Happy National Cybersecurity Awareness Month! In an era where it feels like threats are coming at us from all angles, it’s more crucial than ever to be vigilant and proactive in protecting your digital assets. Every October, this nationwide initiative—started by the U.S. Department of Homeland Security and the National Cyber Security Alliance—aims to raise awareness about the importance of cybersecurity and promote best practices for staying safe online.
While cybersecurity holds a certain significance during the month of October, we believe it’s a year-round initiative. In this blog post, we'll be sharing our most top-of-mind cybersecurity tips and trends to help you stay secure not only during this awareness month, but all year long.
Also, fair warning: this isn’t your average “tips and tricks” roundup. Yes, there will be practical tips (it is Cybersecurity Awareness Month after all), but I’ve also included some hot takes that I hope provide just the right amount of spice.
1. Small Things Can Make a Big Difference
Sometimes, it’s the small things that can make the biggest impact—that’s definitely the case with measures like multi-factor authentication and password security. These are fundamental basics of security, but they don’t always get the attention they deserve.
Let's explore some of these crucial yet often overlooked measures and why you shouldn’t toss them aside so easily.
Multi-Factor Authentication (MFA)
MFA should be like Frank’s RedHot sauce—put that sh*t on everything. MFA adds an extra layer of protection by requiring two or more methods of authentication to verify your identity. This makes it harder for cybercriminals to access your accounts, even if they have your password.
Although MFA seems like a minor inconvenience for some, it's a simple yet powerful deterrent against cybercriminals.
For example, at Huntress, we see a ton of business email compromise (BEC) attacks that could have been thwarted if only more users had MFA. At this point, not enforcing MFA is like locking your door and taping your keys to the outside so that anyone can grab them.
Here are some tips to think about when enforcing MFA:
- Implement it everywhere! MFA should be enabled for all critical applications and services—and this is a non-negotiable for any user with administrative power.
- Instead of using text- or email-based authentication, opt for an authenticator app like Duo Mobile or Google Authenticator. These apps can generate a more secure code or even use your fingerprint or facial recognition to log in, which adds an extra layer and substantially reduces your risk.
Access Control and Least Privilege
Implementing access control measures might seem like a small administrative task, but it's a simple way to set more secure controls around your networks, users, and devices. Here are some tips:
- Consider using conditional access policies to increase security measures for suspicious or irregular login attempts. This includes things like blocking access for unknown or unsupported devices, or controlling access based on the network location to prevent users from logging in from countries they are not expected to be in.
- Implement the principle of least privilege (POLP) in your organization. POLP means only giving employees the access they need to perform their job functions. Restricting access to sensitive data and systems reduces the risk of unauthorized access should a user’s account fall into the wrong hands.
While it may appear routine, managing passwords effectively is a linchpin of basic cybersecurity. Use these quick tips to strengthen your password security and avoid common password pitfalls:
- Don’t use easily guessed passwords, such as “password” or “qwerty,” or ones that use personal information, usernames, or network names.
- Do use unique passwords. Try out a passphrase or use different combinations of words, numbers, symbols, etc.
- Don’t reuse passwords across multiple accounts or store them in easily accessible places (looking at you, sticky notes).
- Do use a password manager to securely store and generate strong passwords for each of your accounts.
2. We Haven’t Solved EDR Yet
Ten years ago, during his time at Gartner, Anton Chuvakin organized a handful of products into a group called “endpoint threat detection and response.” Since then, endpoint detection and response (EDR) has become a market-accepted category and a capability that most cyber insurance underwriters now mandate.
However, with the emergence of EDR came way too many *DR acronyms (MDR, XDR, the list goes on and on). This means many organizations are still grappling with the intricacies and figuring out which flavor of DR is right for them.
In the case of EDR, these are the most common challenges we are noticing:
Managing EDR: Some organizations struggle to manage their existing EDR solutions effectively, which can leave them overwhelmed and vulnerable to threats. EDR solutions are inherently noisy. Without the right resources, the effort it takes to manage EDR and its alerts can exceed the availability or expertise of the average in-house security team.
Outsourcing EDR: Fully outsourcing EDR analysis, management, and maintenance can be cost-prohibitive. Some EDR vendors (but not all EDR vendors 😉) even put EDR management behind expensive tiers or add-ons. Carefully consider the costs and benefits of the tool or tier that you’re paying for.
Vendor Management: Be aware that vendors managing multiple products may have less agility and expertise compared to a team that fully owns and manages its own product.
Recommended Reading: Need help finding the right EDR solution for your business? Start with our EDR Buyer’s Guide.
3. Identity Is the Next Frontier to Protect
Let's face it: ransomware and endpoint security are old news—the new target for adversaries is your own personal identity.
Identity-based attacks using compromised credentials are continuing to surge, probably as a way to get around defensive measures like EDR. And what’s more, digital identities and profiles can be easily faked, especially with the advancement of AI, adding to the uncertainty.
As Joe Slowik puts it in this blog post, “Identity has become its own class of security.” Identity is something to be stolen, spoofed, or manipulated, especially in cases of business email compromise (BEC).
An example of this is invoice fraud, a common BEC tactic. This is when an attacker poses as a vendor and sends an invoice to an intended victim with their own account number. But attackers are upping their game with this tactic. They infiltrate the victim's account, set up rules to reroute incoming invoices to themselves, delete the originals to hide their tracks, and then tweak the invoices, replacing the legitimate account number with their own before sending them back to the victim.
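The inbox-rule abuse described above leaves a trace in the mailbox's own rule set. The following is an added example, not code from the original post or from Huntress: it triages exported mailbox rules for the reroute-and-delete pattern, assuming a simplified, hypothetical rule schema (`forward_to`, `redirect_to`, `delete_message`, `subject_keywords`) and constructed sample records.

```python
# Added example: flag mailbox rules that match the invoice-fraud pattern above.
# The rule schema and the sample records are constructed for illustration.
FINANCE_TERMS = {"invoice", "payment", "remittance", "wire", "bank"}

def domain_of(address):
    """Return the lowercased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()

def assess_rule(rule, org_domain):
    """Return the reasons a single rule looks like BEC tradecraft."""
    reasons = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    # Exact domain match only: subdomains count as external in this sketch.
    external = [t for t in targets if domain_of(t) != org_domain.lower()]
    keywords = {k.lower() for k in rule.get("subject_keywords", [])}
    finance = sorted(keywords & FINANCE_TERMS)
    if external:
        reasons.append("reroutes mail outside the organization: " + ", ".join(external))
    if rule.get("delete_message") and targets:
        reasons.append("deletes the original after rerouting it")
    # Finance keywords alone are normal; they matter when mail leaves or vanishes.
    if finance and (external or rule.get("delete_message")):
        reasons.append("targets finance-related mail: " + ", ".join(finance))
    return reasons

def triage(rules, org_domain):
    """Map rule name -> reasons, keeping only rules with at least one finding."""
    findings = {}
    for rule in rules:
        reasons = assess_rule(rule, org_domain)
        if reasons:
            findings[rule["name"]] = reasons
    return findings

SAMPLE_RULES = [  # constructed records, not real data
    {"name": "Newsletters", "owner": "ap@example.com",
     "subject_keywords": ["digest"], "move_to_folder": "Reading"},
    {"name": ".", "owner": "ap@example.com",
     "subject_keywords": ["Invoice", "Payment"],
     "redirect_to": ["billing@example.net"], "delete_message": True},
    {"name": "Team copy", "owner": "ap@example.com",
     "subject_keywords": ["invoice"], "forward_to": ["finance@example.com"]},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RULES, "example.com").items():
        print(name, "->", "; ".join(reasons))
```

Only the rule named "." is flagged here; the internal "Team copy" forward and the newsletter filter pass, which keeps the review queue limited to rules that send finance mail out of the organization or make it disappear.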
Here are some ways you can stay vigilant against identity-based attacks and BEC:
- We said it once, and we’ll say it again: enforce MFA on all accounts that offer it.
- Scrutinize email addresses, URLs, and spelling in email correspondence, as scammers often use subtle variations to deceive their victims.
- Avoid clicking on links or opening attachments in unsolicited emails, especially if they request sensitive information or immediate action.
- Manually navigate to websites when entering personal information instead of following links from emails.
- Verify any requests for payment or financial information with a phone call before taking any action.
While National Cybersecurity Awareness Month reminds us that security is a collective responsibility, it should be at the forefront of your every decision. We hope these tips will help you stay informed about the latest threats and raise your cyber awareness—no matter the time of year.
Shoutout to Dray Agha, Joe Slowik, Kyle Hanslovan, Sharon Martin, Ethan Tancredi, and Henry Washburn for contributing their thoughts, tips, and hot takes to this blog post.