It’s not news to say that 2020 has changed many things; security has felt the impact too. So it’s not surprising that the theme for European Cybersecurity Month (ECSM) reflects the times we live in. This year’s awareness campaign focuses on avoiding online scams and threats that could put our money or data at risk.

European Cybersecurity Month is officially in October, and organisers have already been getting key messages out ahead of the campaign. This year’s motto is ‘Think Before U Click’, focusing on helping people to identify threats so they’re better prepared.

It’s easy to see why this approach strikes a chord in 2020. Working from home became the default option for many organisations as a way to slow the spread of COVID-19. But this led to some people being more vulnerable than they normally would be. At home, they can’t always rely on the protective blanket of traditional perimeter security as they could in the office.

We can’t go on together, with suspicious mails

Home laptops doubling as work devices might not be as well protected with security software as a work-only system. Fake emails that might never have reached people’s inboxes now have a better chance of catching recipients off guard. Scams and frauds are a long-standing security risk.

The alert signalling the arrival of a new email can sometimes create an impression of urgency. Scammers and criminals rely on this feeling for their efforts to work. Links and attachments in email still account for the highest numbers of malware infections, as the 2020 Verizon Data Breach Investigations Report (DBIR) showed.

But as the ECSM advice suggests, it’s good to pause a moment and think twice before forwarding a message or opening an attachment. The best countermeasure against social engineering is time: taking a few precious seconds to stop, think and be sceptical. Is this message legitimate? Is it really from who it purports to be from? If you are unsure, ask someone you trust.

The wait

Suppose the email was requesting an urgent payment to a new bank account; doesn’t it make sense to slow down and ask: is this genuine? Better still, before acting in haste, why not confirm – ideally by a separate communications channel – if the supposed sender really did contact you. Pick up the phone and call the sender. Preferably, use a number you already have or find independently, and not any details in the suspicious email.

If you receive a suspicious email on your mobile device, wait until you are at a desktop PC or laptop before opening it; a bigger screen gives you a better chance to investigate the message thoroughly.

More than words

Another major security threat is weak passwords because they leave people open to having their accounts compromised. The ECSM campaign recommends three steps:

  • Create a strong password
  • Use a password manager
  • Avoid re-using the same password for different accounts.

By its nature, the ECSM advice is short and snappy, made for sharing on social media and reaching the widest possible audience. But there’s a lot to unpack in those bullet points. For instance, as we covered in a blog from last year, a long password isn’t necessarily a strong password.

We found an excellent graphic that highlights just how easy it is for an attacker to guess or break an easy password. Using data sourced from HowSecureIsMyPassword.net, Hive Systems showed that a four-character password is instantly discoverable if it only uses numbers, lowercase letters or a mix of upper and lowercase letters. By contrast, an 18-character password using numbers, upper and lowercase letters and symbols would take 7 quadrillion years to crack. The colour-coded graphic is a useful resource by itself or to share as part of a security awareness campaign.
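As an added illustration of the length-versus-alphabet point (this is not code from the original post or from Hive Systems), the Python estimator below detects which character classes a password draws from and computes the exhaustive-search keyspace. The guessing rate is a constructed assumption, so the absolute times differ from the graphic’s figures, but the comparison holds: a 16-character all-lowercase password has a smaller keyspace than a 12-character one mixing all four classes.

```python
import string

# Constructed assumption: an attacker's offline guessing rate. The absolute
# times scale with this figure; the ratios between passwords do not.
GUESSES_PER_SECOND = 1e10

CLASSES = {
    "digits": string.digits,              # 10 characters
    "lowercase": string.ascii_lowercase,  # 26 characters
    "uppercase": string.ascii_uppercase,  # 26 characters
    "symbols": string.punctuation,        # 32 characters
}


def charset_size(password: str) -> int:
    """Alphabet an exhaustive search must cover: the sum of every character
    class the password uses (the model behind the awareness graphic)."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("no characters from a recognised class")
    return size


def keyspace(password: str) -> int:
    """Number of candidates of this length over the detected alphabet."""
    return charset_size(password) ** len(password)


def crack_seconds(password: str) -> float:
    """Worst-case time to exhaust the keyspace at the assumed rate. Dictionary
    words and reused passwords fall far faster than this upper bound."""
    return keyspace(password) / GUESSES_PER_SECOND


def human_time(seconds: float) -> str:
    """Render a duration the way an awareness graphic would."""
    if seconds < 1:
        return "instantly"
    year = 365.25 * 24 * 3600
    if seconds < year:
        return f"{seconds / 3600:.1f} hours"
    return f"{seconds / year:.3g} years"


if __name__ == "__main__":
    # Constructed sample passwords: the graphic's two cases plus the
    # "long but lowercase" versus "shorter but mixed" comparison.
    for pw in ["1234", "correcthorsebatt", "Tr0ub4dor&3x", "kP7$wq2!Lm9#Zr4@bV"]:
        print(f"{pw!r}: {len(pw)} chars, alphabet {charset_size(pw)}, "
              f"{human_time(crack_seconds(pw))}")
```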

The second and third points in ECSM’s advice are interrelated. There are many password managers available, as this article from ZDNet shows. Using one means you only need to remember one master password, and it makes it practical to have a different password for every website or application you use.

Where possible, we also recommend going further than passwords alone by using MFA (Multi-Factor Authentication). MFA requires multiple forms of verification to prove someone’s identity when they sign into a website or an application. For example, as well as typing in a username and password, they might also get a prompt sent to their phone or a dedicated security fob. This increases confidence that the user is who they claim to be. Whilst MFA is not infallible, when you turn it on, your business accounts are 99.9% less likely to be compromised.

European Cybersecurity Month is a valuable campaign that highlights good cyber hygiene and security practice. And it almost goes without saying, the advice is suitable all year round. When it comes to security awareness, the following three tips are a useful guide:

  • Include senior staff and new hires in security awareness training initiatives
  • Keep regular contact between the team responsible for security and the users to ensure the correct security controls are in place to support the business need
  • Update employees regularly about the latest security threats, the measures in place to protect them, and why it’s important to adhere to security policies.

Other good sources of security tips include the Irish National Cyber Security Centre, whose guide to working from home has a good overview of threats and corrective actions. Likewise, the UK National Cyber Security Centre publishes high-quality free information about cybersecurity, and its guides for small businesses are especially useful.

If 2020 has taught us anything it’s that many people, and their organisations, can adapt in difficult circumstances. Let’s use that willingness to our advantage when encouraging good security behaviour through training and awareness.
