This year marks the 20th anniversary of Cybersecurity Awareness Month. In recognition of the federal designation, we’re taking a closer look at cybersecurity recommendations from the Cybersecurity and Infrastructure Security Agency (CISA) and adding in a few of our own.
What can organizations do to better protect what they own?
Cybersecurity Awareness Month aims to raise awareness about the importance of cybersecurity across public and private sectors. This year, CISA announced a new program, Secure Our World, focused on the proactive measures individuals can take everyday to protect themselves from cyber threats. You can check out CISA’s overview of the program here.
In addition to recommendations for individuals, CISA has shared basic steps that businesses can take to protect themselves from online threats. These should sound familiar. If you’ve overlooked a few, or if it’s been a minute since you’ve given thought to how these measures are enforced, now is a great time to revisit.
1. Teach Employees to Avoid Phishing
Though one of the oldest hacks in the book, phishing has stuck around for a reason: it continues to work. That’s why educating employees on what phishing is and how to avoid is critical. CISA recommends that companies train employees on how to spot the basic signs of phishing, emphasize the risks of a successful attack, and reiterate this messaging often. For good measure, organizations can also reinforce employee training with test phishing campaigns.
Check out CISA’s blog on tips to avoid phishing.
2. Require Strong Passwords
That’s right, we’re still talking about the need for strong passwords in 2023. But as with phishing, it’s for good reason. Hackers continue to see success when weak passwords are all that stand in the way of system access. Do the passwords your organization requires meet CISA’s standards? According to CISA, passwords should be:
- At least 16 characters or longer
- Random (mixed-case letters, symbols, and numbers)
- Unique; used for only one account
Password managers should also be used to store and protect passwords, particularly when multiple employees need to access the same password for a shared tool. Password managers make it possible to share password information across the organization safely. Long gone should be the days of shared spreadsheets labeled “Passwords”.
3. Enforce Multifactor Authentication
Strong passwords are important, but CISA recommends that organizations also use Multifactor Authentication (MFA) to verify user identify. MFA tools typically send push alerts or text messages with unique codes that employees must then validate before login is complete. CISA advises that MFA be used throughout an organization as widely as possible, with particular focus on systems that are frequent targets of attacks, like email, file storage, and VPNs. Organizations can go a step further to protect themselves with Phishing Resistant MFA, which involves the use of an external security key to prove identity. You can learn more Phishing Resistant MFA here.
4. Update Business Software
Updating business software is another basic security hygiene practice that can get overlooked when employees don’t receive adequate training and security teams don’t follow up. Teams should enable automatic updates whenever possible, and regularly educate employees on the importance of software updates, particularly if employees are working remotely.
CISA also recommends that businesses make an inventory of authorized hardware and software to identify and remove any unsupported and unauthorized assets. Which leads us to a few tips of our own…
Other Considerations to Keep in Mind
5. Know What You Own
You can’t protect what you can’t see! Security teams that lack visibility into the entirety of their attack surface are at a disadvantage against threat actors. Research finds that nearly 7 in 10 companies have experienced at least one attack on unknown or unmanaged assets. External Attack Surface Management solutions can provide the automated, continuous visibility into the full attack surface (including unknown assets) that teams need to successfully monitor and manage what they own.
6. Remember: “Good Data” Isn’t Good Enough
Your security tools are only as effective as the internet intelligence that powers them. Many security teams overlook exposures and threats because they rely on disparate, inaccurate data streams that waste critical time with low quality data and false positives. If your security team frequently spends time sifting through false positives, or lacks a complete view of its threat landscape, consider if your internet intelligence is truly superior.
Superior internet intelligence is:
1.) Complete (as in, data is based on multi-perspective scanning with global coverage)
2.) Accurate (false positives and negatives are kept to a minimum)
3.) Contextualized (data is labeled and easy to filter)
Check out this blog post for more insight into how to assess your data.
You can find more information about Cybersecurity Awareness Month from CISA here.
Interested in learning how Censys can help support your cybersecurity strategy? Reach out to us!