BIO-key Blog

What do CISOs want for the holidays?

Written by BIO-key Team | Dec 22, 2021 2:59:24 PM

As we near 2022 and the holiday season, you as a CISO and your users have dealt with a lot in 2021. Your users are beginning to wrap up their projects and unwind from the year, but your job as a CISO is never done. In the spirit of the holidays, here are a few holiday items you might wish to get from your users.

1. Digital Spring Cleaning

After a hard-working year, your users' devices may be cluttered: files pile up, and many old or unwanted ones are no longer needed or need to be reorganized. The holiday season is the perfect time for users to clean their devices and keep them secure and ready for the next year.

Here’s how your users can clean their devices for 2022. 

  1. Review their online accounts. Your users should delete any that they no longer use. They should also remove information in old accounts that is no longer needed, such as saved credit cards or old documents in the company's cloud storage. As a CISO, you benefit from your users cleaning up their online accounts, since a single compromised account can spell disaster for your company.
  2. Update their devices. Your users should update their devices and applications to reduce the risk from malware and viruses. App and device updates ship the security fixes that help prevent cyberattacks. Additionally, users should delete unused applications to free up space and improve performance on their devices.
  3. Clean their web browser. Your users should clear old browser data, such as stored passwords and autofill information, and remove anything that is old or unused.
  4. Remove old digital files. Your users should clean out old emails, files, and downloads, both to remove the risk of old confidential data resurfacing and to free up space for the upcoming year.

2. Secure Your Network

Because of the COVID-19 pandemic, your employees have been working at home or remotely, using their own Wi-Fi to log in and access confidential data and company applications. With everyone working remotely, each employee's Wi-Fi network has become an entry point, giving hackers multiple ways to break into your organization's systems.

The organization's on-premises network is much more secure; your employees may not secure their home networks as effectively, leaving the company vulnerable to a cyberattack. Many users are unaware of the security risk of protecting their Wi-Fi network with a weak password, so as a CISO, for the holidays, you want to ask your users to update their Wi-Fi password and make it stronger.

When your users secure their networks, it reduces the risk of a cyberattack succeeding.  

How can your users strengthen their network? 

  1. Update their Wi-Fi password, or add one if there isn't one. If your users are still using the default username and password on their Wi-Fi router, the easiest fix is to change that login to something stronger. Default router usernames and passwords are easy to find online, so this is a quick win.
  2. Use a Virtual Private Network (VPN). A VPN lets a user communicate privately over an unsecured network. It encrypts the traffic so a hacker cannot pinpoint the user's location or trace what they are doing online, and it masks the device's IP address, making it appear that the device is connecting from a different location.
  3. Keep their network private. When a home network is set up, it is most likely publicly visible by default. This leaves the network vulnerable, because hackers can determine which router is in use, increasing the chance of attack. Keeping the network private hides it from public view, making it more difficult for a hacker or anyone else to find.
  4. Update their router software. Like a phone or laptop, a router receives software updates that protect the network's security. Unlike those devices, however, a router may not update automatically, so it should be updated manually to make sure the newest updates are installed.
  5. Keep their firewall on. Most Wi-Fi routers have a built-in network firewall that blocks attacks from threat actors, but it can also be disabled, so it's important to check that the home router's firewall is turned on.

3. Update Old Passwords

As a CISO, if your users are already updating their Wi-Fi password, they should update any other old passwords too. Spring cleaning is coming early, and the best practice for staying secure online is maintaining and updating old passwords.

Here's a tip: if your users have their passwords saved with Google, Google can notify them if any of those saved passwords have been leaked or need to be updated.

Many of your users may use weak or simple passwords, and unfortunately, they are most likely using that same password across all of their logins. The average user has 100 applications, and more than half of users reuse the same password across all 100 of them. This creates a huge vulnerability.

As a CISO, the biggest present your users can give you is to update their old passwords this holiday season. 

With self-service password reset, users can do this themselves, and you can help keep them safe by encouraging them to create genuinely stronger passwords rather than changing a single character or digit.

Another recommendation is to use passphrases. Passphrases are naturally easier to remember, since a sentence is far easier to recall than a long string of random numbers and characters. Passphrases also easily satisfy password complexity rules and are more difficult for hackers to crack.
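To put numbers behind the passphrase recommendation, here is an added example (not code from BIO-key or this post) that computes the entropy of a uniformly random password versus a randomly chosen passphrase, estimates an average guessing time at an assumed cracking rate, and checks both against a typical three-of-four-character-classes rule. The 94-character pool, the 7776-word list size, the guessing rate and the tiny sample word list are all assumptions constructed for the example.

```python
import math
import re
import secrets

# Assumed pool sizes for the comparison (labelled assumptions, not from the post).
PRINTABLE_ASCII = 94        # upper + lower + digits + 32 printable symbols
DICEWARE_WORDS = 7776       # size of a common 6^5-entry word list
GUESSES_PER_SECOND = 1e10   # assumed offline cracking rate for the estimate

# Constructed, deliberately tiny word list so the block runs offline. A real
# generator must draw from a published list of thousands of words; entropy is
# computed from the size of whatever list you actually pass in.
SAMPLE_WORDLIST = ["holiday", "router", "firewall", "snowfall",
                   "lantern", "cinnamon", "glacier", "harbor"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of a uniformly random choice of `length` symbols from `pool_size`."""
    return length * math.log2(pool_size)


def average_guess_time_seconds(bits: float, guesses_per_second: float) -> float:
    """An attacker finds the secret, on average, after trying half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def meets_complexity(candidate: str, min_length: int = 12) -> bool:
    """A typical corporate rule: minimum length plus three of four character classes."""
    classes = (
        re.search(r"[a-z]", candidate) is not None,
        re.search(r"[A-Z]", candidate) is not None,
        re.search(r"[0-9]", candidate) is not None,
        re.search(r"[^A-Za-z0-9]", candidate) is not None,
    )
    return len(candidate) >= min_length and sum(classes) >= 3


def random_passphrase(wordlist, n_words: int = 5, sep: str = "-") -> str:
    """Pick words with the `secrets` CSPRNG. Capitalising each word and appending a
    fixed digit only satisfies complexity rules; it adds convenience, not entropy."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    return sep.join(w.capitalize() for w in words) + "7"


def compare(password_len: int = 8, n_words: int = 5) -> dict:
    """Entropy and average guessing time (in years) for both strategies."""
    year = 365.25 * 86400
    pw_bits = entropy_bits(PRINTABLE_ASCII, password_len)
    pp_bits = entropy_bits(DICEWARE_WORDS, n_words)
    return {
        "password_bits": round(pw_bits, 1),
        "password_years": average_guess_time_seconds(pw_bits, GUESSES_PER_SECOND) / year,
        "passphrase_bits": round(pp_bits, 1),
        "passphrase_years": average_guess_time_seconds(pp_bits, GUESSES_PER_SECOND) / year,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>16}: {value:,.1f}")
    phrase = random_passphrase(SAMPLE_WORDLIST)
    print(phrase, "passes complexity:", meets_complexity(phrase),
          "| entropy from this tiny list:", entropy_bits(len(SAMPLE_WORDLIST), 5), "bits")
```

The point the figures make: a five-word passphrase drawn from a 7776-word list carries more entropy than an eight-character random password, and it stays memorable. The entropy depends on the size of the list the words were chosen from, not on the visible length, which is why the eight-word sample list in the block yields only 15 bits for five words.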

4. Use Multi-factor Authentication (MFA)

The traditional method of logging in with a single factor like a username and password is fraught with security problems. Your users will generally use simple passwords that are easy for them to remember, but this comes with the consequence of it being easy for a threat actor to guess. Also, many users write down usernames and passwords on a sticky note or in some conspicuous place, making it easy for anyone to read and access. 

Today, more and more organizations are falling victim to data breaches because they rely on a single password, which tends to be easy for hackers to crack. Many of the major critical infrastructure attacks, for example the JBS and Colonial Pipeline attacks, were due to a simple password.

As a CISO, having your users adopt two-factor authentication (2FA) or multi-factor authentication (MFA) would be a dream holiday present. Both 2FA and MFA provide much more secure access than a password alone. Threat actors need more than just the password to compromise your data, so implementing a secondary form of authentication spells defeat for them and gives you and your organization the holiday gift of staying safe.

5. Delete Phishing Emails

Phishing attacks, while not new, have become increasingly common and effective this year. Many phishing attacks were centered around COVID-19 testing and the COVID-19 vaccine, catching many individuals off-guard. As a CISO, the last thing you want this holiday season is for your users to fall for a phishing attempt, so it's important to give them the gift of education on how to handle phishing emails. 

How should your users handle phishing attacks? 

  1. If your users receive a phishing email or an email that looks suspicious, tell them not to open it or respond to it. Opening or responding to a phishing email can signal to threat actors that there is someone active on the other end, and it puts a target on the user's device. Your users should delete the email immediately or leave it in the junk folder.
  2. Proceed with caution when there are images or links in the email. Even if the email looks like it is from a trusted source, make sure that the links and images are trustworthy. Links in emails can lead to fake web pages designed to harvest your users' credentials, and images in emails can act as a beacon that notifies the sender that the recipient (your user) is active.
  3. Report suspicious emails. If you or your user received a suspicious email from someone at a trusted organization, report the email or ask the organization whether the email is legitimate.
  4. Don't enter personal or financial information in pop-up windows, even if the pop-up looks official. If a link in a phishing email opens a pop-up window, close it by clicking the red X and delete the email.
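As an added example (not from the post), here is a small scanner in Python that applies two of the checks above to the HTML of a constructed sample message: it flags links whose visible text names one domain while the href points at another, and images that load from a remote host, reporting 1x1 images as tracking pixels. The sample email, its hostnames (under the reserved .example and .test names) and the crude last-two-labels domain comparison are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email): the visible link text
# shows the bank's portal while the href points elsewhere, and a 1x1 image loads
# from a third-party host the moment the message is rendered.
SAMPLE_EMAIL_HTML = """
<p>Your COVID-19 test appointment is confirmed. Please verify your details at
<a href="http://portal.example-bank.test.secure-login.example/verify">https://portal.example-bank.test</a>
before Friday.</p>
<p>Questions? Visit our <a href="https://www.example-bank.test/help">Help center</a>.</p>
<img src="https://mail-tracking.example/open.gif?id=4711" width="1" height="1" alt="">
"""

# Something in link text that looks like a hostname or URL (TLD of 2+ letters).
DOMAIN_RE = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})", re.I)


def registered_domain(host):
    """Crude eTLD+1: the last two labels. Production code should use the public suffix list."""
    if not host:
        return None
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _dim(value):
    """Parse an HTML width/height attribute; None when absent or not numeric."""
    try:
        return int(str(value).strip().rstrip("px"))
    except ValueError:
        return None


class EmailScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # visible text collected inside that anchor

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href")
            self._text = []
        elif tag == "img":
            self._check_image(a)

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self._check_link(self._href, "".join(self._text).strip())
            self._href = None

    def _check_link(self, href, text):
        # Flag only when the text itself claims a domain that differs from the target.
        actual = registered_domain(urlparse(href).hostname)
        match = DOMAIN_RE.search(text)
        if actual and match:
            shown = registered_domain(match.group(1))
            if shown != actual:
                self.findings.append({"kind": "link_mismatch", "shown": shown,
                                      "actual": actual, "href": href})

    def _check_image(self, a):
        host = urlparse(a.get("src", "")).hostname
        if not host:
            return  # inline or cid: image, nothing is fetched when the mail opens
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        self.findings.append({"kind": "tracking_pixel" if tiny else "remote_image",
                              "host": host})


def scan_html_email(html):
    """Return a list of findings (dicts with a 'kind' key) for one HTML message body."""
    scanner = EmailScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for finding in scan_html_email(SAMPLE_EMAIL_HTML):
        print(finding)
```

In a real deployment the domain comparison should use the public suffix list rather than the last two labels, and the findings would feed a mail gateway or the user-reporting workflow from item 3 rather than be printed.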

Now comes 2022...

With a fresh and clean slate for the New Year, you and your organization can focus on more important details like investing more in cybersecurity measures or implementing Zero Trust for the entire organization. Also for 2022, keep up with the latest trends and news in cybersecurity, and subscribe to our blog!