October is a special time of the year. It is officially autumn, which means you will fetch your favorite winter jumpers from the cupboard and get a pumpkin spice latte from your favorite coffee shop.
But the month is also when we, as an industry, celebrate Cybersecurity Awareness Month (CAM).
It’s fantastic that we have CAM to bring much-needed awareness to the masses, particularly during the hybrid work environment where users are now more susceptible than ever to social engineering attacks like phishing.
Yet, as an advocate, I am continually adapting how I deliver cybersecurity awareness. Really, the focus of cybersecurity awareness has shifted from being an educator or trainer to the behaviors or outcomes that you are seeking based on the information you are trying to disseminate.
And I am not the only one that has felt this change...
In light of this, my fellow advocates Anna Collard, Roger Grimes, Jacqueline Jayne, Erich Kron, James McQuiggan and I banded together to share our stories and examples of how we have helped change security behavior in our loved ones. As security advocates, it is our duty to educate as much as possible and what better place to start than with the people in your inner circles.
The following are real-life examples, tips and advice you as infosec professionals can use to share with your own friends and family to illustrate more secure behaviors.
Tip 1 – If it seems too good (or bad) to be true, then 100% ignore it
If you get a call from someone claiming to be from your bank, delivery service or broadband service, stating there has been an issue involving your account and they require further information from you, always verge on the side of caution. Scam callers are rife, constantly stealing information and duping vulnerable people, with some even threatening to switch off a person’s internet and phone lines. I had relatives that this has impacted, so I provided security advice on how to deal with these scammers, giving tips and reassurances that if they hung up, nothing bad would happen. The longer scammers have you on the phone, the more likely they will successfully obtain the sensitive information they desire. The best thing to do is remove yourself entirely from the conversation to protect yourself and your data. Now, my family can spot a scam call instantly and will hang up within three seconds before the threat actors can say anything further.
Tip 2 – You’re never too old to improve your security
Staying safe online isn’t just limited to the younger generation. Technology impacts everyone, even those who have retired or were introduced to it later in life. If anything, senior citizens are among the most vulnerable to cyber scams. This could be a parent, grandparent, uncle and aunt or even a neighbor. But, in general, this age group has missed out on the opportunity to learn about cybersecurity – something we take for granted. This is where we all need to take care of our loved ones and educate them on the dangers online and how to spot scams – financial and romance scams, in particular, impact this age group the most. Communicate the dangers in the simplest form and do not burden them with technical terms. Keep the conversation going whenever possible and check they are using strong passwords, that they don’t overshare on social media and that their devices are being kept updated. My mother, for instance, takes great pride in ringing me whenever she hangs up from a scam caller pretending to be from Microsoft because I’ve explained Microsoft would never call its customers. The same can be said for banks, mobile providers or other key service providers.
"Where we all need to take care of our loved ones and educate them on the dangers online and how to spot scams"
Tip 3 – How to spot a scam and keep up to date on the latest scam
Scammers use various methods to dupe victims, including phishing, social engineering, SMS messaging, and even in real life. This can be daunting, especially for those less aware. Here are some pointers to be vigilant of:
- The scammer will initiate communication and it will come unexpectedly
- The sender is someone you haven’t had any previous contact with and will request you to do something you haven’t done before, e.g., click a link or download a file or open a document
- The message is time sensitive or has a stressor urging you to do an action quickly
Never carry out the request if you are contacted as described above and always try to review and verify the sender, the website or the link. By developing a healthy scepticism, you are already taking the right steps forward in reducing the probability of being scammed. Using messaging channels like WhatsApp is a good way to keep your loved ones updated on the latest scams. Share news articles, warnings and advice when these threats arise and be aware that scams are often topical and can reflect what is in the news cycle (tax season, data breach or a holiday).
Tip 4 - Initiate MFA and avoid password reuse at all costs
Password reuse (reusing the same password for multiple accounts) is a common mistake many make when using applications and systems. For example, I had a friend reach out to me stating that their Facebook account had been hacked into, with the cyber-criminals successfully changing the password. Despite contacting Facebook customer services, they could not regain access to her account. My friend explained she had used the same password for other accounts, which was how we established this was how the threat actors obtained access to her Facebook account. Multi-factor authentication (MFA) was not enabled either and I explained that going forward, MFA needed to be used as it is an additional layer of security. Furthermore, authenticator apps and password managers are recommended to ensure unique usernames and passwords are used on every account. Doing so reduces the likelihood that multiple accounts will be hacked.
Of course, there are different ways in which we can help improve cybersecurity awareness and security culture, but having a month dedicated to it is a step in the right direction. The relationship between humans and technology is becoming inseparable. Unfortunately, the vast majority are still unaware of the cyber dangers they present. So, to ensure they don’t fall by the wayside, we, the cybersecurity industry, must be responsible for making the change and educating them about cybersecurity.