October is National Cyber Security Awareness Month
No blog about National Cyber Security Awareness Month would be complete without the obligatory link to the Department of Homeland Security’s (DHS) official website on the topic – after all, they started it 9 short years ago.
There… now you may be asking what this has to do with Identity & Access Management (IAM). At Identropy, we provide Plan, Build, and Run services for IAM programs. The Advisory Services IAM Kickstart is the cornerstone of Plan. In it, we develop strategy blueprints and roadmaps for IAM programs that allow clients to assess their current-state IAM capability maturity, identify their target state, and develop a roadmap to close the gap.
Developing awareness through an education plan can be a key element of the roadmap. Certainly, many cyber attacks play on the naiveté of their targets. A perfect example is a phishing attack in which the attacker sends an email that looks just like something your bank might send, directs you to a website that looks like your bank’s, and then asks for your login credentials. The trick is that the website isn’t your bank’s – it belongs to the fraudster, and you could have figured this out if you had only stopped, thought, and looked at the URL.
So I present my top 5 cyber-security education topics. I encourage you to borrow from this list and send an email to your workforce. Ask them to just stop, think, and act:
A mobile device is a computer.
Academically, most people get this point. But we are walking around with a significant amount of personal and corporate information on our devices. At a minimum, we should be locking our devices with hard-to-guess codes. We also need to think about the websites we visit and the apps that we download. All we’re asking for here is a sanity check – do I know what website or app I am visiting, and do I trust them?
Think about what you click on.
Nefarious websites are becoming ever sneakier in the ways they push spyware and viruses onto your computer. Hopefully, you have up-to-date malware prevention software (you too, Mac users!). But an ounce of prevention is worth a pound of cure. Avoid sites that you do not trust. Also, be wary of shortened URLs like http://tinyurl.com/9exyvka (in this case, it redirects to www.identropy.com, a safe website).
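"Stop, think, and look at the URL" is easier said than done, because a phishing link is built so that the bank's name is the first thing you see while the real host is somewhere else. The following added example (written for this post; it is not code from the original article or from Identropy) shows the checks a reader can apply to a link before clicking: what the real host is, whether the expected name is only a subdomain or path decoration on some other host, whether an `@` hides the destination, and whether the link is a shortener that must be resolved first. The hostnames `bank.example` and `evil.example` and the small shortener list are constructed for illustration; the tinyurl link is the one quoted above.

```python
from urllib.parse import urlsplit

# Constructed: the domain the reader believes the email came from.
EXPECTED_BANK_HOST = "bank.example"

# Assumption: a small sample of URL-shortening services. A shortener hides the
# real destination, so the link can only be judged after it has been expanded.
KNOWN_SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl"}


def inspect_url(url, expected_host=EXPECTED_BANK_HOST):
    """Return (verdict, reason) for a link a user is about to click.

    verdict is one of "ok", "unknown" (shortened, resolve first) or "suspicious".
    The checks mirror what a careful reader does by eye: find the real host
    and compare it with the host they expect.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # urlsplit lowercases and strips port
    expected_host = expected_host.lower()

    if parts.scheme not in ("http", "https"):
        return ("suspicious", f"unexpected scheme {parts.scheme!r}")
    if not host:
        return ("suspicious", "no host in URL")

    # Non-ASCII letters in a hostname are a common way to mimic a known name.
    if any(ord(ch) > 127 for ch in host):
        return ("suspicious", f"non-ASCII characters in host {host!r} (possible look-alike)")

    # "https://bank.example@evil.example/..." – everything before the '@' is
    # userinfo, not the host; browsers connect to evil.example.
    if parts.username is not None:
        return ("suspicious",
                f"text before '@' ({parts.username!r}) disguises the real host {host!r}")

    if host in KNOWN_SHORTENERS:
        return ("unknown", "shortened URL; resolve it before trusting the destination")

    # Genuine host or one of its subdomains, e.g. www.bank.example.
    if host == expected_host or host.endswith("." + expected_host):
        if parts.scheme != "https":
            return ("suspicious", f"host {host!r} is expected but the link is not HTTPS")
        return ("ok", f"host {host!r} is {expected_host!r} or a subdomain of it")

    # "www.bank.example.evil.example" or "evil.example/bank.example/login":
    # the expected name is present as decoration, but the real host differs.
    if expected_host in host or expected_host in parts.path.lower():
        return ("suspicious",
                f"{expected_host!r} appears in the link but the real host is {host!r}")

    return ("suspicious", f"host {host!r} is not {expected_host!r}")


def triage(urls, expected_host=EXPECTED_BANK_HOST):
    """Classify several links at once; returns {url: (verdict, reason)}."""
    return {u: inspect_url(u, expected_host) for u in urls}


if __name__ == "__main__":
    # Constructed sample links of the kinds described in the post.
    samples = [
        "https://www.bank.example/login",
        "http://bank.example/login",
        "https://bank.example@evil.example/login",
        "https://www.bank.example.evil.example/login",
        "https://evil.example/bank.example/login",
        "http://tinyurl.com/9exyvka",
    ]
    for url, (verdict, reason) in triage(samples).items():
        print(f"{verdict:10s} {url}\n           {reason}")
```

The point of the `@` and subdomain cases is that a reader who scans a link left to right sees the bank's name first and stops reading; the check above deliberately starts from the host the browser will actually connect to, which is the only part of the link that matters.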
Get rid of infrequently used software.
One unnecessary risk most of us take is keeping software on our computers (including mobile devices) that we rarely or never use. Old software can leave unpatched holes in an otherwise safe computing environment. Also, oft-used programs like Adobe Reader can be susceptible if they get out of date. Many of the updates they’re pushing your way are security updates.
Guard your password.
This, of course, means using complex, hard-to-guess passwords. It also means changing your password frequently and not reusing the same password on multiple computers. Personal password vaults like KeePass can help. But when you have identities across hundreds of applications, this can be hard. Make sure to use the strongest passwords on your financial sites, including PayPal, and on your email. And finally, don’t forget to use hard-to-guess (or figure out) answers for “secret” questions. This is how accounts most often get hijacked – by guessing that your dog’s name is actually “Spike” (PS: I found that on your Facebook profile).
Be wary of public computers.
Computers in hotel lobbies and libraries could have been compromised. Software like keystroke loggers could be capturing your password. Don’t type your credentials or credit card number into a public computer. Please. Don’t do it.
I’d love to hear others you think are important. I really think education could help mitigate a lot of the risk present in information security and IAM.