The Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) have identified four key areas where we can all take action to protect our presence online, and work to keep others safe.
Think Before You Click
The idea here is simple: always be on the lookout for phishing attempts.
Threat actors know which routine emails business owners are used to receiving, and they can imitate those emails with relative ease. Before clicking any link in an email, check where it actually leads: hover over it (or long-press on a phone) and confirm that the destination domain is the one you expect, not a look-alike domain or an unrelated site. The visible link text and the real destination can differ, and that difference is exactly what phishing relies on.
Even more important than checking links in emails you are used to receiving is checking links in emails you aren't expecting. Staying vigilant and verifying the actual URL before you click defeats most of these attacks.
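The check described above can be automated for a whole message. The following is an added example, not code from the original article: it pulls every link out of an HTML email body, compares the real destination with the domain the sender normally uses and with the text the link displays, and flags punycode hostnames that can hide look-alike characters. The email body is constructed for illustration, and the "expected" sender domain (`example.com`) is an assumption about what this recipient normally receives.

```python
"""Flag suspicious links in an HTML email body.

Added example, not code from the original article. SAMPLE_EMAIL is constructed
for illustration; EXPECTED_DOMAIN is an assumption about the sender.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a message imitating a routine "your invoice is ready" mail.
SAMPLE_EMAIL = """
<p>Your invoice is ready.</p>
<a href="https://billing.example.com/invoice/123">billing.example.com</a><br>
<a href="http://example.com.login-verify.net/session">https://example.com/login</a><br>
<a href="https://xn--exmple-cua.com/reset">example.com</a><br>
<a href="https://example.com/help">Help center</a>
"""

EXPECTED_DOMAIN = "example.com"  # assumption: the domain this sender normally uses


def registrable_domain(host):
    """Crude last-two-labels domain; production code should use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text, expected_domain):
    """Return the reasons this link looks like phishing (empty list = clean)."""
    reasons = []
    host = urlparse(href).hostname or ""
    target = registrable_domain(host)

    # 1. The destination is not the domain this sender normally uses.
    if target != expected_domain:
        reasons.append(f"destination {host} is not {expected_domain}")

    # 2. The visible text looks like a URL or domain but points somewhere else.
    if "." in text and " " not in text:
        shown = text if "://" in text else "https://" + text
        shown_host = urlparse(shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != target:
            reasons.append(f"displays {shown_host} but links to {host}")

    # 3. Punycode labels (xn--) can encode look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append(f"internationalized hostname {host}")

    return reasons


def scan_email(html, expected_domain):
    """Map each href in the message to its list of warning reasons."""
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text, expected_domain) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL, EXPECTED_DOMAIN).items():
        print(("SUSPICIOUS " if reasons else "ok         ") + href)
        for reason in reasons:
            print("    " + reason)
```

Run against the sample, the two legitimate links come back clean, the `login-verify.net` link is flagged twice (wrong destination, and displayed text that disagrees with the href), and the punycode link three times. The domain split is deliberately crude; anything beyond a demonstration should use the Public Suffix List so that `example.co.uk` is not reduced to `co.uk`.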
Update Your Software
One of the best ways to stay secure is to make sure every piece of software you use receives the latest security updates promptly. That means keeping your core software up to date, along with everything that runs on or alongside it.
The majority of the targeted attack attempts we see try to exploit vulnerabilities in outdated software. Once a vulnerability becomes known, threat actors also know that enough business owners leave outdated versions running to make exploiting it worthwhile. Simply applying updates to all of your software is one of the easiest ways to take that opportunity away.
Use Strong Passwords – and a Password Manager
It can't be stated enough: passwords need to be as strong as possible. Threat actors have been trying to get into user accounts since the dawn of modern computing, and they have a range of tools for guessing or "cracking" passwords. The stronger the password, the lower their chance of success. Length matters most: current recommendations call for a minimum of 16 characters wherever possible. Each password should be used for exactly one account, so you need a strong, unique password for every account you have, from your bank to Gmail and everything in between.
While a unique password for every account may sound like overkill, there is a very good reason for it. An attack known as credential stuffing is prevented simply by never reusing a password. Credential stuffing means taking known username and password pairs and trying them against as many sites as possible. When credentials leak in a data breach, are stolen through phishing, or are otherwise obtained by a malicious actor, that actor can often get into several other accounts, such as Gmail, your bank, and of course your website, just by replaying the same credentials there.
Another common way of guessing a password is a dictionary attack: trying lists of common passwords, and sometimes seemingly random strings, in the password field until one grants access. In the last 30 days, Wordfence blocked 4,239,859,063 password attack attempts, which highlights how important a strong password is for keeping malicious actors out of accounts.
Using long passwords that are unique for each account can seem intimidating, especially once you consider that the average person has around 100 accounts that need passwords. This is where password managers come in. Most password managers can generate strong passwords for you, store them securely, and fill them into login forms. There are many password managers available, each with its own features and use cases. Which one you use matters far less than the fact that you use one, so pick the one that fits your needs best.
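The two attacks just described leave different footprints in a login log, and telling them apart matters because a successful credential-stuffing hit means that account's password is reused somewhere that was breached. The following is an added example, not code from the original article or from Wordfence: it parses a constructed failed-login log, groups attempts by source IP, and labels each source as credential stuffing (many accounts, one or two tries each), a dictionary attack (one account, many tries) or normal. The log format, the sample lines and the thresholds are all assumptions for illustration.

```python
"""Tell credential stuffing from dictionary attacks in failed-login logs.

Added example, not code from the original article. The log format, the
sample lines and the thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict

# Constructed sample log: one stuffing source, one dictionary source, one human.
SAMPLE_LOG = """\
2024-10-01T12:00:01Z ip=203.0.113.5 user=alice@example.com result=fail
2024-10-01T12:00:02Z ip=203.0.113.5 user=bob@example.com result=fail
2024-10-01T12:00:02Z ip=203.0.113.5 user=carol@example.com result=fail
2024-10-01T12:00:03Z ip=203.0.113.5 user=dave@example.com result=fail
2024-10-01T12:00:03Z ip=203.0.113.5 user=erin@example.com result=fail
2024-10-01T12:00:04Z ip=203.0.113.5 user=frank@example.com result=fail
2024-10-01T12:00:04Z ip=203.0.113.5 user=grace@example.com result=success
2024-10-01T12:00:05Z ip=198.51.100.7 user=admin result=fail
2024-10-01T12:00:05Z ip=198.51.100.7 user=admin result=fail
2024-10-01T12:00:06Z ip=198.51.100.7 user=admin result=fail
2024-10-01T12:00:06Z ip=198.51.100.7 user=admin result=fail
2024-10-01T12:00:07Z ip=198.51.100.7 user=admin result=fail
2024-10-01T12:00:07Z ip=198.51.100.7 user=admin result=fail
2024-10-01T12:00:08Z ip=198.51.100.7 user=admin result=fail
2024-10-01T12:00:08Z ip=198.51.100.7 user=admin result=fail
2024-10-01T12:00:09Z ip=198.51.100.7 user=admin result=fail
2024-10-01T12:00:09Z ip=198.51.100.7 user=admin result=fail
2024-10-01T12:01:30Z ip=192.0.2.44 user=heidi@example.com result=fail
2024-10-01T12:01:41Z ip=192.0.2.44 user=heidi@example.com result=success
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(fail|success)$")

# Assumed thresholds: tune these against your own baseline traffic.
MIN_ATTEMPTS = 5          # ignore sources with fewer attempts than this
STUFFING_MIN_USERS = 5    # many distinct accounts, one or two tries each
DICT_MIN_PER_USER = 8     # one account hammered with many guesses


def parse_log(text):
    """Yield (timestamp, ip, user, result) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def classify_sources(events):
    """Group events by source IP and label each source.

    Returns {ip: {"label": ..., "attempts": n, "users": k, "hits": [users]}}
    where "hits" lists accounts the source logged into successfully.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "fails": defaultdict(int), "hits": []})
    for _ts, ip, user, result in events:
        entry = per_ip[ip]
        entry["attempts"] += 1
        if result == "fail":
            entry["fails"][user] += 1
        else:
            entry["hits"].append(user)

    report = {}
    for ip, entry in per_ip.items():
        fails = entry["fails"]
        distinct = len(fails)
        max_per_user = max(fails.values(), default=0)
        if entry["attempts"] < MIN_ATTEMPTS:
            label = "normal"
        elif distinct >= STUFFING_MIN_USERS and max_per_user <= 2:
            # Breadth, not depth: one or two tries per account is the
            # signature of replaying leaked username/password pairs.
            label = "credential_stuffing"
        elif max_per_user >= DICT_MIN_PER_USER:
            # Depth on a single account: wordlist or brute-force guessing.
            label = "dictionary_attack"
        else:
            label = "suspicious"
        report[ip] = {"label": label, "attempts": entry["attempts"],
                      "users": distinct, "hits": entry["hits"]}
    return report


if __name__ == "__main__":
    for ip, info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip:15} {info['label']:20} attempts={info['attempts']} "
              f"users={info['users']} hits={info['hits']}")
```

The point of the `hits` field is the follow-up action: a successful login from a source labelled `credential_stuffing` (here `grace@example.com`) is not a false positive to ignore but an account whose password is reused and should be reset, whereas the dictionary source against `admin` is answered by rate limiting and a long password.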
This is the one I use. You can use the free version but for $3/mo you can access your passwords on multiple devices. You can install it on your web browser and it will automatically ask you if you want to save the credentials when you log in. It will also randomly generate passwords for you when you sign up for services. There’s also a mobile app so it will help you on ALL your devices.
This one is also $3/mo. You can create, autosave and autofill passwords. Browser and mobile apps help you use this seamlessly on ALL your devices. There are also family plans so you can protect everyone.
Enable Multi-Factor Authentication
While strong passwords are important, enabling multi-factor authentication (MFA) is one of the most effective ways to prevent unauthorized account access. According to details provided in a White House press briefing, 80-90% of all cyber attacks can be prevented by implementing MFA. MFA takes various forms, but the basic idea is that you combine something you know (a password) with something you are (biometrics) or something you have (a smartphone or a USB security key) to gain access.
What makes MFA so effective is that it requires at least one additional factor that a malicious actor who has stolen the first one is unlikely to possess. Even if a threat actor obtains a username and password through a phishing scam, they still lack the smart card, MFA token, or other factor required to log in. One caveat: a one-time code that you type into a web page can still be phished in real time by a site that relays it, so a USB security key, which checks the site it is talking to, is the strongest of these options. Most MFA methods are also simple for the authorized user, and combined with strong unique passwords kept in a password manager they can be more convenient than trying to remember password variants that satisfy each account's rules.