As part of our 2019 IAM Insight Jam, we’re having experts from across the identity and access management world participate in providing guest posts and insights! For this article, we’ve asked Andy Smith, Vice President of Marketing at Privileged Access Management provider Centrify to comment on cybersecurity awareness!
Take it away Andy!
4 Ways to Increase Your Cybersecurity Awareness and Thwart Attacks
By Andy Smith
October was National Cybersecurity Awareness Month, a time to remind all Americans about the importance of cybersecurity and help them take steps to be safer and more secure online. After all, the bad guys keep getting better at what they do. Last year, they racked up $2.7 billion in cyber thefts, a dramatic increase from $800.5 million in 2014, according to the FBI’s Internet Crime Complaint Center.
Each of us has a responsibility to protect ourselves and our organizations from cybersecurity threats, and not just for one month out of the year. However, people tend to adopt different attitudes and practices toward their personal and professional cybersecurity.
What can you do to protect yourself against modern threats both at home and in the office? Here are four cybersecurity best practices to live by in both your personal and professional life.
1. Make Your Password as Strong as Possible
Let’s face it: we’re all human. Humans do dumb things sometimes. That means some of us probably use the same weak passwords for multiple accounts in our personal lives. Even if our favorite sites make us change our passwords, we often do the bare minimum and change the least amount of characters we can get away with.
Everyone knows passwords should contain a mixture of upper- and lowercase letters, numbers, and special characters, but that doesn’t mean we do it. Use a password manager – it will create long, difficult passwords and manage them for you. It goes without saying that you should immediately change your password in the case of a known data breach. Modern password managers will even notify you and help you update them.
On the corporate side, it’s even more important to go above and beyond when it comes to password hygiene. Say, for example, you have a privileged account at work that gives you access to your company’s most critical systems and sensitive data. If you have an easy-to-guess password—or worse, a shared account with a default password—you are making that asset an easy target for attackers.
So, yes, strong passwords are a must but use the tools available like a password manager at home and at work. Your organization should enforce frequent password changes and use single sign-on (SSO). Privileged credentials should at least be stored in a password vault, and use federation and temporary token.
2. Learn to Love MFA
Multi-factor authentication (MFA), a technology commonly used in the corporate world, is now becoming more available in our personal lives. With MFA, the user is required to confirm their identity with another factor other than just a username and password. For example, receiving a code via text message or push notification to respond to before being allowed access.
A broad range of consumer apps—including most Google apps, banking apps, healthcare and insurance accounts, etc.— now offer or require these extra proof points. It’s a good way to ensure that access requests are “double-checked” before being allowed access, and MFA has become much less obstructive than in the past.
In a corporate setting, the same MFA practices used for “regular” employees should also be employed for privileged users. Why would an organization assume that a username and password for a database, container, or server doesn’t require an additional factor of verification? Organizations should start by implementing MFA Everywhere, an approach aimed at securing all business identities against compromised credentials without slowing down users. This also applies to privileged access, adding an additional security check at login, at the password vault, and at privilege elevation
3. Don’t Take the Phish Bait
Nowadays, many people are wise to emails with telltale signs like blurry logo images, misspellings, and off-brand messaging, but phishers have gotten smarter too. Recently, we’re seeing phishing continue to evolve. It’s not always emails that are used to hook you, it’s increasingly text messages (“smishing”) and other messaging platforms. It’s not hard to image phishing attacks coming over Slack or Zoom in the near future.
When it comes to corporate users, one of the common tactics cyber attackers use is spear-phishing, which targets specific users based on their role, rights, and responsibilities. A simple LinkedIn search can identify who in your organization might have privileged access, and from there, bad actors engineer a spearphishing attempt to try and obtain their credentials for the “keys to the kingdom.”
They find out as much about that person as they can, such as their company, role, organization structure, etc. They’ll send an “urgent” email from the employee’s boss asking for their credentials. The first step in stopping spear-phishing is training employees to recognize, avoid and report any suspicious emails or messages. Vigilance is still the best defense.
4. Minimize Your Attack Surface
How many connected devices are in your home? Some are obvious, like laptops and smartphones. What about smart thermostats, smart appliances, gaming consoles, baby monitors, or even your car? The list grows quickly when you spend time thinking about it. Each of these devices is a potential exposure point for cyber attackers who want to hack into your home network and gain access to your accounts. All it takes is one unprotected device to put your personal data at risk.
The increase in connections are an even bigger concern in the corporate world. Current estimates put the number of connected IoT devices somewhere between 20-30 billion globally, and there could be more than 75 billion connected devices by 2025. However, it’s not just connected devices that are increasing the threatscape. There are potentially trillions more attack surfaces in the form of cloud services, containers, Big Data projects, etc.
So, what can your organization do to address the growing threatscape? First, realize that the number of resources to protect is increasing exponentially, and each has to have its own identity. Managing local accounts on all of these is not practical. A centralized authentication federation service is paramount. Second, we are storing more data than ever in history. We must be vigilant.
Lastly, the old days of humans logging into servers is over. Now everything is automated. Services are talking to services. Strong access and least privilege controls must be automated too.
We all have an important role to play when it comes to protecting ourselves, our data, and our organization from cybersecurity threats. It’s incumbent on all of us to take the necessary steps to increase our resilience against cyber threats and better protect ourselves both in the home and at the office. That’s the only way we’ll beat the bad guys.
How to Learn More
Thanks again to Andy Smith of Centrify for his insights cybersecurity awareness! For more on cybersecurity awareness and more, check out the IAM Insight Jam using the hashtag #IAMInsightJam on LinkedIn and Twitter. And be sure to check out the updated 2020 Privileged Access Management Buyer’s Guide and 2020 Identity Management Buyer’s Guide.