Since 2004, October has been celebrated as Cybersecurity Awareness Month, previously called National Cybersecurity Awareness Month. Now in its 19th year, Cybersecurity Awareness Month is a collaborative effort between government and industry to raise cybersecurity awareness nationwide and help ensure that all Americans have the resources they need to be safe and secure online.
This year’s campaign theme is “See Yourself in Cyber.” It reflects the idea that cybersecurity is ultimately about people, which means seeing yourself in cyber no matter your role.
This year, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) have identified four key areas where we can all take action to protect our presence online and work to keep others safe. These same concepts can be used to help secure your radio station websites and any other system that touches the internet.
Think Before You Click
This means you should always be on the lookout for phishing attempts. That is true for everyone, but it applies especially to website managers and administrators. Anyone in this role is likely very familiar with receiving emails from their website about updates, comments that need to be moderated, and new front-end submissions like contest entries, events, etc. Most administrators do not access the admin panel daily, so emails are often critical to the site management workflow.
Whenever you receive an email from your website, it is best to check that any links do not contain domain names from other websites before clicking, or better yet, log into the admin panel directly and navigate to the page that needs your attention instead of clicking on the link.
Even more important than checking links in the emails you are used to receiving is checking links in emails you aren’t expecting. Scam e-mails are getting better at looking legit, and the links they contain can be manipulated to enable a complete account takeover, among other malicious activities. These types of attacks can be avoided by remaining vigilant and checking the actual URL used. You can often hover over a link within any e-mail to see the URL it points to.
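The link check described above can also be automated. The following Python sketch is an added example, not code from the original article: it lists the links in an HTML e-mail body and flags any that leave your own domain or whose visible text shows a different host than the real target. The domain example-radio.test, the sample message and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SITE_DOMAIN = "example-radio.test"  # assumption: placeholder for your own domain
# Constructed sample notification e-mail body (not from a real message).
SAMPLE_EMAIL = """
<a href="https://example-radio.test/wp-admin/edit-comments.php">Moderate comment</a>
<a href="https://example-radio.test.login-check.invalid/wp-login.php">https://example-radio.test/wp-login.php</a>
<a href="https://example-radio.test@198.51.100.7/reset">Reset password</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def belongs_to_site(host, site=SITE_DOMAIN):
    host = (host or "").lower().rstrip(".")
    # Exact match or a genuine subdomain; "site.other-domain" does not count.
    return host == site or host.endswith("." + site)

def suspicious_links(html_body, site=SITE_DOMAIN):
    """Return (href, reasons) for every link that should not be clicked blindly."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname  # the real host, after any "user@" part
        reasons = []
        if not belongs_to_site(host, site):
            reasons.append("points outside " + site)
        if text.lower().startswith(("http://", "https://")) and urlsplit(text).hostname != host:
            reasons.append("visible text shows a different host")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Calling suspicious_links(SAMPLE_EMAIL) reports the second and third links and leaves the genuine moderation link alone. Links without a host, such as mailto: addresses, are also reported as pointing outside the site.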
Keep Your Software Updated
One of the best ways to keep a website secure is to ensure that any software being used is regularly updated with the latest security updates. In WordPress, this means keeping your core WordPress version up to date and any themes or plugins installed. Automatic updating of the WordPress core was added in WordPress 3.7, and WordPress 5.5 added the ability to update themes and plugins automatically.
If you partner with a website service provider, they are likely doing this for you in the background. But if you maintain a website yourself, ensure you always have the most up-to-date themes, plugins, and server software, including a current PHP version. Older versions of PHP were prone to attacks.
Most targeted attack attempts we have seen try to exploit vulnerabilities in outdated code. As threat actors become aware of vulnerabilities, they also know they can successfully exploit them because of the number of administrators who allow outdated plugins to remain active on the website. Updating all the site software is one of the simplest ways to prevent the success of an exploit attempt.
Use Strong Passwords and a Password Manager
In our 10+ years of doing radio station websites, we’ve only had one hacker intrusion, and they gained access to the website because of a weak password.
It can’t be stated enough that passwords must be as strong as possible. The stronger the password, the lower the chance of an intrusion. Longer passwords are considered more secure, with current recommendations calling for a minimum of a 16-character password wherever possible.
Creating, storing, and remembering passwords can be a pain for all of us, but the truth is that passwords are your first defense against cyber criminals and data breaches.
Each password should only be used to log into a single account. This means that individuals should have strong and unique passwords for every account they have, from their website to e-mail and everything in between.
While the requirement to use a unique password for every account may sound like overkill, there is a good reason for it. Suppose a criminal has a username and password for one account. In that case, they’ll use that combination on a variety of other accounts, including bank accounts, hoping that you are reusing credentials on multiple websites.
Using long passwords that are unique for each account can seem intimidating, especially once you consider that the average person has around 100 different accounts that need passwords. This is where password managers come in. Most password managers can automatically generate secure passwords and securely store those passwords to copy and paste into login forms easily. So, there’s only one password for you to remember – the password to the password manager.
Several password managers are available, all with their own features. Ultimately, which password manager you use is far less important than the fact that you are using one, so use the one that fits your needs.
Enable Multi-Factor Authentication
We all use passwords to access our websites, email, streaming TV services, bank accounts, etc. We are usually forced to change them periodically in the hopes that we’ll stay just a bit safer. But the truth is that, on their own, passwords no longer provide an appropriate level of security.
Do you have a Google account? One password gives you access to Gmail, Calendars, YouTube, Analytics, and a host of other services that might allow you to use a Google account. In 2017, Google admitted that hackers steal almost 250,000 web logins weekly. That number could be even higher now. And given how many services are attached to that account, each incident can be incredibly dangerous.
Fortunately, more companies are recognizing these risks and acting accordingly. More than half of enterprise companies use multi-factor authentication (MFA) to protect their users, and that share is rising yearly. If you haven’t considered this technique, it’s time to start.
When you enable MFA in your online services (like email), you must provide a combination of two or more authenticators to verify your identity before the service grants you access. Using MFA protects your account more than just using a username and password. According to Microsoft, users who enable MFA are significantly less likely to get hacked. Why? Because even if one factor (like your password) becomes compromised, unauthorized users will be unable to meet the second authentication requirement, ultimately stopping them from gaining access to your accounts.
Any form of MFA is better than no MFA. So, always enable it if you have the option to do so.
Cybersecurity is a Team Effort
National Cybersecurity Awareness Month is a great time to review our personal and professional security hygiene. Remember, cybersecurity is a team effort. Encourage everyone on your team to change their passwords. One employee’s mistake could lead to a virus installed on a work device, infecting your website or your on-air system. Establishing cybersecurity as a fundamental part of your station is essential to help secure it from online threats.