October is National Cybersecurity Awareness Month, which is celebrating its 21st year. Spearheaded, organized and led by the Cybersecurity and Infrastructure Security Agency and the National Cybersecurity Alliance, the campaign educates individuals and organizations on staying secure in an increasingly complex digital world.
This year’s theme is “Stay Safe Online,” and CISA recommends four steps for individuals and businesses to take, consistent with that theme:
- Use strong passwords and a password manager.
- Enable multifactor authentication.
- Recognize and report scams.
- Keep software up to date.
Each of these recommendations is discussed in more detail below.
Strong passwords and password management tools
Although it is tempting for individuals to use the same password on multiple sites, that is not a safe practice. Weak or reused passwords remain one of the leading causes of breaches, making it essential to use unique, complex passwords for personal and professional accounts.
Another good precaution is to use an encrypted password manager. Password managers generate and safely store complex, unique passwords for each account and let individuals securely retrieve them when needed. In the business context, they also track credential access, which helps organizations meet internal policy standards and show regulators that “reasonable security measures” are in place.
Multi-factor authentication
MFA adds an extra layer of protection. After the user signs in with a user name and password, MFA requires a second factor: a one-time code, a biometric scan, or a hardware token that generates a one-time code. Even if a password is compromised, MFA can block unauthorized access to sensitive accounts.
For individuals and businesses, MFA is increasingly a regulatory expectation under laws such as the Health Insurance Portability and Accountability Act, which among other things governs the privacy of individually identifiable medical information; the Gramm-Leach-Bliley Act, which governs privacy of consumer financial information; and SEC cybersecurity disclosure rules.
Recognize and report scams
Online scams like phishing attacks are becoming more sophisticated, often impersonating legitimate companies, vendors, or even regulators. However, they frequently have “red flags” that users should be on the alert for. These include the following:
- Typos, misspellings, and grammatical errors.
- Generic or ambiguous greetings.
- Requests for personal information.
- Urging the recipient to click on a link or open an attachment.
- A sender email address whose domain doesn’t match the company that is supposedly sending the message.
- Strange or abrupt business requests.
Employees should be trained not to reply to a suspicious email or text, and not to open any attachments. Instead, they should pause, verify the authenticity of both the sender and the content of the communication, report the suspected “phish” to their IT or compliance team, and follow that team’s recommendations.
Keep software up to date
Automatic updates are one of the simplest, most effective ways to avoid vulnerabilities. Outdated software creates an easy entry point for attackers, and could expose personal data or companies to regulatory scrutiny for failing to maintain “reasonable security measures.”
Whenever possible, individuals and businesses should enable automatic updates and ensure that any and all downloads come directly from a trusted source. This applies to both enterprise systems and personal devices.
Awareness builds resilience
As cyber threats evolve, awareness and compliance must evolve with them. Follow Constangy’s Cybersecurity & Data Privacy team for resources on how to “Stay Safe Online” during Cybersecurity Awareness Month and beyond.
The Constangy Cyber Team helps businesses of all sizes and industries develop comprehensive incident response plans and provides support during a breach. We are here to help! Contact us 24/7 at breachresponse@constangy.com or by phone at 877-DTA-BRCH.