October is Cybersecurity Awareness Month, and the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) are calling on organizations to focus on the fundamentals of cyber security. So we caught up with Tessian's Head of Risk and Compliance, Kim Burton, to find out what those fundamentals are and what they mean for your organization. Watch the video below or read the transcript.
So one of the things that’s really exciting about starting your security journey is that there are things that are actually very, very easy to do.
And these are true for everyone. It doesn’t matter if you’re an employee somewhere. It doesn’t matter if this is what you’re doing at home trying to protect your friends and family. The key core components of where security starts are…
That means long, strong, and unique. You can store those in a password manager, and with that password manager you want to pair two-factor authentication on every account that you have, if possible. Not every account allows for two-factor authentication, but everywhere that you can, you want to use multi-factor authentication.
Make sure you’re always keeping your machine updated!
What I mean by that is, make sure that when you're posting on social media, you're being careful about the kinds of information you reveal. And note that you're also protecting your friends and family, and your business, when you're posting online. So you want to be careful about the kind of privacy implications that could come about.
Report suspicious emails
And then, when you see something, make sure you talk about it with your coworkers. If something seems a little bit off, send it to your security team. Report phishing emails, and remember that you're in a community: protect each other.
Hosting a security open day
There are all kinds of different activities that you can run for Cybersecurity Awareness Month. You can have a security party where you all come together and discuss the secure solutions that the company specifically requires, or rely on people at the business to present their expertise to other coworkers, like doing brown-bag lunches that are focused on security components.
You can use your employees to actually do a pretend 'hack the company' event, where you encourage them throughout the month to name different security concerns that they see. Maybe someone's left their laptop unlocked, or maybe they noticed people aren't badging in consistently. Or maybe you're trying to encourage them to wipe down whiteboards; a security scavenger hunt, if you will. Have a prize at the end of it. You can get people to design security posters. Your employees know what secure behavior looks like, and they actually get very excited to talk about the knowledge that they have.
What's hard is if someone's coming in top-down, telling them very aggressively, like waving a stick and saying "you will do these things". A lot of these folks have worked other places. They know what they need to be doing; they just need to be empowered to do it. So let them show what knowledge they have and encourage them to talk about it with you, so that you can steer their knowledge toward exactly what the business needs. You can make it so that they have the opportunity to talk about it, teach their peers, and then encourage them to grow from where they're at.
You can have other security events, like an OSINT scavenger hunt. OSINT is open-source intelligence gathering. That could be a couple of employees gathering a bunch of different photographs from around the Internet, and you ask your folks to identify where they were taken.
It's amazing how quickly people can identify locations from photographs. They think they're not going to be good at this, and they're like, "I've never done this before, there's no way I'll be able to tell from this corner of a building where this is located in the world".
But then you give them five minutes to think about it, and they start saying, "You know, that type of tree doesn't grow anywhere else", or "You know, the angle of the sun there seems like it could be in this region of the world". It's amazing how fast people start to figure out these things. And that teaches them how attackers think; that teaches them how malicious actors are going to react.
And it's fun. You've changed it into a game, but what they come away with is: "Oh, okay, I was able to do this in half an hour of activity. What could someone do with a month? I've got to be careful. I have a duty to protect myself. I have a duty to protect my friends, and I really need to protect the business".
It helps them really see the practicality of the events that they're doing.