Our Top 3 Cybersecurity Awareness Month Tips That Won’t Break the Bank

At LMG Security, we feel like every month should be cybersecurity awareness month! However, we recognize that not everyone is as into cybersecurity as we are. So, whether you have a mature cybersecurity program or you are working with a small budget, we want to share three inexpensive cybersecurity policies and processes that anyone can use to quickly improve your organization’s cybersecurity.

This Cybersecurity Awareness Month, Start with the Low-Hanging Fruit

How did we narrow our list and settle on these three recommendations? Our goal is to share the top three low-hanging fruit changes you can easily and cost-effectively implement NOW. Nothing that requires extensive budgets and tons of research – just simple things that can make a big impact and reduce your risks. This does not to discount the importance of cybersecurity software tools and service – that is a whole different conversation. Fast and actionable is the theme of this blog.

Three Ways to Improve Your Cybersecurity NOW

1. Provide regular cybersecurity training for everyone in your organization. The most common cause of a data breach is human error. According to the 2021 Verizon Data Breach Investigations Report (VDBIR), social engineering, and phishing accounted for over 80% of the successful attacks. All it takes is one person to download an infected file, click a malicious link on social media, or answer a suspicious phone call, and a hacker could steal your data or lock every file in your organization. If you implement one change during cybersecurity awareness month – it should be to focus on training. Ideally, for three different groups within your organization.

You should start with general awareness training for every employee. It’s crucial that you train every member of your organization to be cyber aware – this can dramatically reduce your odds of a financially devastating ransomware, business email compromise or other data breach. Whether you subscribe to a security awareness training portal with built-in phishing tests, provide monthly cybersecurity tips and articles to your employees, or do a quarterly training – however you can afford to start, just start if you haven’t already. In fact, you can download free tip sheets you can email directly to your employees about phishing prevention, password security and remote work safety and get started right now!

But employees are not the only group that needs regular cybersecurity awareness training. It is also important that you provide regular advanced training for your IT team. Are they trained to handle a cybersecurity incident? Do they know how to respond effectively and minimize losses? If not, they should. This can significantly impact how much time it takes to get your organization back online as well as how much it costs.

There is one more group in your organization that should also have specialized cybersecurity training – your executive team and Board of Directors. Cybersecurity risks are business risks. Executive and board level training on current threats can be eye-opening for members of your leadership team. It will help them understand cyber risk as a critical organizational threat, rather than a topic that primarily concerns the IT team (for more information read our blog series on how to build a strong cybersecurity culture). The training for these stakeholders should not only cover cybersecurity risks and mitigation options, but also how much risk they are willing to accept, and whether they want to transfer risk (for example, insurance). With data breach costs and remediation reaching $4.24 million according to the Ponemon Institute’s Cost of a Data Breach 2021 report, cybersecurity training for your team members is a drop in the bucket of your potential financial risks. If your organization does not have a strong security culture, cybersecurity awareness month is a great time to spotlight this need at an executive team meeting. If you are looking for a training source, we also offer turn-key, managed cybersecurity awareness training for employees that includes phishing simulations, and online or in-person training for executives and IT teams.

2. Implement Multi Factor Authentication (MFA). MFA is an added layer of protection you can add to most accounts that verifies it’s really you who is accessing your account and not a hacker. Most MFA programs ask for two out of three of the following factors:
   1. 1. Something you know – such as a username or password
      2. Something you have – a physical token or authenticator app for example
      3. Something you are – such as a fingerprint or retinal scan

An attacker likely will have only one of these factors, such as a password. The extra MFA factor is a simple way to keep hackers out of your account. We can’t emphasize enough how important it is to use MFA everywhere possible. This applies to both personal and organizational accounts. We see so many breaches as a result of stolen credentials – many of which could have been easily avoided by requiring all employees to use (what is most of the time) the completely free MFA option on their accounts.

While knowledge-based authentication systems are easy to set up, they can easily be subverted by criminals with access to the right stolen secrets. If you have MFA and are wondering how you can increase your security maturity during cybersecurity awareness week, consider what type of MFA to implement. Many organizations are shifting away from knowledge-based authentication (i.e., something you know – like your pet’s first name. WAY too many people give away this information in social media “polls” and “games”. Please don’t participate in those types of posts!). You should consider alternatives for authentication that don’t rely on static secrets. Many organizations now use authenticator apps, issue hardware fobs such as the Yubikey for authenticating employees, or set up biometric authentication using fingerprints or facial recognition. While it can take time and training for your community to get used to a new form of authentication, these alternatives are growing in popularity. Whatever path you choose, some form of MFA is better than none.

3. Ensure you have good cyber hygiene basics.As with all types of malware threats, having the basics covered can go a long way to reduce risk. Eliminate outdated operating systems from your environment, proactively patch all systems, and deploy antivirus with automatic updates. Monitor for systems with missing patches or lapsed antivirus. In fact, a recent study found that 42% of respondents reported that their breach was due to an unpatched vulnerability. Patching is free and generally pretty simple – make sure that you keep up-to-date or implement a patch management system to close this cybersecurity gap.

Another inexpensive cybersecurity hygiene component is implementing password managers for all employees. In this day and age, we need passwords for everything, and our brains can only store so much of that information by itself. Implementing a secure password manager can be a cost-efficient way to help your community resist attacks. A password manager is secure software that stores your passwords in an encrypted vault on your computer, or in the cloud. Password manager programs such as LastPass, Dashlane, 1Password or KeePass are popular choices. If you use a cloud-based password manager, make sure to use multi-factor authentication and a strong master password to protect your vault. With a password manager in place, your team can choose unique, strong passwords, without having to remember them all.

All three of these tips are inexpensive but highly effective ways of limiting your cybersecurity risks. If you haven’t implemented these policies and processes yet, we hope you will use cybersecurity awareness month as a way to introduce these ideas to your organization! You can implement these programs in house, or if you need an extra set of hands and want to supplement your in-house team’s expertise, contact us. We are happy to help.