Welcome to Cybersecurity Awareness Month 2022
Since 2004, the President of the United States and Congress have declared October Cybersecurity Awareness Month, helping citizens protect themselves online as our technology, and threats to that technology, become more sophisticated and interwoven in our daily lives.
See Yourself in Cyber
This year’s campaign theme, created by the Cybersecurity & Infrastructure Security Agency (CISA) — “See Yourself in Cyber” — demonstrates that while cybersecurity may seem like a complex subject, ultimately, it’s really all about people. This October will focus on the “people” part of cybersecurity, providing information and resources to help educate CISA partners and the public, and ensure all individuals and organizations make smart decisions whether on the job, at home or at school – now and in the future. We encourage each of you to engage in this year’s efforts by creating your own cyber awareness campaigns and sharing this messaging with your peers.
For individuals and families, we encourage you to See Yourself taking action to stay safe online. That means enabling basic cyber hygiene practices: think before you click, update your software, have good strong passwords or a password keeper, and enable multi-factor authentication (meaning you need "More Than A Password!") on all your sensitive accounts. For those considering joining the cyber community, we encourage you to See Yourself joining the cyber workforce. We'll be talking with leaders from across the country about how we can build a cybersecurity workforce that is bigger, more diverse and dedicated to solving the problems that will help keep the American people safe.
Throughout October, C&N will highlight key action steps that everyone should take:
- Think Before You Click: Recognize and Report Phishing: If a link looks a little off, think before you click. It could be an attempt to get sensitive information or install malware.
- Update Your Software: Don't delay -- If you see a software update notification, act promptly. Better yet, turn on automatic updates.
- Use Strong Passwords: Use passwords that are long, unique, and randomly generated. Use a password manager to generate and remember different, complex passwords for each of your accounts. A password manager will encrypt your passwords, securing them for you!
- Enable Multi-Factor Authentication: You need more than a password to protect your online accounts, and enabling MFA makes you significantly less likely to get hacked.
Free Cybersecurity Services & Tools
As part of our continuing mission to reduce cybersecurity risk across U.S. critical infrastructure partners and state, local, tribal, and territorial governments, CISA has compiled a list of free cybersecurity tools and services to help organizations further advance their security capabilities. This living repository includes cybersecurity services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community. CISA will implement a process for organizations to submit additional free tools and services for inclusion on this list in the future.
The list is not comprehensive and is subject to change pending future additions. CISA applies neutral principles and criteria to add items and maintains sole and unreviewable discretion over the determination of items included. CISA does not attest to the suitability or effectiveness of these services and tools for any particular use case. CISA does not endorse any commercial product or service. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA. - https://www.cisa.gov/free-cybersecurity-services-and-tools
All organizations should take certain foundational measures to implement a strong cybersecurity program:
- Fix the known security flaws in software. Check the CISA Known Exploited Vulnerabilities (KEV) Catalog for software used by your organization and, if listed, update the software to the latest version according to the vendor’s instructions. Note: CISA continually updates the KEV catalog with known exploited vulnerabilities.
- Implement multifactor authentication (MFA). Use multifactor authentication where possible. MFA is a layered approach to securing your online accounts and the data they contain. When you enable MFA in your online services (like email), you must provide a combination of two or more authenticators to verify your identity before the service grants you access. Using MFA protects your account more than just using a username and password. Why? Because even if one factor (like your password) becomes compromised, unauthorized users will be unable to meet the second authentication requirement, ultimately stopping them from gaining access to your accounts.
- Halt bad practices. Take immediate steps to: (1) replace end-of-life software products that no longer receive software updates; (2) replace any system or products that rely on known/default/unchangeable passwords; and (3) adopt MFA (see above) for remote or administrative access to important systems, resources, or databases.
- Sign up for CISA’s Cyber Hygiene Vulnerability Scanning. Register for this service by emailing [email protected]. Once initiated, this service is mostly automated and requires little direct interaction. CISA performs the vulnerability scans and delivers a weekly report. After CISA receives the required paperwork, scanning will start within 72 hours and organizations will begin receiving reports within two weeks. Note: vulnerability scanning helps secure internet-facing systems from weak configurations and known vulnerabilities and encourages the adoption of best practices.
- Get your Stuff Off Search (S.O.S.). While zero-day attacks draw the most attention, frequently, less complex exposures to both cyber and physical security are missed. Get your Stuff Off Search–S.O.S.–and reduce internet attack surfaces that are visible to anyone on web-based search platforms.
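The Known Exploited Vulnerabilities check from the list above can be automated by joining a software inventory against the catalog. The following is an added example, not code from CISA or from this page: the catalog excerpt uses the field names of the KEV JSON feed, but its vendors, products and CVE IDs are constructed placeholders, and the inventory and function names are hypothetical.

```python
import json

# Constructed excerpt laid out like CISA's KEV JSON feed. Vendors, products
# and CVE IDs are placeholders, not real catalog entries.
SAMPLE_KEV = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-0000-00001", "vendorProject": "ExampleSoft",
  "product": "Mail Gateway", "dueDate": "2022-09-22",
  "requiredAction": "Apply updates per vendor instructions."},
 {"cveID": "CVE-0000-00002", "vendorProject": "Acme Networks",
  "product": "Remote Access VPN", "dueDate": "2022-09-15",
  "requiredAction": "Apply updates per vendor instructions."},
 {"cveID": "CVE-0000-00003", "vendorProject": "ExampleSoft",
  "product": "Mail Gateway", "dueDate": "2022-10-05",
  "requiredAction": "Apply updates per vendor instructions."},
 {"cveID": "CVE-0000-00004", "vendorProject": "Unused Vendor",
  "product": "Widget", "dueDate": "2022-09-01",
  "requiredAction": "Apply updates per vendor instructions."}
]}
""")

# Hypothetical software inventory (constructed); names differ in case/spacing.
INVENTORY = [
    {"host": "mail01", "vendor": "examplesoft", "product": "Mail  Gateway"},
    {"host": "vpn01", "vendor": "Acme Networks", "product": "remote access vpn"},
    {"host": "web01", "vendor": "OtherCo", "product": "Web Server"},
]

def norm(name):
    """Lower-case and collapse whitespace so trivial naming differences match."""
    return " ".join(name.lower().split())

def kev_matches(catalog, inventory):
    """Return (dueDate, host, cveID, requiredAction) tuples, earliest due first."""
    index = {}
    for vuln in catalog["vulnerabilities"]:
        key = (norm(vuln["vendorProject"]), norm(vuln["product"]))
        index.setdefault(key, []).append(vuln)
    hits = []
    for item in inventory:
        for vuln in index.get((norm(item["vendor"]), norm(item["product"])), []):
            hits.append((vuln["dueDate"], item["host"], vuln["cveID"],
                         vuln["requiredAction"]))
    return sorted(hits)

if __name__ == "__main__":
    for due, host, cve, action in kev_matches(SAMPLE_KEV, INVENTORY):
        print(f"{due}  {host:<7} {cve}  {action}")
```

A product-name match is only a lead: confirm the installed version against the vendor's advisory before treating a host as affected. Real inventories rarely use the catalog's exact vendor and product strings, so expect to maintain a name-mapping table alongside the normalization shown here.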
Cybersecurity Checklist for Small Businesses
The European Union Agency for Cybersecurity (ENISA) and the National Cyber Security Alliance (NCSA) have jointly drafted a checklist that provides baseline tasks that small business owners can implement and gain more peace of mind that their businesses, information, and employees are more secure online. The checklist elaborates on four cybersecurity challenges faced by small businesses. Download the one-page checklist here. https://staysafeonline.org/wp-content/uploads/2020/11/Transatlantic-Cybersecurity-Checklist_FINAL.pdf
|Challenge|Description|
|---|---|
|Low Cyber-Awareness|Cybersecurity may be a complex issue connected with technical solutions and measures, but it must be a part of the culture for small businesses as a successful cyber-attack can cause serious financial and/or reputational harm to any size of business.|
|Lack of Remote IT Security|As more employees log in to their home computers to work, more data and communications are being transmitted across insecure channels, ultimately leaving valuable business content exposed.|
|High Cost of Cybersecurity Solutions|The cost of technical solutions, organizational overhead, cybersecurity training, and cybersecurity expertise requires funds that many businesses simply do not have.|
|Increased Attacks such as Phishing|Teleworking has opened new opportunities for cybercriminals through ‘urgent’ and ‘fear-based’ emails to trick online users into revealing personal information, clicking on malicious links or attachments, and inadvertently downloading malware directly on their computers.|
HaveIBeenPwned.com is an online repository of email addresses and passwords that have been collected from publicly disclosed data breaches. Enter your email address and the site will tell you if that email address has appeared in data breaches and, if so, from which sites.
If you use the Chrome web browser, Google's Password Checkup extension will check your password against known data breaches when you sign in to a site. This will not give Google your password, but wherever you sign in, if you enter a username and password that is no longer safe due to appearing in a data breach known to Google, you'll receive an alert.