Cybersecurity awareness month

Cybersecurity Awareness Month, or Cyber Month, has been going strong every October since 2004.

It started as a joint effort by the U.S. Department of Homeland Security (DHS) and the National Cyber Security Alliance (NCSA), aiming to raise awareness about the importance of staying safe online.

The goal was simple: help individuals and businesses protect themselves from the growing number of online threats.

Fast forward 20 years, and we are still working together to spread awareness and make the digital world safer for everyone. Each year brings a fresh theme, and this year it’s all about ‘Secure Our World’.

What are the ‘Secure Our World’ topics?

Cybersecurity Awareness Month 2024 is focussed on four key areas.

Be secure

Use strong passwords and a password manager

Extra protection

Turn on multifactor authentication

No gaps

Update your software regularly

Be vigilant

Recognise and report phishing

Overconfidence in cybersecurity

You might be wondering, “why is this campaign still necessary after 20 years?” Despite all the progress made, there’s still a significant gap between confidence and reality when it comes to cybersecurity.

From what we’ve seen firsthand as a business, and what external reports confirm, many organisations feel overly confident in their cybersecurity posture. This often contrasts with the realities they face, particularly after experiencing incidents like ransomware, insider threats, malware, or phishing attacks.


Use strong passwords and a password manager

We are poor at creating passwords. People think in similar ways, and consequently the patterns we use to put a password together are also very similar.

According to Kaspersky, smart AI-driven algorithms cracked 87 million passwords in under 60 seconds. To top this off, AI can now analyse keystrokes very quickly, making it easier to break passwords.

So what can we do to help combat this? Last year, the NCSC and other organisations suggested using three unrelated words for passwords. Make sure each password is unique for every service you use. This way, if one password is compromised, it won’t affect other accounts.

To create truly strong passwords, use a password manager. Password managers generate unique, complex passwords for every service and store them for you, so you don’t have to remember them yourself.

But strong passwords alone aren’t enough.

Turn on multifactor authentication

Despite the benefits of MFA, adoption varies significantly. While over half of businesses worldwide implement some form of MFA, only 4% utilise phishing-resistant MFA, which provides a stronger defence against sophisticated attacks, including those leveraging social engineering tactics.

Example services you can use for MFA:

  • Microsoft Authenticator: This mobile app generates time-based codes for logging into various services, providing a reliable second factor.
  • FIDO2 Keys: Hardware tokens, such as YubiKeys, use public key cryptography to provide a strong, phishing-resistant authentication method.
  • Certificate-Based Authentication: This method uses digital certificates to authenticate users, ensuring that only devices with the correct certificates can access the system.
  • Third-Party Passkeys: Solutions like Google Passkeys or Apple Passkeys use public-key cryptography for passwordless authentication.

Less secure options like SMS and voice forms of MFA are also available, but please consider the security implications of using these.

Why are we highlighting this? Because not all MFA is created equal. Watch our video on ‘How to Bypass MFA’ and you’ll see what we mean.

Update your software

When a pop-up appears asking you to update your software, do you accept or decline?

It’s easy to click decline. But this seemingly simple decision can have major consequences. Although it’s tempting to click “Remind me later” and continue working, updating your software is critical to the security and efficiency of your system.

Many organisations are reluctant to update their software because they’re afraid of change, don’t want to stretch their budget and are comfortable sticking with what they know.

How can hackers exploit this?

  1. They often start by scanning networks for systems running outdated versions of software. Tools like Nmap can detect software and its version and show whether it’s out of date.
  2. Once they have found outdated software, hackers turn to publicly available databases such as the Common Vulnerabilities and Exposures (CVE) list, which lists known vulnerabilities.
  3. Armed with this information, hackers use exploit kits or their own scripts to exploit these vulnerabilities.

For example, they could use a known exploit to gain unauthorised access, inject malware or steal sensitive data. These attacks are often automated and allow hackers to quickly attack multiple systems.

Regular software updates are important because they close these vulnerabilities and make it harder for hackers to succeed. Without updates, outdated software remains an easy target for cybercriminals, which can lead to security vulnerabilities and significant damage.

Recognise and report phishing

Phishing attacks have become more sophisticated. This has resulted in a 52% increase in impersonation and social engineering attacks. Why is phishing such a significant threat? Because it exploits human vulnerability.

Businesses are putting tremendous amounts of energy and emphasis into employee security and awareness training. On top of this, reducing the volume of phishing emails coming into your organisation is simply not going to happen. So, we must be proactive, not reactive, and take the burden off our employees.

Email hygiene

The basics of email hygiene (SPF, DKIM and DMARC) validate the authenticity of email domains, ensuring that the originating source is legitimate. But simply enabling these protocols isn’t enough; they must be configured correctly and monitored. For example, where look-alike domains are registered and set up, these need to be blocked immediately.
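To make the “configured and monitored” point concrete, here is an added example (not code from the original post or from CloudGuard) that scores a domain’s SPF and DMARC records: a permissive SPF terminator and a `p=none` DMARC policy with no reporting address are flagged as weak, while `-all` plus `p=reject` with `rua=` passes. The TXT records are constructed sample strings for offline use; in practice they would come from DNS lookups of the domain and `_dmarc.<domain>`.

```python
# Constructed sample TXT records for two hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ?all",          # neutral: anyone passes
        "dmarc": "v=DMARC1; p=none;",                          # monitor-only, no reports
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.example.net -all",          # hard fail for others
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; pct=100;",
    },
}

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; rua=...' into a dict of lower-cased tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_email_hygiene(spf, dmarc):
    """Return a list of findings describing weak settings; an empty list means OK."""
    findings = []
    # SPF: the final 'all' mechanism decides what happens to unlisted senders.
    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF: record missing or malformed")
    else:
        mechanisms = spf.split()
        last = mechanisms[-1].lower() if len(mechanisms) > 1 else ""
        if last in ("+all", "all", "?all"):
            findings.append(f"SPF: '{last}' lets any host pass; use -all (or ~all)")
        elif last not in ("-all", "~all"):
            findings.append("SPF: no terminating 'all' mechanism")
    # DMARC: policy must actually block, and reports must go somewhere to be monitored.
    tags = parse_dmarc(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: record missing or malformed")
    else:
        policy = tags.get("p", "").lower()
        if policy != "reject":
            findings.append(f"DMARC: p={policy or 'missing'} does not block spoofed mail; move to p=reject")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so aggregate reports are never collected")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail flow")
    return findings

if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        print(domain, check_email_hygiene(**records) or ["OK"])
```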

AI and email security

As attackers increasingly use AI to craft sophisticated phishing campaigns, such as typo-squatting and deceptive domains, traditional email security tools are being evaded. This is where modern AI-driven behavioural email security comes in. It adds crucial layers of protection before emails reach users.

How does it help? AI and machine learning strengthen email security by analysing both incoming and outgoing emails, detecting anomalies and suspicious patterns to identify potential threats. These are sandboxed, investigated, and tested against behavioural analytics to verify legitimacy. All before reaching the end user.

Resources for Cybersecurity Awareness Month

Security configuration checklist

A staggering 88% of UK companies experienced a cybersecurity breach in the last 12 months. To help improve your security posture, we’ve created this handy checklist of maintenance tasks.


How to Bypass MFA 

Not all forms of multifactor authentication offer the same level of protection. Watch our video to see how hackers utilise social engineering to bypass MFA in real time.


Critical Chatter

Stay updated on the latest cybersecurity news with Critical Chatter, curated by our security analysts. Subscribe on LinkedIn for weekly insights into attacks, trends, and news.

Need more help? Book a free chat with our cybersecurity experts to get answers to your biggest challenges. No sales pitch. Just free advice.