentence such as 'I like sunny days!7'. The symbol and number at the end add to the complexity, and the length is what gives the phrase its strength. To create a passphrase, you can also use the first letter of each word in the lyrics of a song. For example, "Is this the real life? Is this just fantasy?" would become 1ttrl? 1tjf?. In this example, the number one used as the letter "I" increases complexity. Pick a line that matters to you rather than a chart-topping chorus, since cracking wordlists include well-known lyrics and quotations. Take the time to develop an effective password strategy to stay safe online.

Secure Your Credentials with a Password Manager

Leveraging a password manager also helps mitigate your risk of unauthorized account access. These programs or applications allow you to securely store and manage your passwords for online accounts, and they can generate a long, random, unique password for each account so you never have to remember it. Password managers can also flag when you're reusing the same password across accounts or when one of your passwords has appeared in a known data breach.
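To make the two ideas above concrete (why length beats character classes, and how a password manager can check a password against breach data without revealing it), here is an added example. It is my code, not CSI's or the author's. The breached-password list is constructed for the example, and the range lookup is a local stand-in for the Have I Been Pwned "range" API, whose exact response shape is assumed here: the client sends only the first five hex digits of SHA-1(password) and compares the returned hash suffixes locally, so the password itself never leaves the device.

```python
import hashlib
import math
import string

# Constructed stand-in for a breached-password corpus (entries are made up for
# this example). Real services such as Have I Been Pwned index SHA-1 hashes and
# answer "range" queries: the client sends the first 5 hex digits of its hash
# and receives every suffix sharing that prefix (k-anonymity), so neither the
# password nor its full hash is transmitted.
_BREACHED_PLAINTEXTS = ["password", "Summer2023!", "P@ssw0rd", "letmein"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_prefix(password: str) -> str:
    """The only thing a k-anonymity lookup transmits: 5 hex digits (20 bits) of the hash."""
    return sha1_hex(password)[:5]


def _build_range_index(plaintexts):
    """Index breached hashes the way the range API serves them: prefix -> [(suffix, count)]."""
    index = {}
    for pw in plaintexts:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], 1))
    return index


_RANGE_INDEX = _build_range_index(_BREACHED_PLAINTEXTS)


def query_range(prefix: str):
    """Local stand-in for GET https://api.pwnedpasswords.com/range/<prefix> (assumed
    response: one SUFFIX:COUNT entry per hash that shares the 5-digit prefix)."""
    return _RANGE_INDEX.get(prefix.upper(), [])


def is_breached(password: str) -> bool:
    digest = sha1_hex(password)
    suffix = digest[5:]
    # The comparison happens on the client; the server never learns which suffix we wanted.
    return any(candidate == suffix for candidate, _count in query_range(digest[:5]))


def estimated_entropy_bits(password: str) -> float:
    """Upper-bound guessing entropy: log2(pool) bits per character, where the pool is the
    union of the character classes actually used. Real entropy is lower for dictionary
    words, dates and keyboard patterns; this only shows why length dominates symbols."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation or c == " " for c in password):
        pool += len(string.punctuation) + 1  # 32 punctuation characters plus space
    return len(password) * math.log2(pool) if pool else 0.0


def assess_password(password: str) -> dict:
    """The two checks a password manager runs on a candidate password."""
    return {
        "length": len(password),
        "entropy_bits": round(estimated_entropy_bits(password), 1),
        "breached": is_breached(password),
    }


if __name__ == "__main__":
    for candidate in ["password", "Au71985!", "I like sunny days!7"]:
        print(candidate, assess_password(candidate))
```

The 8-character seed and the 19-character passphrase both draw on the same 95-character pool, so the passphrase scores roughly 125 bits against about 53 for the seed; that gap is entirely due to length. The breach check is the reason a manager can warn you about a leaked password without ever uploading it.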
For financial institutions and other organizations that deal with sensitive information, it's critical to conduct due diligence on any software or application before implementation, including your password manager. If you're thinking of using a password manager for your personal accounts, here are some questions to consider: What's the reputation of the password manager? How long has it been around? Has it had a major data breach, and how did the vendor respond? Can the vendor read your passwords, or is the vault encrypted end to end with a key derived from your master password that never leaves your device? How is your data encrypted at rest and in transit? Answering these questions before choosing a password manager can help you determine a good fit. When developing your password creation and management strategy, the best path is to find a password scheme that works for you and leverage a trusted password manager that meets your needs.

Why Use Multi-Factor Authentication?

Since today's consumers have multiple online accounts to keep up with, it's no surprise that multi-factor authentication (MFA) is one of the four key behaviors for Cybersecurity Awareness Month. MFA shouldn't be considered optional on critical accounts, as it significantly reduces your risk of account takeover: a stolen or guessed password alone is no longer enough to log in. According to the National Cybersecurity Alliance 2022 research report, 43% of survey participants had never heard of MFA, an alarming statistic considering MFA's security advantages. MFA requires an additional proof of identity when logging into an account. One-time codes sent via text message or email are a common option and can be used if there is no alternative, but an authenticator application that generates time-based one-time codes on your device is a better choice, since SMS and email codes can be intercepted or redirected (for example through SIM swapping). Google, Microsoft and others offer authenticator applications for this purpose, and phishing-resistant factors such as FIDO2 security keys or passkeys are stronger still. While activating MFA adds an extra step to access your account, it could make the difference between a minor headache and a major setback.
If you skipped setting up MFA on your bank account because of the added friction when logging in, and your account is then breached and funds or your identity are stolen, you're likely to wish you had taken the time to set up that protection.

Mitigating Vulnerabilities by Updating Software

Before discussing the need to keep your software updated, let's first discuss the importance of regularly reviewing the software on your devices. Take inventory of the software installed on your devices and uninstall anything you don't need. Limiting the software on a device to only what's necessary reduces your exposure to vulnerabilities. After all, attackers can't exploit something that isn't there. Further, institutions should consider application allowlisting (often called whitelisting), meaning employees can only install pre-approved software or must obtain special approval for anything else. As tempting as it is to hit the "update later" button, don't wait when prompted to install a security update. Bad actors regularly seek out and exploit known vulnerabilities, and many software updates contain security fixes. When you do complete a software update, confirm that the old version was actually removed. Old applications often leave artifacts on a system even after an update completes, which means the patched vulnerabilities could still be present in the leftover copy. It's also wise to check an update's release notes so you can judge its urgency. Sometimes an update does not address a security vulnerability and only changes functionality for a feature you don't use; that need not be treated with the same urgency as a security update. Additionally, make sure you're granting your software only the permissions it needs. For example, if you install an app on your iPhone that doesn't require the camera or microphone, don't permit it to use them. As you regularly review your software, look for any unsupported software on your device.
Sometimes software owners disappear and stop issuing updates. This could mean that their software is already vulnerable or will become vulnerable in the future with no fix coming. Be sure to regularly take inventory of the software on your devices and uninstall anything you don't need.

How to Recognize and Report Phishing

Modern phishing schemes are often difficult to detect at first glance. The best general rule for phishing detection is to trust your gut: if something feels off, it probably is. If you receive an unexpected message that prompts you to urgently log in or open an encrypted document, exercise caution. Validate the message with the sender over the phone or in person, using contact details you already have, and do not simply reply to the email. While good email filtering tools will catch many suspicious messages, encrypted or password-protected attachments often bypass these tools because the filter cannot inspect their contents. Cyber criminals increasingly use encrypted documents to carry out phishing schemes since they seem official and secure, so it's imperative to be cautious. To make their messages seem even more legitimate, fraudsters are also using AI to write their phishing emails, which removes the spelling and grammar mistakes that used to give them away. The best defense against phishing and other social engineering schemes is vigilance. Always be on the lookout for red flags and question anything unusual. Even the most hyper-vigilant among us can let our guard down and click the wrong link, so it's important to have multiple layers of defense in place. That's where controls like MFA and cybersecurity monitoring become paramount. If you think you've been phished, contact your IT department and report the message rather than deleting it, so the rest of the organization can be warned.

What's the Difference between Spam and Phishing?

While spam and phishing can be connected, a cybersecurity-savvy user should know the difference between them. Spam is an unsolicited message, often sent to a bulk mailing list, that contains an advertisement. It is also known as junk mail. While annoying, spam does not always have malicious intent, though it can. Spam is also easier to identify than phishing because of its generic greetings, typos or unrealistic offers.
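To make the red flags from the phishing section concrete, here is an added example that is my code, not CSI's or the author's. It scans one email for the indicators a reviewer would check by hand: a display name that shows a different domain than the real sender address, a Reply-To that diverts replies elsewhere, link text that names one host while the href goes to another, punycode (xn--) hosts that can render as look-alike characters, and urgency language. The two messages, their domains and the IP address are all constructed for the example; the keyword list is a starting point, not a complete detector.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|verify your account)\b", re.I)
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
DOMAIN_IN_TEXT = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs so link text can be compared with its real target."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw_message: str) -> list:
    """Return human-readable red flags found in one single-part text/html email."""
    msg = message_from_string(raw_message)
    findings = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Display name that shows a domain the actual sender address does not belong to.
    for dom in DOMAIN_IN_TEXT.findall(display):
        if dom.lower() != from_dom:
            findings.append(f"display name shows {dom} but sender address is @{from_dom}")

    # 2. Reply-To pointing somewhere other than the From domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"Reply-To @{_domain(reply_to)} differs from From @{from_dom}")

    # 3. Link text naming one host while the href goes to another; punycode hosts.
    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "utf-8") if payload else ""
    collector = _AnchorCollector()
    collector.feed(body)
    for href, text in collector.anchors:
        target = _host(href)
        if URL_LIKE.fullmatch(text) and _host(text) != target:
            findings.append(f"link text says {_host(text)} but points to {target}")
        if any(label.startswith("xn--") for label in target.split(".")):
            findings.append(f"link target {target} uses punycode (possible look-alike domain)")

    # 4. Urgency language in the subject or body.
    hits = URGENCY.findall(msg.get("Subject", "") + " " + body)
    if hits:
        findings.append("urgency cues: " + ", ".join(sorted({h.lower() for h in hits})))
    return findings


# Constructed messages for the example; every domain, name and address is made up.
SUSPICIOUS_MESSAGE = """\
From: "security@bank.example" <alerts@bank-example-alerts.example>
Reply-To: recover@mailbox-relay.example
To: customer@example.net
Subject: Urgent: your account has been suspended
Content-Type: text/html; charset=utf-8

<p>Verify your account within 24 hours or access will be removed.</p>
<p><a href="http://198.51.100.7/login">https://bank.example/login</a></p>
<p><a href="http://xn--bnk-example-9qa.example/reset">Reset password</a></p>
"""

BENIGN_MESSAGE = """\
From: Alice Example <alice@bank.example>
To: customer@example.net
Subject: Your March statement is available
Content-Type: text/html; charset=utf-8

<p>Your statement is ready. <a href="https://bank.example/statements">View statement</a></p>
"""

if __name__ == "__main__":
    for name, raw in [("suspicious", SUSPICIOUS_MESSAGE), ("benign", BENIGN_MESSAGE)]:
        print(name, phishing_indicators(raw) or ["no indicators"])
```

None of these checks proves a message is malicious on its own, which is the point of the section above: they are the cues that should make you pick up the phone to the sender rather than click.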
Phishing entails an email or other message from a fraudster that appears to come from a legitimate source and seeks personal information or credentials. In other words, fraudsters drop a hook in the water in the form of a seemingly legitimate message containing an urgent call to action and hope that someone bites.

Prioritizing Your Cybersecurity Awareness

Though Cybersecurity Awareness Month is only designated for October, it pays to be cyber aware all year long. Familiarizing yourself and others with the behaviors discussed in this blog will improve your approach to cybersecurity and reduce your risk of becoming a victim. To learn more about strengthening your institution's cybersecurity posture, download our white paper.

Steve Sanders serves as CSI's chief risk officer and chief information security officer. In his role, Steve leads enterprise risk management and other key components of CSI's corporate compliance program, including privacy and business continuity. He also oversees threat and vulnerability management as well as information security strategy and awareness programs. With more than 15 years of experience focused on cybersecurity, information security and privacy, he draws on his strong background in audit, information security and IT security to help board members and senior management gain a command of cyber risk oversight.