It’s October, which means it’s time for pumpkin spice, changing leaves and National Cybersecurity Awareness Month (NCSAM). Started 17 years ago by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS), this month is dedicated to raising awareness of the importance of cybersecurity and to sharing resources for being safer and more secure online. Here at OneLogin, we take cybersecurity seriously and connect with this month’s NCSAM theme, “Do Your Part. #BeCyberSmart.” Because this is especially important in today’s landscape of digital connection and COVID-19 remote work, we wanted to share some tips and resources for protecting yourself in cyberspace.
Tip #1: MFA everything
Our first tip is to set up multi-factor authentication (MFA) on all of your personal and professional accounts. What is MFA? MFA verifies a user’s identity by requiring more than one form of authentication, and the forms must come from different factor types (two passwords are not MFA). There are three typical types of authentication factor:
- Something you know, such as a password or PIN
- Something you have, such as a badge or smartphone
- Something you are, such as a biometric, like fingerprints or voice recognition
By adding a second factor of authentication to your accounts, you help blunt some of the most common types of cyberattack, such as phishing, brute-force attacks and credential stuffing. The second factor does not stop the phishing email from arriving or the password from being guessed, but it stops a stolen password alone from being enough. Let’s say your password is compromised. It’s likely that you use this password across multiple, if not all, of your accounts. Should a bad actor attempt to log in to one of them with the compromised credential, it wouldn’t be enough to access your account, because the second factor would also be required. Bear in mind that codes and push approvals can themselves be phished or approved by mistake, so only approve a prompt for a login you just started yourself.
Sound complicated to set up? It isn’t with the OneLogin Protect authenticator app. Our app is free to use, available on Android and iOS phones and smartwatches, and can act as a second factor for multiple accounts. When prompted for the second factor during login, you simply approve a push notification on your phone or watch, or enter a one-time password that the device generates on its own if it isn’t connected to the internet. We created a quick one-minute video on how to set up OneLogin Protect to walk you through this simple process. In the words of NCSAM, “If you connect it, protect it”!
Tip #2: Think before you click
According to Security Magazine, more than 3 billion fake emails are sent worldwide every day. A TechRepublic study warned that, since the onset of COVID-19, organizations are facing around 1,200 phishing emails each month on average. These email scams are going to be part of our day-to-day reality, and we all have a responsibility to think before we click on anything sent to our inbox. Wondering how you can spot a phishing email? Here are some tips to help you filter those messages:
- Legitimate inquiries will not request sensitive information via email - if you receive an email requesting sensitive information, like your password, credit card details or tax numbers, it’s most likely a scam. Should you receive an email like this, do **not** click and enter your information. Instead, contact the company directly, using a phone number or website you already know, to verify the request.
- Check the email address and domain - scammers often use email addresses that are very similar to the company or person they are impersonating. Check that there are no alterations, especially to the sender’s domain name. For example, an email claiming to be from PayPal but sent from an address at a look-alike or unrelated domain is most likely not legitimate; PayPal’s domain name is simply paypal.com. Remember that the display name (“PayPal”) is free text chosen by the sender, so always look at the address behind it.
- Grammar and spelling errors are big indicators - this is probably one of the easiest ways to recognize a scam email. Legitimate emails should be well written and grammatically correct. If the body of the message isn’t making sense, mark it as spam and move on. The reverse does not hold, though: a well-written message can still be phishing, so treat good grammar as the absence of one warning sign, not as proof.
- Requests to open an attachment or click a link - be very wary of emails asking you to download something or click a link. Clicking without thinking could let attackers install viruses or other malware on your computer, compromising your data. Check that the message is from a legitimate source and, when in doubt, don’t click!
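The “check the email address and domain” tip is the one that can be automated, and doing so shows the three tricks the human eye misses: a real domain used as a subdomain of an unrelated one, a digit swapped in for a letter, and a Unicode character that renders like a Latin letter. The following is an added example (not from the original post and not OneLogin’s code) that applies those checks to a handful of constructed From: headers; the headers, the brand and domain list, and the substitution table are all our assumptions.

```python
from email.utils import parseaddr

# Constructed sample From: headers (not real mail). The last one uses a
# Cyrillic 'а' (U+0430) in place of the Latin 'a', which renders identically.
SAMPLE_HEADERS = {
    "legit":      "PayPal <service@paypal.com>",
    "subdomain":  "PayPal <service@mail.paypal.com>",
    "prefix":     "PayPal <service@paypal.com.account-verify.example>",
    "digit_swap": "PayPal <service@paypa1.com>",
    "homoglyph":  "PayPal <billing@p\u0430ypal.com>",
}

# Digit-for-letter swaps commonly used in look-alike domains (assumed list).
LOOKALIKE_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def sender_domain(from_header: str) -> str:
    """Lower-cased domain of the address in a From: header, IDNA-encoded so a
    Unicode homoglyph label shows up as an 'xn--' punycode label."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    domain = addr.rsplit("@", 1)[1].strip().lower()
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return domain


def check_sender(from_header: str, brand: str, legit_domains: frozenset) -> list:
    """Return the red flags for a message whose display name claims `brand`.
    An empty list means the address is at one of `legit_domains` or a true
    subdomain of one (mail.paypal.com); anything else gets at least one reason."""
    domain = sender_domain(from_header)
    if not domain:
        return ["no parseable address in From header"]
    if any(domain == d or domain.endswith("." + d) for d in legit_domains):
        return []
    reasons = []
    # Non-ASCII or punycode labels: the classic homoglyph trick.
    if not domain.isascii() or any(label.startswith("xn--") for label in domain.split(".")):
        reasons.append("punycode/non-ASCII label: possible Unicode homoglyph of the brand domain")
    # The real domain appears first, but the registrable domain is something else.
    for d in legit_domains:
        if domain.startswith(d + "."):
            reasons.append(f"'{d}' is only a leading subdomain of '{domain}'")
    # Undo common digit/glyph swaps and see whether the brand name reappears.
    brand = brand.lower()
    normalized = domain.translate(LOOKALIKE_MAP).replace("rn", "m")
    if brand not in domain and brand in normalized:
        reasons.append("look-alike spelling of the brand name (digit/glyph substitution)")
    if not reasons:
        reasons.append(f"sender domain '{domain}' is not one of {sorted(legit_domains)}")
    return reasons


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        flags = check_sender(header, "PayPal", frozenset({"paypal.com"}))
        print(f"{name:11s} {header!r:58s} -> {flags or 'OK'}")
```

This catches look-alike addresses, not forged ones: if the receiving mail system does not enforce SPF, DKIM and DMARC for the claimed domain, an attacker can put the genuine paypal.com in the From: header, so the domain check complements those controls rather than replacing them.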
Following these simple steps to double-check suspicious emails could be the difference between getting hacked and turning an attacker away. If you’re an IT or security professional at your company, run phishing simulations with test emails across your organization and do regular security training.
Tip #3: Do not use the same password for everything
Remember earlier when I mentioned that more than likely you’re using the same password across most, if not all, of your accounts? This is a huge vulnerability that puts your personal and professional data at risk. There are over 15 billion stolen credentials floating around the dark web. If the one password you’ve been using for all of your accounts since the beginning of the Internet is among them, attackers can simply replay it against every other service you use, which is exactly what credential stuffing is.
Sound overwhelming to have a different password for every account? It doesn’t have to be. Forbes wrote a great article on how to create unique passwords for every account; it involves a formula you apply to all of your accounts to produce passwords that are different and hard to guess, yet easy to remember. They suggest templatizing your passwords like this:
- An alphabetic sequence - a word that’s meaningful to you, maybe a nickname or your favorite vacation spot, shortened to only part of the word. For example, if your dream vacation is to sit on a Greek island like Mykonos, you might make your sequence ‘Konos’.
- A number sequence - a simple pattern of at least 4 digits, possibly varied by account category, such as 2442 for financial accounts or 4664 for email accounts. You can safely write down the categories and their starting numbers so you don’t forget them, without giving the whole password away.
- An identifier - specific to the account you’re logging in to. For example, you might use the first and last letters of the account name, so Hulu becomes HU and Forbes becomes FS. Create an identifier pattern that’s easy to remember.
- A symbol sequence - a 4-character sequence of symbols specific to the account type you’re logging in to. It could be based on the number sequence for that login: on a US keyboard, 2442 becomes @$$@ simply by holding down the Shift key.
Following that template, a password for Hulu might be Konos2442HU@$$@. By using this template across all of your passwords, you’ll get used to entering different credentials for each account, and they will still be easy to remember. One caveat: because the parts are shared, anyone who sees one of these passwords in plain text (for example, from a site that stored it badly) can guess the template and derive the others. A password manager that generates a random password per site is the stronger option, with the template as a fallback for the few passwords you must remember. Combine that with MFA to give all of your accounts the highest level of protection. You should also regularly check whether your passwords have appeared in a breach at haveibeenpwned.com. Concerned about your employees using compromised credentials that could put your organization at risk? OneLogin’s SmartFactor Authentication™ uses Compromised Credential Check to check your users’ passwords against a database of compromised credentials and prevent the use of stolen passwords.
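Checking a password against a breach corpus sounds like it requires sending the password somewhere, but the haveibeenpwned.com Pwned Passwords service avoids that with a k-anonymity range query: the client sends only the first five hex characters of the password’s SHA-1 hash and matches the rest locally. The following is an added example, not OneLogin’s Compromised Credential Check or haveibeenpwned.com’s code, showing that exchange end to end. The response body is constructed for the example (only the suffix of “password” is genuine; the other lines and all counts are made up), the fetch function is swappable so the block runs offline, and the live fetcher assumes the public `https://api.pwnedpasswords.com/range/<prefix>` endpoint.

```python
import hashlib
import urllib.request

# Constructed excerpt of a Pwned Passwords range response for prefix 5BAA6.
# The real endpoint returns hundreds of "SUFFIX:COUNT" lines; the middle line
# is the genuine SHA-1 suffix of the password "password", while the other two
# lines and every count are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
1E2DC0A3C4AE1F5C4A5C0C4BDAFC3F8F0B4:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E5F9A0D1C0B3A2D4E5F60718293A4B5C6D:1
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the service indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """k-anonymity split: only the first 5 hex chars (20 bits) leave the
    machine; the remaining 35 chars are matched locally against the range."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range(suffix: str, response_body: str) -> int:
    """Number of times the password was seen in breaches; 0 if it is absent
    from the returned range (padding lines, if any, carry a count of 0)."""
    for line in response_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def is_compromised(password: str, fetch_range) -> int:
    """Full check: hash, query by prefix, match the suffix locally."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range(suffix, fetch_range(prefix))


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for the HTTPS call, serving the constructed response."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def hibp_fetch(prefix: str) -> str:
    """Live range query (needs network). The service requires a User-Agent;
    Add-Padding asks it to pad the response so its size does not leak which
    prefix was asked about."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-compromised-credential-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Swap fake_fetch for hibp_fetch to query the real service.
    for pw in ("password", "Konos2442HU@$$@"):
        n = is_compromised(pw, fake_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in the sample range'}")
```

Two things to note when wiring this into a real login or password-change flow: the check must be done before the password is accepted, not logged, and a non-zero count is a reason to reject the password outright rather than a score to weigh, because a password that appears even once in a public dump is already in attackers’ credential-stuffing lists.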
Start with these three tips to make sure you, your family and your friends follow strong password and security practices and are protected against cyber threats. Don’t shy away from discussing these topics with your loved ones or your company, because at the end of the day, being hacked is costly, damaging and possibly detrimental to your or your business’ livelihood. A simple chat about security can help. Interested in finding out how OneLogin, the Number One Value Leader in Identity & Access Management (IAM), can build secure, scalable and smart identities for your workforce or customers? Contact us for a customized demo today and #BeCyberSmart.