As Cybersecurity Awareness Month winds down for 2023, we’ve released a cornucopia of information about security and privacy in the digital world — including four blog posts from NIST experts whose work focuses on developing best practices for staying safe and secure online.
What are the main things you as a consumer can do to protect your own security and privacy? Here’s what our four blog authors had to say.
Enable multifactor authentication, or MFA, to prove you are who you say you are online. MFA uses a combination of:
• something you know, such as a password;
• something you have, such as an authentication application on your phone; and/or
• something you are, such as fingerprint or face recognition.
“Multifactor authentication has proven to be extremely effective to protect against modern automated cyberattacks,” said NIST’s David Temoshok in his post, because “it takes more than a password to secure your accounts online.” Not every account or organization you encounter online offers MFA, but you will often see it used with banking, email, social media and online stores. Activate MFA whenever possible. The extra few seconds it takes adds a lot of security to your online life.
Use strong passwords and a password manager. Passwords should be long, unique and hard to guess — characteristics that can make them hard to keep track of if you have a lot of them (as most of us do nowadays). Creating effective passwords does not always come naturally and can create security and privacy problems for people of all ages, as NIST’s Yee-Yin Choong and Meghan Anderson discuss in the second Cybersecurity Awareness Month 2023 NIST Blog Series post. People tend to create passwords using concepts reflecting the state of their lives, such as movie titles, video games, or pets’ names. If these concepts turn up elsewhere in their online social media posts, it could compromise an individual’s security and privacy. Children often get their earliest exposure to technology under parental supervision, so adults should learn good password creation and protection strategies, and then pass these strategies along to their kids.
Use software that gets regular updates. Software is nearly everywhere. It’s not just in your computer, but also in smart appliances and Internet of Things (IoT) devices that connect to networks — making all these devices attack targets. Software updates not only deliver new features to a device, but they also help keep its cybersecurity defenses current. In their post, NIST’s Michael Ogata and Paul Watrobski recommend seeking out and using software that either gets updated automatically or that you can update manually. “One of the simplest actions you can take to improve the protection of your finances, data, safety, etc. is to install software updates as soon as they are available,” they write. “If you don’t, you’re putting yourself and your company at greater risk.”
Learn to recognize and report phishing attacks. You’ve (hopefully) realized that a Nigerian prince doesn’t have a princely sum he wants to deposit in your bank account, but writers of phishing emails are always looking for new ways to convince you they have a legitimate need for you to click a link or provide some sensitive information. Their strategies are always changing. NIST’s Shanée Dawkins and Jody Jacobs focus on helping organizations train employees to recognize and report phishing emails. Stay updated on your organization’s training, and then help people you know to practice good cyber hygiene. “For phishing threats, people can be a target via our work email, personal email, text messages, even phone calls,” they write in their post. “We want to help people recognize phishing threats so that they remain vigilant with their technologies.”
For even more usable guidance about all four of these tips, check out NIST’s page on Cybersecurity Awareness Month.
Also check the return address on emails to verify it's valid. Some spam emails will have the correct name, but once you look at the email address, it's different. This also goes for bank emails.
Thank you, it is a great article. Unfortunately, the bad news is that millions of Social Security Numbers are available on some normal websites, with the last 4 digits exposed, and in the Darknet ++ one can get the full number; then, using a simple search on public sites for the full name, one can get other info, like addresses... and then create havoc... Is there a tool from the Gov to request the removal/wiping out of personal information that is advertised as 'public'? The information on these 'normal' websites is not from social websites or the like, but from state websites and the like. I understand that we can ask the credit agencies to put a freeze or a lock on our credit report, but still I don't feel good having all my personal information exposed practically to the world. I was told that one needs to hire some company to do the removal work. But would I make things worse by trusting that company and giving it additional information?
Hi, Dean. Thanks for your question. The Federal Trade Commission has resources on identity theft you might find helpful - https://www.identitytheft.gov/#/Info-Lost-or-Stolen.
NIST Framework Core: This component includes a set of cybersecurity activities and outcomes. It's designed to be intuitive and use simple, non-technical language to help teams communicate. The Framework Core is broken down into three parts: functions, categories, and subcategories.
Implementation Tiers: These tiers include:
Profiles: These profiles connect the functions, categories, and subcategories to an organization's business requirements, risk tolerance, and resources. Profiles can be thought of as an executive summary of everything done with the previous three elements of the CF.