It’s October again, an important month on the cybersecurity calendar as the world marks Cybersecurity Awareness Month (CSAM).
While CSAM began as an initiative in the United States as a collaboration between the U.S. Department of Homeland Security and the National Cyber Security Alliance (NCSA), businesses and individuals from across the globe now eagerly participate to promote tips and advice for better cyber safety. Just have a look at NCSA’s website, which features an impressive list of CSAM champions (MailGuard included), or glance at social networks like Twitter, which contain a plethora of posts featuring cybersecurity tips related to this year’s theme: “Do Your Part. #BeCyberSmart.”
The ongoing energy and enthusiasm behind CSAM is encouraging. With the number and scale of cyber-attacks impacting businesses growing at an alarming rate, I applaud the initiative and I am proud to see MailGuard act as a champion of its message. We all see stories of the financial ruin, reputational damage and heartache caused by cybercrime in the news daily, so these initiatives are vital to inform and remind people of the importance of cybersecurity vigilance.
If 2020 brought major disruptions to our online & offline worlds, it also brought major changes to the cyberthreat landscape. The recently released Microsoft Digital Defense Report 2020 made “it clear that threat actors have rapidly increased in sophistication over the past year, using techniques that make them harder to spot and that threaten even the savviest targets.”
The acceleration of email-based cybercrime in the form of phishing & BEC attacks is a primary concern in the current climate, with the report stating that:
- Over 13B malicious and suspicious emails were blocked in the past year, out of which more than 1B were URLs set up for the explicit purpose of launching a phishing credential attack.
- In past years, cybercriminals focused on malware attacks. More recently, they have shifted their focus to phishing attacks (~70%) as a more direct means to achieve their goal of harvesting people’s credentials.
In another blog post, Andrew Conway, General Manager, Microsoft Security warned of a rise in email-based cybercrime exploiting the COVID-19 pandemic, stating that “Microsoft Threat Intelligence teams reported a spike in COVID-19 attacks in early March as cybercriminals applied pandemic themed lures to known scams and malware. Business leaders reported phishing threats as the biggest risk to security in that same timeframe, with 90% indicating that phishing attacks have impacted their organisation. More than half said clicking on phishing emails was the highest risk behaviour they observed and a full 28% admitted that attackers had successfully phished their users”.
I highlight these figures because they help provide context to the war against cybercrime that we’re fighting, reminding us that cybercrime is getting more complex, opportunistic & targeted. This CSAM is like no other, because it provides us with an opportunity to empower our teams to make the right security choices at a time when it is needed the most. Right now, is a pivotal moment in the struggle for control of our online world, as workforces become more remote and are exposed to increased cybersecurity risks. Criminal organisations and scammers are diving into the tiniest of gaps in our cybersecurity strategies.
CSAM is a timely opportunity to renew our focus on filling those gaps in this period of heightened risk. It assists in making our employees more resilient and improving our first line of defence. Sharing tips with our teams on picking strong passwords, for example, or reminding them to safeguard connected devices with multi-factor authentication (MFA) can go a long way in thwarting cyber-attacks that hold the potential to cause catastrophic damage. Some of these may be reminders to practice the basics, but as Microsoft states, the importance of going back to the basics can never be underestimated: “Given the leap in attack sophistication in the past year, it is more important than ever that… people focus on the basics, including regular application of security updates, comprehensive backup policies, and, especially, enabling multi-factor authentication (MFA). Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks.”
Knowledge is power, and CSAM allows us an opportunity to share learnings, and protect our networks, communities, businesses & teams. Use it to revisit conversations with your CISOs on enhancing your cybersecurity strategies, including the technologies & processes currently in place. In the context of email security for example, we know that nine out of 10 businesses are being impacted by phishing, even when most have an email security solution in place. We can’t assume that’s as good as it gets, especially with email-based cybercrime evolving in speed and sophistication every day. Don’t accept that risk. No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, using a third-party cloud email solution like MailGuard 365 to complement Microsoft 365.
One of my favourite things about CSAM’s theme this year is the importance it places on the fact that everyone has a role to play in the war against cybercrime. It reminds us that securing our businesses’ data and networks hinges on the actions of every single member of our team. Whether it’s the CEO, CTO or a newly hired employee, everyone is a potential vulnerability, and also an asset.
Let’s continue playing our part and #BeCyberSmart not only during this month, but all year long. You can begin by sharing these 5 cyber reminders from NCSA with your teams that can assist in improving their cyber hygiene:
1) THINK BEFORE YOU CLICK
If you receive an enticing offer via email or text, don't be so quick to click on the link. Instead, go directly to the company's website to verify it is legitimate. If you're unsure who n email is from-even if the details appear accurate-or if the email looks "phishy," do not respond and do not click on any links or open any attachments found in that email as they may be infected with malware.
2) WHEN IN DOUBT, THROW IT OUT
Links in email, tweets, texts, posts, social media messages and online advertising are the easiest way for cyber criminals to get your sensitive information. Be wary of clicking on links or downloading anything that comes from a stranger or that you were not expecting. When available, use the "junk" or "block" option to no longer receive messages from a particular sender. Don't trust those links.
3) LOCK DOWN YOUR LOGIN
Create long and unique passphrases for all accounts and use multifactor authentication (MFA) wherever possible. MFA will fortify your online accounts by enabling the strongest authentication tools available, such as biometrics or a unique one-time code sent to your phone or mobile device. Use password managers to generate and remember different, complex passwords for each of your accounts.
4) SHARE WITH CARE
Think before posting about yourself and others online. Consider what a post reveals, who might see it and how it might affect you or others. Consider creating an alternate persona that you use for online profiles to limit how much of your own personal information you share.
5) GET SAVVY ABOUT WIFI HOTSPOTS
Public wireless networks and hotspots are not secure, which means that anyone could potentially see what you are doing on your laptop or smartphone while you are connected to them. Limit what you do on public WiFi and avoid logging in to key accounts like email and bank accounts. Consider using a virtual private network (VPN) or a personal/mobile hotspot if you need a more secure connection.
Have a great Cybersecurity Awareness Month, everybody!
