As we close out Cybersecurity Awareness Month, the last week’s theme is “Cybersecurity First,” which essentially urges all of us to think about cybersecurity and take steps to better protect ourselves. Too often we trade cybersecurity for convenience, particularly when it comes to password management. It is far too easy to just re-use our passwords everywhere rather than remember a bunch of different passwords or use a password manager, right?! But in failing to adhere to cybersecurity best practices, we open ourselves up to attack when our information is compromised because we did not put cybersecurity first.
We so often talk about cybersecurity best practices in the industry, but I like CISA’s recent spin of listing out the most common “bad” practices that we and our organizations engage in that make us more vulnerable to attack. Naturally, the first bad practice concerns passwords. Why do passwords always top the list? It is because we continue to do so poorly at them! Year after year, despite all the jokes, we keep seeing the old “123456” password topping the list of the most common, “Terrible, Horrible, No Good, Very Bad” passwords found in the past year’s data breaches.
But enough about passwords already; let’s talk about some of the other bad cybersecurity practices that CISA has identified, namely using obsolete, end-of-life software and single-factor authentication (somewhat tied to passwords!).
Obsolete, End-of-Life Software
Can you believe that Windows XP has just turned 20 years old? Despite support halting in April of 2014, the operating system is still used by almost 0.60% of Windows users. While that percentage is tiny, it actually equates to approximately nine (9) million computers worldwide. That’s nine million computers that haven’t received a good security patch in nearly 7.5 years, other than the emergency WannaCry security update in 2017.
Beyond the operating system itself, the software programs that run on top of the O/S are also vulnerable to cyber-attack and need to be regularly maintained. IT and cybersecurity teams need an accurate and up-to-date software inventory so that they can tackle the monumental task of enterprise patch management, which continues to be a struggle for many organizations.
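As an added illustration of why the inventory matters (this is example code written for this post, not a CISA tool or anything the author published), the script below takes a constructed inventory export and a vendor end-of-support table, flags every installation that is past its end-of-life date, and calls out products whose lifecycle is not even recorded. The Windows XP and Windows 7 dates are real; "AcmeReader" and "LegacyCAD" and all hostnames are placeholders.

```python
import csv
import io
from datetime import date

# Vendor end-of-support dates, keyed by (product, version).
# Windows XP (2014-04-08), Windows 7 (2020-01-14) and Windows 10 (2025-10-14)
# are real lifecycle dates; the "AcmeReader" entries are constructed placeholders.
EOL_DATES = {
    ("Windows", "XP"): date(2014, 4, 8),
    ("Windows", "7"): date(2020, 1, 14),
    ("Windows", "10"): date(2025, 10, 14),
    ("AcmeReader", "9"): date(2021, 6, 30),    # placeholder
    ("AcmeReader", "11"): date(2026, 6, 30),   # placeholder
}

# Constructed software inventory export: one row per installed product per host.
INVENTORY_CSV = """hostname,product,version
kiosk-01,Windows,XP
kiosk-01,AcmeReader,9
ws-042,Windows,10
ws-042,AcmeReader,11
lab-07,Windows,7
lab-07,LegacyCAD,3.2
"""


def classify_inventory(inventory_csv, eol_dates, today):
    """Return one finding per inventory row, worst first.

    status is one of:
      end_of_life        - past the vendor's end-of-support date
      unknown_lifecycle  - product not in the lifecycle table (needs review)
      supported          - still inside the support window
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        eol = eol_dates.get((row["product"], row["version"]))
        if eol is None:
            status, days_past = "unknown_lifecycle", None
        elif eol < today:
            status, days_past = "end_of_life", (today - eol).days
        else:
            status, days_past = "supported", None
        findings.append({
            "hostname": row["hostname"],
            "product": row["product"],
            "version": row["version"],
            "status": status,
            "days_past_eol": days_past,
        })
    # Longest-unpatched first, then unknowns (they may be worse), then supported.
    rank = {"end_of_life": 0, "unknown_lifecycle": 1, "supported": 2}
    findings.sort(key=lambda f: (rank[f["status"]], -(f["days_past_eol"] or 0)))
    return findings


def summarize(findings):
    """Count findings per status for a quick dashboard number."""
    counts = {"end_of_life": 0, "unknown_lifecycle": 0, "supported": 0}
    for f in findings:
        counts[f["status"]] += 1
    return counts


if __name__ == "__main__":
    # Fixed "today" so the report is reproducible (end of Awareness Month 2021).
    report = classify_inventory(INVENTORY_CSV, EOL_DATES, date(2021, 10, 29))
    for f in report:
        extra = f" ({f['days_past_eol']} days past EOL)" if f["days_past_eol"] else ""
        print(f"{f['hostname']:10} {f['product']} {f['version']:5} {f['status']}{extra}")
    print(summarize(report))
```

The "unknown_lifecycle" bucket is the one most inventories forget: a product with no recorded support date cannot be patched on a schedule, so it goes to the top of the review list rather than quietly being treated as fine.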
The use of single-factor authentication, especially for critical systems, is another cybersecurity bad practice that CISA is concerned is too prevalent. Whether it is access to critical infrastructure or a simple log-in to your bank account, we need to be using two-factor authentication (2FA). Enabling 2FA is fairly easy, and while it may take a couple of extra seconds, the extra step goes a long way in further securing our accounts and access to critical systems. 2FA is one way that credential stuffing attacks, such as the one against Ring, can be stopped in their tracks thanks to the extra verification step.
Cybersecurity Can Be Easy #BeCyberSmart
Cybersecurity is a vast field with a wide variety of solutions, but the basic cybersecurity protections are simple and can go a long way in protecting us and our data, but only if we put cybersecurity first.