Security Awareness Month 2022

TL;DR Security awareness month is upon us again!

Background

Since 2004, the President of the United States and Congress have declared October to be Cybersecurity Awareness Month, helping individuals protect themselves online as threats to technology and confidential data become more commonplace.

Once again we are celebrating security awareness month in Norway. It comes around every year in October and serves to put a spotlight on all aspects of online security. This matters because security is not something you are ever “done with”. You can never say that you are 100% secure unless you are disconnected from the internet, and even then it is practically impossible to achieve. It is ongoing work, and security competence quickly goes out of date.

NorSIS “sikkerhetsdugnad”

As part of Security Awareness Month, NorSIS has an offering for businesses in Norway that want to improve their security focus. They host a “sikkerhetsdugnad”: people from different businesses with particular skills provide a practically free session to anyone who orders one.

NSM also has an offering this year, with free participation in their security course.

You can find a list of the sessions here.

Several of my colleagues in Sopra Steria (myself included), are delivering sessions this year:

Some cybersecurity tips

Here are some good generic tips, paraphrased from Berkeley’s security best practices:

Tip #1 - Enable Multi-Factor Authentication

According to Microsoft, your account is more than 99.9% less likely to be compromised if you use multi-factor authentication (MFA). SMS is no longer considered a secure MFA method, so an authenticator app such as Microsoft Authenticator or Google Authenticator is the better choice.

Tip #2 - You are a target to hackers

Don’t ever say, “It won’t happen to me.” We are all at risk and the stakes are high - both for you personally and your organization.

Cybersecurity is everyone’s responsibility. By following the tips below and remaining vigilant, you are doing your part to protect yourself and others.

Tip #3 - Keep software up-to-date

Installing software updates for your operating system and programs is critical. Always install the latest security updates for your devices:

  • Turn on Automatic Updates for your operating system.
  • Use web browsers such as Chrome or Firefox that receive frequent, automatic security updates.
  • Make sure to keep browser plug-ins (Flash, Java, etc.) up-to-date.

Tip #4 - Avoid Phishing scams - beware of suspicious emails and phone calls

Phishing scams are a constant threat. Using various social engineering ploys, cyber-criminals will attempt to trick you into divulging personal information such as your login ID and password, or your banking and credit card details.

Phishing scams can be carried out by phone, text, or through social networking sites - but most commonly by email. Be suspicious of any official-looking email message or phone call that asks for personal or financial information. An example from Microsoft Teams by Marius Sandbu.

Tip #5 - Practice good password management

We all have too many passwords to manage, and it’s easy to take shortcuts, like reusing the same password. A password manager can help you maintain strong, unique passwords for all of your accounts. These programs can generate strong passwords for you, enter credentials automatically, and remind you to update your passwords periodically. Passphrases are also a better alternative to complex passwords: length often trumps special characters, and a long passphrase is easier for a human to remember and type.
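To put numbers on the “length trumps complexity” claim, here is an added example (not from the original post) that estimates the entropy of a short complex password against longer, simpler alternatives, and generates a passphrase with Python’s CSPRNG-backed `secrets` module. The eight-word list is a constructed stand-in; the 7776 figure is the size of the EFF long wordlist, which is an assumption about what a real generator would use.

```python
import math
import secrets

# Constructed mini wordlist for the demo. A real generator would draw from a large
# list such as the EFF long list (7776 words); only the list size matters for the math.
DEMO_WORDLIST = ["anchor", "basil", "copper", "dune", "ember", "fjord", "glacier", "harbor"]
EFF_LONG_LIST_SIZE = 7776  # assumed size of the EFF long wordlist, used for the estimate

PRINTABLE_ASCII = 94  # upper + lower + digits + common symbols
LOWERCASE = 26


def entropy_bits_chars(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(charset_size)


def entropy_bits_words(word_count: int, wordlist_size: int) -> float:
    """Entropy of a passphrase whose words are chosen uniformly from a wordlist."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(word_count: int, wordlist=DEMO_WORDLIST, sep: str = "-") -> str:
    """Build a passphrase with secrets.choice (CSPRNG), never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def compare_strength() -> dict:
    """Bits of entropy for an 8-char 'complex' password versus longer, simpler choices."""
    return {
        "8 chars, full printable ASCII": round(entropy_bits_chars(8, PRINTABLE_ASCII), 1),
        "5 words from a 7776-word list": round(entropy_bits_words(5, EFF_LONG_LIST_SIZE), 1),
        "20 lowercase letters only": round(entropy_bits_chars(20, LOWERCASE), 1),
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(5))
    for label, bits in compare_strength().items():
        print(f"{label:32s} {bits:6.1f} bits")
```

The 8-character password with every symbol class comes out at roughly 52 bits, while 20 plain lowercase letters reach about 94 bits; the attacker’s work factor grows with length far faster than with character variety.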

Tip #6 - Be careful what you click

Avoid visiting unknown websites or downloading software from untrusted sources. These sites often host malware that will automatically install (often silently) and compromise your computer.

If attachments or links in an email are unexpected or suspicious for any reason, don’t click on them.

Berkeley’s ISO recommends using Click-to-Play or NoScript, browser add-on features that prevent the automatic download of plug-in content (e.g., Java, Flash) and scripts that can harbor malicious code.

Tip #7 - Never leave devices unattended

The physical security of your devices is just as important as their technical security.

If you need to leave your laptop, phone, or tablet for any length of time, lock it up so no one else can use it. If you keep protected data on a flash drive or external hard drive, make sure they’re encrypted and locked up as well. For desktop computers, lock your screen or shut down the system when not in use.

Tip #8 - Use mobile devices safely

Considering how much we rely on our mobile devices and how susceptible they are to attack, you’ll want to make sure you are protected:

  • Lock your device with a PIN or password - and never leave it unprotected in public.
  • Only install apps from trusted sources (Apple AppStore, Google Play).
  • Keep the device’s operating system up-to-date.
  • Don’t click on links or attachments from unsolicited emails or texts.
  • Most handheld devices are capable of employing data encryption - consult your device’s documentation for available options.

Tip #9 - Install antivirus/anti-malware protection

Only install these programs from a known and trusted source. Keep virus definitions, engines and software up-to-date to ensure your programs remain effective. Microsoft Defender for Endpoint and Windows Defender have become good antivirus and local firewall options, and in most cases they are sufficient to keep your client safe.

Tip #10 - Back up your data

Back up regularly. If you are the victim of a security incident, the only guaranteed way to repair your computer is to erase and re-install the system, and a recent backup is what lets you do that without losing your data.

In summary

Book one of our sessions, or any other session you like. There is a lot of knowledge to be shared here.

Stay secure! The most important thing you can do is enable MFA on all services you use regularly. This includes among others:

  • Facebook
  • Gmail
  • Outlook mail
  • Snapchat
  • TikTok
  • GitHub
  • iCloud
  • and more