From breach notifications to threat intelligence and industry research “du jour,” it’s easy to get caught up in the latest cybersecurity headline. Whether you’re “in the business” or not, concern continues to grow over staying safe online.
National Cybersecurity Awareness Month (NCSAM) – celebrating its 15th anniversary in 2018 – aims to help consumers and businesses understand the dos and don’ts of cybersecurity best practice – both at home and at work – every October.
Does that mean everyone in the industry is pausing to observe this “holiday?” Hardly, but as former industry journalist Selena Larson noted on Twitter: “It’s easy to make fun of, but a lot of people still don’t use basic security practices. It’s good to remember not everyone knows everything, and if you have the opportunity, help others learn more (no matter the month).”
In that spirit, RSA asked a handful of industry experts for their tips and best practices for keeping individuals and/or organizations secure – not only during National Cybersecurity Awareness Month, but throughout the year.
Here’s the advice they shared:
Utilize native multi-factor authentication capabilities within your email client.
“Sometimes you need to get physical with cybercriminals. Turn on two-factor authentication (2FA) or multi-factor authentication (MFA) in your email app (a simple switch in your Gmail, AOL or Yahoo mail, or your corporate email) and your phone becomes a physical key to unlock your email account. Cyber thieves know they've been defeated when they hack into email accounts with stolen credentials and get stopped in their tracks when they're prompted for the secret code. They don't have your key, and they're not getting in! If you don't have 2FA / MFA turned on in your email app, then do it today. It's the quickest and easiest way to improve your personal security.” – Steve Morgan, founder and CEO, Cybersecurity Ventures
Back it up!
“Back up your data regularly and make sure your antivirus software is up to date. Backups should not only be stored onsite, but offsite as well.” – Shira Rubinoff, President, Secure My Social
Avoid Granting “Full Access” Admin Privileges for Cloud Platforms.
“When administering cloud platforms (e.g. Azure, AWS, GCP) and SaaS (e.g. Office365, SalesForce, ServiceNow), never grant an admin account ‘full access.’ Instead, use dedicated admin accounts with limited privileges specific to their roles and responsibilities. For example, an admin account for adding and removing users in Office365 doesn't require the ability to read a user’s email. Admin accounts are targeted by cyber criminals, and by separating roles and permissions properly, you reduce the surface area in which an attacker can cause damage. This is especially important when admin accounts are used for DevOps, SecOps, and general process automation.” – Gunter Ollmann, CTO, Security (Cloud and AI), Microsoft
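To make the “full access” point concrete, here is an added example (not from the post or from Microsoft) that contrasts a wildcard AWS IAM policy with a scoped user-administration policy and flags the wildcard grant; both policy documents are constructed sample data, and the check is a hypothetical helper, not an AWS API.

```python
import json

# Constructed sample: the "full access" grant the quote warns against.
FULL_ACCESS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

# Constructed sample: an admin scoped to adding/removing users only.
# It cannot read mail, touch storage, or change other services.
USER_ADMIN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:CreateUser", "iam:DeleteUser", "iam:ListUsers",
                "iam:AddUserToGroup", "iam:RemoveUserFromGroup"],
     "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a scalar or a list for Statement/Action; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def overly_broad_statements(policy):
    """Return Allow statements whose Action is '*' or a whole-service wildcard
    such as 'iam:*' (hypothetical check, not an AWS feature)."""
    flagged = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            flagged.append(stmt)
    return flagged


def is_full_access(policy):
    """True when at least one statement grants wildcard actions."""
    return bool(overly_broad_statements(policy))
```

Running the check over every policy attached to admin accounts is a cheap way to find the broad grants the quote describes before an attacker does.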
Embrace FIDO or multi-factor authentication – across all devices!
“Make a goal that this time next year will be the time when all of your users have embraced MFA or FIDO for their business-critical logins. The tools are getting better, FIDO is being supported with more products, and even Facebook and Google, and to some degree Twitter, now support multi-factor authentication (MFA) logins. Many recent breaches would not have happened, or have had less impact, had accounts been properly secured with multiple authentication factors.” – David Strom, industry writer. Read David’s full blog on NCSAM here.
Automation will help address human error.
“Security is a people issue: think poor user hygiene and the Internet of Things (IoT), DDoS attacks using baby monitors, etc. How do we solve for people issues with billions of connected devices? Education of consumers and automation of security. I’ll place 99.9% of my bets on automation as human nature is prone to possessing knowledge and failing to execute on what is known. How many people do you know that fail to update passwords and yet know the risks whilst still shedding tears of outrage when the inevitable ‘not if, but when’ comes calling? I’ve worked with many of the world’s largest telecommunications companies and what I am most encouraged by is the security prospects with virtualization in 5G enabling robust automation of authentication, threat detection, and rapid response times. Fasten your 5G seatbelt, it’s sure to be a wild ride.” – Tamara McCleary, Founder and CEO, Thulium
Don’t rely heavily on smartphone-based authentication.
“Make sure you have a non-phone method available to recover your online existence in emergencies. All too often we link account recovery processes to an email address or online account that, because it is so important, uses multi-factor authentication (MFA) to grant access. If you lose your smartphone or, worse yet, someone hijacks and assumes ownership of your phone number, do you still have a path to recovery? For example, if your online banking requires MFA to your (only) listed phone number or via an email account, and the email account in turn requires smartphone MFA to authenticate or reset your password, do you have an alternative way of resetting the account? Think carefully about what losing your smartphone or phone number means for accessing your online accounts, blocking accounts, or even changing passwords.” – Gunter Ollmann, CTO, Security (Cloud and AI), Microsoft
# # #
October is National Cybersecurity Awareness Month (NCSAM). Organized by the National Cyber Security Alliance, NCSAM is a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online. To join the industry discussion, follow @StaySafeOnline or search #CyberAware on Twitter.
Category: RSA Point of View, Blog Post
Keywords: Cybersecurity, Digital Risk, Digital Risk Management, MFA, Multi-Factor Authentication, NCSAM