Cybersecurity Awareness Month – Behavior: Enable MFA to (Greatly) Reduce Risk Away

This year, Cybersecurity Awareness Month has changed up its typical approach of weekly themes and is focusing on four behaviors that are most important to #BeCyberSmart and stay safe online. The behaviors focus on the “people” part of cybersecurity to ensure all individuals and organizations make smart decisions personally and professionally. The behaviors that will be highlighted during the month include:

• Enabling multi-factor authentication
• Using strong passwords (and a password manager)
• Updating software
• Recognizing and reporting phishing

Members are encouraged to avail themselves of Cybersecurity Awareness Month resources to aide in security awareness and training curriculum to protect your utility and employees.

Enabling Multi-factor Authentication (MFA)

MFA leads the way this Cybersecurity Awareness Month. With the emphasis that CISA and others have been placing on multi-factor authentication this year, it’s no surprise it’s the leading behavior to be highlighted.

Use MFA all day, in every way. While MFA is not always made available by every application or website, it is becoming more commonplace. As some recent cyber incidents have demonstrated, MFA doesn’t provide 100% effectiveness at stopping security breaches. However, it significantly reduces the risk of account compromise in the majority of incidents, making threat actors work harder. Therefore, if you haven’t already, look for MFA on every site or application you use and enable it.

How to play with MFA. Multi-factor authentication can include various methods of providing an additional form of authentication beyond a password. The National Cybersecurity Alliance offers the following – some commentary has been added in parenthesis by WaterISAC’s Director of Infrastructure Cyber Defense, Jennifer Lyn Walker):

• A extra PIN (personal identification number)
• The answer to an extra security question like, “What’s your favorite pet’s name?” (Always provide a fictitious or even nonsense answer so it can’t be easily guessed)
• An additional code either emailed to an account or texted to a mobile number (SMS text-based MFA is the least secure method, but it is better than no MFA at all)
• A biometric identifier like facial recognition or a fingerprint
• A unique number generated by an “Authenticator App” (Authenticator apps are being adopted more and more, if you currently use text codes, check with the site or application to see if they allow authenticator apps such as Duo, Authy, Google Authenticator, Microsoft Authenticator, etc.)
• A secure token, which is a separate piece of hardware (like a key fob that holds information) that verifies a person’s identity with a database or system (The keyfob or FIDO (fast identity online) key is currently considered the most secure method of MFA)

Additional MFA Resources

• Multi-Factor Authentication (CISA)
• Multi-Factor Authentication (National Cybersecurity Alliance)
• Cybersecurity Awareness Month 2022: Enabling Multi-factor Authentication Key behavior: Multi-factor Authentication (NIST)

Additional Cybersecurity Awareness Month Resources

• Cybersecurity Awareness Month (National Cybersecurity Alliance)
• Cybersecurity Awareness Month (CISA)
• Five things to do to protect yourself online (FTC)
• See Yourself in Cyber: 4 Steps to Stay Safe (Tripwire)
• 5 Ways to Increase Your Online Security in 10 Minutes (PCMagazine)
• The Gate 15 Podcast Channel: The Gate 15 Interview: Cybersecurity Awareness Month 2022 with the National Cybersecurity Alliance, Auto-ISAC and FS-ISAC! Plus, background! shout-outs!! favorite movies, tigers, and more!!!
• The Gate 15 Podcast Channel: The Cybersecurity Evangelist Podcast – Episode 14, Do Your Part. #BeCyberSmart (from 2021)