October is Cybersecurity Awareness Month! Celebrate with these tips.
Several months ago, there was a cybersecurity incident at my employer that was disclosed publicly this month, as required by federal law. The intrusion was discovered the same day the bad actor first got access, but it was just another reminder of how vulnerable our most important, personal information is to cyber threats.
With the recent incident, my employer is taking affirmative steps to increase cybersecurity. And that is a perfect kick-off to Cybersecurity Awareness Month.
Since 2004, the President of the United States and Congress have declared October to be Cybersecurity Awareness Month, a time dedicated to having the public and private sectors work together to raise awareness about the importance of cybersecurity.
I have written a few emails to family and friends today to update them on best practices, and I am summarizing these best practices into one update post here so that everybody can learn more!
Four first steps for increasing your defenses
Random passwords. Creating random, unique passwords is the first line of defense against attack.
Multifactor authentication. There are generally five versions of multifactor authentication being used right now. The best is a physical key, a USB or NFC device that only you can use. Second best are passkeys, which are tied to your Apple or Google accounts and thus are easy to keep track of while still being super secure. Third best are time-based codes, like with Google Authenticator. These are easier for accounts where you want to help somebody log in, but that invites risk. The fourth best are email codes, which are sent encrypted. The fifth best, which you should avoid, are SMS codes, which are not encrypted.
Password manager. Using one or more password managers, as makes sense for you, is an easy way to lighten the burden of living with random, unique passwords. I recommend using Apple iOS and Google Chrome password managers, which are free and sync across devices. You can also use other password managers from other developers.
Think before you click. When we are tired or curious, we can click on things that are not good for us. I did not click on my bank's email for Cybersecurity Awareness Month. I instead went to CISA and my bank directly just in case it was a spearphishing email.
Additional tips that I myself have developed
Random username. I do business with two financial institutions that both use usernames that are not your email. This was cool in 1995, but it can actually act like a second password in 2024. I had both of them as something that would be easy to guess or search for, but updated them both to random, unique strings like a password. This will make it even harder to hack into my accounts.
Random email. In a similar fashion, there are many ways to create alias emails for your online accounts. About a year ago, I noticed that I was getting a lot of notifications of other people trying to reset the password on my Facebook account. Essentially, the bad actor knew my personal email address, and then would try to reset the password. This is a very serious threat if SMS text (unencrypted) is your only multifactor. So I set up an alias email that is not the same as my personal email, but redirects emails to my personal email. When somebody now tries to reset the password, it’s impossible to verify the email address on file. It worked!! No more attempts anymore.
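For readers comfortable running a short script, here is one way to generate the random password, random username and random alias email described above in a single step. It is an example added here, not code from the original post or from any password manager; the alphabets, the lengths, the function names and the `alias.example` domain are assumptions for illustration.

```python
import math
import secrets
import string

# Assumed alphabets and lengths; adjust them to each site's rules.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
HANDLE_ALPHABET = string.ascii_lowercase + string.digits


def random_string(alphabet, length):
    """Pick each character independently from the operating system's CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_password(length=20):
    """Random password with at least one lowercase, uppercase, digit and symbol."""
    if length < 4:
        raise ValueError("length must allow one character of each class")
    while True:
        # Redraw the whole string instead of patching characters in, so every
        # acceptable password stays equally likely.
        candidate = random_string(PASSWORD_ALPHABET, length)
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(not c.isalnum() for c in candidate)):
            return candidate


def random_handle(length):
    """Lowercase handle that starts with a letter, usable as username or alias."""
    first = secrets.choice(string.ascii_lowercase)
    return first + random_string(HANDLE_ALPHABET, length - 1)


def entropy_bits(alphabet, length):
    """Upper bound on guessing entropy for a uniformly random string."""
    return length * math.log2(len(set(alphabet)))


def new_account_credentials(alias_domain, used_passwords=()):
    """One unique password, username and alias email for a single account."""
    password = random_password()
    while password in used_passwords:  # never reuse a password across accounts
        password = random_password()
    return {
        "password": password,
        "username": random_handle(14),
        "alias_email": random_handle(12) + "@" + alias_domain,
    }
```

Store the generated values in your password manager right away, since none of them are meant to be memorized.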
Happy Cybersecurity Awareness Month! Take a half hour today to reset important passwords to random, unique passwords, especially for targeted accounts like online banking or fintech apps.