Cybersecurity is a year-round effort that takes place in the background. Mostly.
It comes into the spotlight in October.
For the 19th year in a row, the nonprofit National Cybersecurity Alliance has designated October as National Cybersecurity Awareness Month. To mark the occasion, the alliance reminds businesses and consumers of best practices to use in a network environment where thieves, fraudsters and other mischief makers lurk.
These bad actors can include hackers working for nation states, or criminals who have found a home in countries that look the other way.
In one recent instance up the coast, hackers infiltrated the Los Angeles schools’ computer system and demanded a ransom. According to media reports, the hackers made the information public when the schools said they would not negotiate.
The web is not kind to those ignorant of such perils.
It doesn’t matter what business you are in. “Cybersecurity is now everyone’s business,” said Lisa Easterly, president and CEO of the nonprofit Cyber Center of Excellence (CCOE) in San Diego.
Four Key Practices
Knowledge is power, and this month the National Cybersecurity Alliance will be reminding the public of four key practices. They are:
- Enabling multifactor authentication
- Using strong passwords and a password manager
- Updating software, and
- Recognizing and reporting phishing.
This article offers a look at the first of these, multifactor authentication.
Security in Layers
“Having a password and username is not sufficient anymore,” said Scott Zoldi, chief analytics officer for FICO in San Diego.
“The best security practice is using security in layers,” said Miguel Sampo, senior director of global sales with RiskRecon, A Mastercard Company. Sampo is based in North County.
Multifactor authentication requires a person to prove their identity in several ways before they can have access to a computer or a website.
In one common instance, a website with multifactor authentication might have a person enter a username and a password. If that is successful, the website will independently send a numeric code or some other unique message to a known device, such as a smartphone, and have the person relay that code back to the website.
“If you stole my username and password, you also have to be able to compromise my mobile” to gain entrance, Zoldi said.
He noted that cybercriminals can buy compromised usernames and passwords.
“The more factors you leverage to authenticate a user, the safer the interaction is,” Zoldi said.
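The login flow described above, sketched as an added example that is not code from any site or vendor named in this article: a password check followed by a one-time code sent to a device on file. The sample account, the five-minute code lifetime, the three-guess limit and the `OUTBOX` stand-in for the delivery channel are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 3    # guesses allowed per code (assumed policy)

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account; a real site reads this from its user store.
USERS = {"alice": {"salt": b"constructed-salt",
                   "pw_hash": hash_password("correct horse", b"constructed-salt"),
                   "device": "phone-on-file"}}
PENDING = {}   # username -> code awaiting confirmation
OUTBOX = []    # stands in for the SMS or push channel to the known device

def start_login(user, password, now=None):
    """Factor 1, something you know. On success a code goes to the device."""
    now = time.time() if now is None else now
    rec = USERS.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"]):
        return False
    code = f"{secrets.randbelow(10**6):06d}"   # drawn from the OS CSPRNG
    PENDING[user] = {"code": code, "expires": now + CODE_TTL, "attempts": 0}
    OUTBOX.append((rec["device"], code))       # sent out of band, never shown on the site
    return True

def finish_login(user, submitted, now=None):
    """Factor 2, something you have: the code relayed back from the device."""
    now = time.time() if now is None else now
    entry = PENDING.get(user)
    if entry is None:
        return False                            # no password step, or code already used
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        del PENDING[user]                       # expired or guessed too often
        return False
    entry["attempts"] += 1
    if hmac.compare_digest(submitted.encode(), entry["code"].encode()):
        del PENDING[user]                       # single use: a replay finds nothing
        return True
    return False
```

A stolen password alone gets past `start_login` but not `finish_login`, and the expiry, single-use and guess-limit checks keep the six-digit code from being replayed or brute-forced.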
The federal government’s Cybersecurity and Infrastructure Security Agency describes multifactor authentication with the phrases something you know, something you have and/or something you are.
Something you know can be a PIN or some other kind of password.
Something you have can be a code received via smartphone or another device.
Something you are can be a fingerprint or a face scan.
Multifactor authentication can be traced back to a device distributed by RSA a few decades ago. The device on a key fob generated a number that changed periodically. To gain access to a computer account, an authorized person would need to punch in that number along with their other credentials.
“I still have key fobs myself,” said Zoldi.
Today, other tech companies offer similar services — some on a smartphone. The ability to authenticate via a smartphone has made things easier, said Sampo, the businessman with RiskRecon.
Since such technology is more common, the cost of using it has come down. “There’s no reason organizations should not be using it,” Sampo said.
Links in the Supply Chain
Cybersecurity is an ever-present concern in the supply chain. Think about suppliers tapping into sprawling corporate computer systems running enterprise software from vendors such as SAP or Oracle, Sampo said. In such cases, a company may give a vendor access to an inventory program.
If one vendor’s system is not secure against hackers, it can turn into an attack vector for the client corporation’s system.
In such a case “we should absolutely look at security in layers,” said Sampo. Conversations with vendors regarding security are a must.
Sampo’s employer helps companies get an idea of how secure their systems are. RiskRecon evaluates a computing environment and generates a security score, which is similar to a credit score.
A San Diego Specialty
Cybersecurity is central to the business model of several enterprises and organizations in San Diego County. Indeed, the region has a robust cybersecurity cluster. At the center of the cluster is NAVWAR, the command in charge of the U.S. Navy’s information technology, which employs thousands of people. Many of them have advanced degrees.
“San Diego’s cyber cluster now accounts for 24,000+ jobs with more than 870 companies and NAVWAR. It contributes $3.5 billion annually to the regional economy. That’s equal to hosting nine Super Bowls or 23 Comic-Cons,” said Easterly of CCOE. The locally based nonprofit mobilizes businesses, academia and government to grow the regional cyber economy and create a more secure digital community for all.
That, Easterly said, is good news: “This collaborative ecosystem is developing new technologies, defenses and cyber warriors to combat the ever-evolving threat landscape.”
National Cybersecurity Awareness Month is a project of the National Cybersecurity Alliance, a nonprofit overseen by major businesses, as well as the federal government’s Cybersecurity and Infrastructure Security Agency.