
Cybersecurity Awareness Month: Time for a Security Check

Don't fall victim to cybercriminals. Here are some easy ways to shore up your personal online defenses.

Bree Fowler Senior Writer

October is Cybersecurity Awareness Month and a good time to batten down your online accounts.


It's October. In some parts of the country, the leaves are starting to turn beautiful fall colors, football is back in full force, Halloween decorations are popping up and pumpkin spice latte season is practically over.

It's also Cybersecurity Awareness Month. Hope you got that someone special something nice.

In all seriousness, while the 31 days of online safety may be a slightly ridiculous and completely made-up occasion, it's still a good time for a cyber safety check.

That means setting solid and unique passwords for all your online accounts, enabling two-factor authentication whenever possible, installing those pesky software security updates and doing your best to keep as much of your private information, well, private.

That all may sound daunting, but there's plenty of help out there for those looking for a place to start. Just ahead of this October, the Cybersecurity and Infrastructure Security Agency launched its first public service campaign in hopes that it will motivate consumers to be cyber smart.

Entitled Secure Our World, the effort includes the agency's first-ever public service announcement, which will air on TV stations across the country. It's designed to drive home the importance of basic cyber hygiene practices.

The campaign's website also includes helpful tools for consumers and small and medium businesses, as well as tech producers, says CISA Director Jen Easterly.

"This truly is something that has to be about partnership, because it truly takes all of us to stay safe," Easterly said during a news conference announcing the campaign.

In celebration of Cybersecurity Awareness Month, here are a handful of easy tips from CISA and others designed to keep your online accounts safe.

Use strong passwords and a password manager

Passwords need to be long, random and unique. Once you get up to about 30 characters they become much harder to crack. 

To make your passwords easier to remember, you can use a passphrase of a handful of unrelated words strung together, such as "GrandmafootballCheeseburgerhat" or "lamppostParisHotsaucetrophyhat."

Avoid personal details that can easily be guessed or answered by Googling or mining social media. Your dog's name, the model of your first car or the university you graduated from may be important to you, but they're bad password material. Don't recycle your passwords and use them on multiple accounts -- no matter how good you think they are. That way, you limit the fallout if one of your passwords is compromised.

That also goes for the personal questions and answers you use to reset those passwords.
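The sketch below is an added example, not part of the original article. It builds a passphrase of random, unrelated words and shows that strength comes from the size of the word list and the number of words drawn. The word list is a constructed sample, and the 64-bit target and 30-character minimum are assumed defaults.

```python
import math
import secrets

# Constructed sample list, for illustration only. A real generator would load a
# large published list (the EFF long list has 7,776 words, about 12.9 bits each).
SAMPLE_WORDS = [
    "anchor", "violin", "glacier", "pepper", "satellite", "walnut",
    "origami", "thunder", "lantern", "compass", "mustard", "harbor",
    "blanket", "cactus", "pyramid", "saddle",
]


def entropy_bits(word_count, list_size):
    """Entropy of a passphrase whose words are drawn uniformly at random."""
    return word_count * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def make_passphrase(words, target_bits=64, min_chars=30):
    """Draw words with the OS CSPRNG until the entropy and length goals are met.

    target_bits and min_chars are assumed defaults, not values from the article.
    Returns (passphrase, entropy_in_bits).
    """
    unique = sorted(set(words))  # duplicates would overstate the entropy
    count = words_needed(target_bits, len(unique))
    chosen = [secrets.choice(unique) for _ in range(count)]
    while sum(len(w) for w in chosen) < min_chars:
        chosen.append(secrets.choice(unique))
    # Capitalizing each word only aids readability; it adds no entropy.
    phrase = "".join(w.capitalize() for w in chosen)
    return phrase, entropy_bits(len(chosen), len(unique))


if __name__ == "__main__":
    phrase, bits = make_passphrase(SAMPLE_WORDS)
    print(f"{phrase}  ({bits:.0f} bits from a {len(SAMPLE_WORDS)}-word list)")
    print("Words needed with a 7,776-word list:", words_needed(64, 7776))
```

Because the words are chosen by a random number generator and not by a person, the result contains no personal details to guess or look up.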

Need help? Sign up for a password manager. It'll keep all your logins organized and secure. Using the password generator and manager built into your browser is OK too. While some of those options have been clunky in the past, they've gotten better. For example, you can now use Google's Chrome browser to autofill passwords into apps on an iPhone, as well as auto-generate new ones.

Always use multifactor authentication

If your password does get compromised, a second layer of protection will go a long way toward protecting your account. Multifactor authentication, also called MFA, two-factor authentication and two-step verification, requires that someone trying to access your account enter a second form of identification before getting in.

MFA works in a host of different ways. It could be a code generated by an app, a biometric like a fingerprint or Face ID, or a physical security key that you insert into your device. Yes, MFA slows down the login process. But if MFA is available, turning it on is a must.

One word of warning: If you can, avoid MFA systems that text a code to your smartphone. Why? SIM swapping, in which cybercriminals steal your phone number by calling your wireless provider and having it switch your number to a new phone and SIM card. It does happen, and if criminals take over your phone number, they'll get that text message too.

Beware of phishermen

These days, many cyberattacks and data breaches -- both big and small -- start with a phishing attack. These are scam emails or other kinds of messages that try to trick people into handing over money or personal information under false pretenses.

While most of them still show up as emails, phishing also now comes in the form of social media posts, text messages (smishing) and even QR codes (quishing).

These days, phishing is easier than ever thanks to the advent of readily available artificial intelligence tools like ChatGPT. They make it much easier for scammers, especially those who aren't native English speakers, to write nearly infinite numbers of legitimate-looking and highly customized emails.  

Attackers could be pretending to be a charity looking for donations to help the victims of hurricanes or the war in Ukraine. They also could masquerade as a member of your office's IT team or a friend who wants you to check out a great deal at your favorite retailer.

Regardless of their form, the objective is usually the same: The attackers are looking to steal credentials, money or personal information.


It may seem old school at this point, but cybercriminals are still phishing for credit card information.


Work-related logins are some of the most sought after by cybercriminals because they could potentially be used to access corporate systems and their data, but even the logins for your personal emails and social media accounts have value. If compromised, they could put you in danger of financial fraud or identity theft, or be used down the road in another scam.

To avoid being scammed, experts say, ignore emails and other messages from people and groups you don't know, and don't open any attachments. They could contain computer viruses. If you're concerned about an email's authenticity, pick up the phone and call the person who supposedly sent it.

Better yet, help stop phishing by reporting it. If you're concerned about a work email, let your company's IT staff know. There's probably a dedicated "report" button for phishing and junk within your email app. The same goes for your personal email and social media accounts. 

Consumers should be particularly careful when it comes to requests for cryptocurrency. Though banks might be able to make you whole in cases of credit card fraud, the same doesn't go for crypto, which is designed to be largely anonymous and untraceable.

Use antivirus software and keep all software updated

Good antivirus software can go a long way toward protecting you, but it needs to be kept updated so it protects you against the latest threats.

That goes for all of your devices too. Laptops, smartphones and your vast collection of internet-connected devices all need to stay up to date. The easiest way to do this is to enable automatic updates. That way you'll get the latest patches without ever having to think about it.

Don't forget about your router. It's the front door to your home network, so best to make sure it's locked.