National Cybersecurity Awareness Month 101 (& Why You Should Care)


If you’re reading this, there’s a good chance you fall into one of two camps: You either want to learn more about cybersecurity, or you are wondering why we need to have a “month” to celebrate just about everything under the sun these days. 

Either way, I’m glad you’re here. Because whether or not we think about it, our lives are increasingly spent in digital spaces. That means cybersecurity is no longer a “nice-to-have” (if it ever really was) but a “must-have.” It’s become as important as physical security, and with remote work, smart houses, and cars that are basically computers, a cyberattack has the potential to wreak havoc on your life in a very real way. 

So what is National Cybersecurity Awareness Month? National Cybersecurity Awareness Month takes place in the U.S. every October – though several countries are celebrating it too – and is led by the U.S. government and the National Cybersecurity Alliance. This month sheds light on the behaviors that play the most pivotal role in personal and professional digital safety. It’s part of the movement for greater preparation and planning for cyberattacks and protecting your data and your people. 

This year’s National Cybersecurity Awareness Month theme is “See yourself in cyber,” and it focuses on four key behaviors, which we’ll briefly cover in this post.


Behavior 1: Enable Multi-Factor Authentication

You have access to dozens of passwords on a daily basis for personal and business use, and chances are some of them are reused across multiple platforms and sites. Unfortunately, this is big business for bad actors. In fact, more than 15 billion passwords are for sale on the dark web at any given time and 81% of breaches leveraged stolen passwords. As we know, breaches can not only result in identity theft but can have major business implications as well. 

There is good news: Multi-factor authentication (MFA) can prevent 99.9% of attacks according to recent research. There’s just one catch: most people – as many as half – have never heard of MFA. 

So what is MFA? MFA is authentication that goes beyond a single password entry. It prompts a user for a second piece of verifying information, such as a secure code sent to a mobile device, or to sign in via an authenticator app. MFA may ask for a PIN, a security question, a secure token like a key fob that generates a code, or even biometric authentication.

You may have encountered this with banking apps, but the fact remains that it should be used for all business accounts and applications and should be implemented on a personal level as much as possible. 

A few of the most common places you should use MFA include: 

  • On accounts with your financial info, like banks or online stores.
  • On accounts with personal info, like social media.
  • On accounts with info you use for work.

In other words, you should use it everywhere, as often as possible.

This single behavior can save you and your company thousands or even millions of dollars. As an added benefit, with MFA it will be easier to spot phishing sites (as they will not have the correct MFA access or validation). Ultimately, this is part of the proactive strategy to prevent attacks from both inside and outside of your traditional corporate perimeter.

Behavior 2: Use Strong Passwords and a Password Manager

Often, a password manager is lumped in with MFA, but these are actually two completely separate elements. 

A password manager is typically a cloud technology that houses and encrypts all of your passwords. You might be familiar with the Google Chrome or Safari browser password managers, but there are others available. Password managers can often also help generate new passwords when needed. 

Why bother with a password manager? Because 70% of people admit using the same password for multiple accounts and 43% of adults have shared a password online with someone, according to recent data. For bad actors, that is a major opportunity: if they can intercept one password, they can access multiple accounts, and when an employee uses the same password at home as they do for work, it is a gold mine for threat actors. However, the same recent data found that 65% of people don’t trust password managers, despite their encryption capabilities.

It’s important to note that a password manager alone won’t be much help if the passwords themselves are too easy to guess.

When creating a password, try to avoid: 

  • Names of a spouse, child, or pet
  • Birthdays of yourself, a spouse, or a child
  • Easily guessable nicknames 
  • Sports teams or other subjects of your interest 

The best route is to randomly generate a password – or better yet, a passphrase, using completely unrelated terms that are very difficult to guess. Later this month, we’ll share a few of the most common passwords to avoid.
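To make the advice above concrete, here is an added example (not ZeroFox code) that builds a passphrase from randomly chosen, unrelated words and checks a candidate password for the personal details listed earlier. The word list, function names, and personal terms are constructed for illustration.

```python
import math
import re
import secrets

# Constructed sample word list for the demo only. A real list should hold
# thousands of words (a 7,776-word list gives about 12.9 bits per word).
SAMPLE_WORDS = ["anchor", "biscuit", "cactus", "dynamo", "ember", "fjord",
                "gravel", "harbor", "igloo", "jigsaw", "kettle", "lantern",
                "magnet", "nectar", "orbit", "pebble"]


def generate_passphrase(words, count=5, sep="-"):
    """Pick `count` words independently using the OS secure random source."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Bits of guessing entropy when each word is drawn uniformly at random."""
    return count * math.log2(list_size)


def _normalize(text):
    # Lowercase and drop punctuation so "Rex_2015!" still matches "rex".
    return re.sub(r"[^a-z0-9]", "", text.lower())


def personal_terms_in(password, personal_terms):
    """Return the personal terms (names, birthdays, teams) found in a password."""
    haystack = _normalize(password)
    hits = []
    for term in personal_terms:
        needle = _normalize(term)
        # Skip very short terms to avoid meaningless matches.
        if len(needle) >= 3 and needle in haystack:
            hits.append(term)
    return hits


if __name__ == "__main__":
    # Constructed personal details: pet name, birthday, favorite team.
    about_me = ["Rex", "1987-04-12", "Ravens"]
    print(personal_terms_in("gO-RaVeNs-19870412", about_me))
    print(generate_passphrase(SAMPLE_WORDS), entropy_bits(len(SAMPLE_WORDS), 5))
```

The 16-word sample list yields only 20 bits for five words, which is why the size of the list matters as much as the number of words.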

Behavior 3: Update Software

Raise your hand if you have seen a software or operating system update and clicked “ignore” or “remind me later.” 

Go ahead, raise your hand. We don’t judge. You’re not alone – the National Cybersecurity Alliance found that a third of all people say they sometimes, rarely, or never install software updates. 

This common problem is something malicious actors count on. There are a vast number of Common Vulnerabilities and Exposures, or CVEs (like those discussed in our recent Quarterly Threat Landscape Report), that require updates and patches to address.

Of all of the behaviors we will address this month, updating software is the simplest. Make sure you install software updates and patches strategically, especially those proposed by your company’s IT department. 

People often worry that patching will cause a greater issue, so as a rule of thumb you should always check with your company’s IT department before performing an update to make sure it is legitimate. 

Behavior 4: Recognize and Report Phishing

Before we discuss phishing, it’s important to acknowledge that anyone – no matter how technologically savvy or security conscious – can fall for a phishing link. Phishing is an incredibly common social engineering tactic. Social engineering itself accounts for 98% of all cyberattacks. Phishing or smishing (SMS phishing) is often done through legitimate-looking impersonated social media pages and spoofed URLs and websites, making them hard to spot.

Avoiding phishing requires personal and professional attention.  

On the business front, the importance of phishing attack and security awareness training for all employees cannot be overstated. Training should be company-wide and should teach employees to look for suspicious links without clicking, avoid clicking any links from someone they don’t know, and check the sender’s information before sharing any sensitive information.

On a personal level, you must remain vigilant to watch for impersonation attacks through email, social media, and even app stores. Do not accept duplicate friend requests on social media, do not share private information through DMs, and be vigilant if someone requests money. 

Join ZeroFox for National Cybersecurity Awareness Month

For the month of October, ZeroFox will share deeper information on the four behaviors we discussed above. We encourage you to join and follow us on social media to learn more about how you can maintain proper cyber hygiene and stay safe online. 

You can also learn more about staying safe online and protecting yourself in the gray space online in our new whitepaper, The Guide to External Cybersecurity. Download your copy today.
