An Expel guide to Cybersecurity Awareness Month 2022


Fall is in the air, which can only mean one thing: Cybersecurity Awareness Month is here.

Every year, the National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA) use October to share information and important resources to help people stay safer and more secure online.

It’s a favorite for us at Expel because it’s about education and awareness at a time that isn’t a reaction to the cyber-threat or attack du jour. Instead, we can take a step back to share information and resources within the defender community and anyone with an online presence—which, let’s face it, is just about everyone.

Expel is also a proud Champion of Cybersecurity Awareness Month 2022—a collaborative effort among businesses, government agencies, colleges and universities, associations, nonprofit organizations, and individuals committed to improving online safety and security for all.

This year, the CISA and NCA are promoting four key security behaviors to help equip everyone, from consumers to corporations, to better protect their data. To support this initiative, we’ve curated some Expel resources to help your organization improve its cybersecurity posture—this month, and beyond.

1. ICYMI: always enable multi-factor authentication (MFA), but also have a back-up plan.

At this point, enabling MFA (when available) should be a no-brainer. But we also know that MFA isn’t always a silver bullet for protecting your environment. Our security operations center (SOC) has seen examples of this in the wild. We’ve responded to phishing attacks that used a man-in-the-middle tactic to send users to a fake Okta login page. (Check out how it went down here.) We’ve also seen attackers use Basic Authentication to bypass MFA and target access to human capital management systems.

Based on these novel incidents, here are a few lessons learned you can apply to your own organization:

  • Deploy phish-resistant MFA wherever possible. If FIDO-only factors for MFA are unrealistic, disable email, SMS, voice, and time-based one-time passwords (TOTPs), and opt for push notifications instead. Then configure MFA or identity provider policies to restrict access to managed devices as an added layer of security. (More on this in our Quarterly Threat Report for Q2 2022.)
  • Enforce MFA prompts when users connect to any sensitive apps via app-level MFA. Don’t let your sensitive apps (think: Okta, Workday, etc.) be a one-stop shop for attackers.
  • To take it a step further, tell your users to always review the source of the MFA request (if via push notification) to verify the login isn’t from an unusual location—and if it is, encourage your people to report strange requests.
  • Finally, be wary of brute force MFA requests, in which an attacker continuously sends push notifications to the victim until they accept one. Let your users know this is something to watch out for.
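The last two bullets describe something a SOC can also detect rather than leave to user vigilance: a burst of push challenges that are denied or time out, followed by an accept. Below is an added example (not Expel's code or the code of any identity provider) that runs that detection over a handful of constructed authentication events. The JSON field names (`ts`, `user`, `event`, `factor`, `result`, `client_ip`) are assumptions for illustration; real identity-provider logs use their own schema, so the parser is the part you would adapt.

```python
"""Detect MFA push brute force ("push fatigue") from authentication logs.

Added example, not Expel's code. The event format below is a constructed,
simplified schema; map your identity provider's fields onto it.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. alice receives a burst of push challenges she
# denies or lets time out, then accepts one; bob and carol look normal.
SAMPLE_LOG = """
{"ts": "2022-10-03T08:01:05Z", "user": "alice@example.com", "event": "mfa.challenge", "factor": "push", "result": "DENIED", "client_ip": "203.0.113.7"}
{"ts": "2022-10-03T08:01:40Z", "user": "alice@example.com", "event": "mfa.challenge", "factor": "push", "result": "TIMEOUT", "client_ip": "203.0.113.7"}
{"ts": "2022-10-03T08:02:30Z", "user": "alice@example.com", "event": "mfa.challenge", "factor": "push", "result": "DENIED", "client_ip": "203.0.113.7"}
{"ts": "2022-10-03T08:04:10Z", "user": "alice@example.com", "event": "mfa.challenge", "factor": "push", "result": "DENIED", "client_ip": "203.0.113.7"}
{"ts": "2022-10-03T08:06:00Z", "user": "alice@example.com", "event": "mfa.challenge", "factor": "push", "result": "ACCEPTED", "client_ip": "203.0.113.7"}
{"ts": "2022-10-03T09:00:00Z", "user": "bob@example.com", "event": "user.login", "factor": null, "result": "SUCCESS", "client_ip": "198.51.100.20"}
{"ts": "2022-10-03T09:00:05Z", "user": "bob@example.com", "event": "mfa.challenge", "factor": "push", "result": "ACCEPTED", "client_ip": "198.51.100.20"}
{"ts": "2022-10-03T10:00:00Z", "user": "carol@example.com", "event": "mfa.challenge", "factor": "push", "result": "DENIED", "client_ip": "198.51.100.31"}
{"ts": "2022-10-03T10:40:00Z", "user": "carol@example.com", "event": "mfa.challenge", "factor": "push", "result": "DENIED", "client_ip": "198.51.100.31"}
"""

FAILURE_RESULTS = {"DENIED", "TIMEOUT"}


def parse_events(raw):
    """Parse newline-delimited JSON events and convert timestamps to datetimes."""
    events = []
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Return {user: alert} for users with >= threshold denied/timed-out push
    challenges inside `window`. Severity is raised to "high" when the same
    user accepted a push within that window, i.e. the tactic likely worked."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa.challenge" and e["factor"] == "push":
            by_user[e["user"]].append(e)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] in FAILURE_RESULTS]
        # Slide a window anchored at each failure; the first qualifying burst wins.
        for start in range(len(failures)):
            anchor = failures[start]["ts"]
            burst = [f for f in failures[start:] if f["ts"] - anchor <= window]
            if len(burst) < threshold:
                continue
            accepted = [e for e in evs
                        if e["result"] == "ACCEPTED" and anchor <= e["ts"] <= anchor + window]
            alerts[user] = {
                "first_seen": anchor,
                "failed_pushes": len(burst),
                "source_ips": sorted({f["client_ip"] for f in burst}),
                "severity": "high" if accepted else "medium",
            }
            break
    return alerts


if __name__ == "__main__":
    for user, alert in detect_push_fatigue(parse_events(SAMPLE_LOG)).items():
        print(user, alert)
```

The `source_ips` field is what lets an analyst apply the "review the source of the request" advice on the user's behalf: a burst of pushes from an address the user has never logged in from, followed by an accept, is worth a call to that user regardless of the threshold chosen.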

2. Don’t rely on your memory or Sticky Notes to keep track of all your passwords.

This year, a global survey conducted by the open-source password manager Bitwarden revealed that 55% of people rely on their memory to manage passwords. Of those surveyed, only 32% of Americans were required to use a password manager at work. We know that memory can be fickle at best. Password managers are a great way to stay organized for anyone creating multiple (if not dozens of) usernames and passwords to do their job, but they can be difficult for your IT team to enforce. Instead, many businesses opt for a single sign-on (SSO) solution to allow employees to sign into an approved account one time for access to all connected apps.

However, easy access for users also makes SSO services a popular target for attackers—it’s part of the reason business application compromise (BAC) attacks are evolving. Regardless, it’s never a bad idea to encourage employees to create strong, unique passwords for different sites/apps, and of course—we can’t say this one enough—enable MFA whenever possible.

Want to be able to forget your passwords? Installing a password manager will help generate strong passwords, keep your accounts safer, and save you from memorizing countless strings of characters. Plus, it makes it easier to deal with constantly changing passwords for sites whose accounts have been compromised.

BTW, we’ve compiled more tips for maintaining security and privacy at home for remote workers (because, let’s face it, that’s most of us these days), as well as effective ways to encourage more secure behaviors.

3. Stop ignoring that “software updates available” notification.

For security professionals, this might sound like an obvious one, but patching and updating software regularly can help prevent attacks. Vendors are constantly plugging security holes and patching bugs, some of which might represent entry points for attackers. A lot of operating systems and app stores will do this for you automatically, but keep an eye on those notifications prompting an update—pushing it off might be convenient now, but cost you down the line. Updates to web browsers are particularly important, so try to install those right away.

So how do you ensure your team keeps up with these updates? Try a combination of gamification and education. Entering employees into raffles for gift cards or other perks for applying OS updates is a generally inexpensive way to reduce risk for your organization and keep folks happy. (FYI: Forbes has more tips like this from industry leaders grappling with similar challenges, including this same sage advice from our own co-founder and CEO, Dave Merkel.)

4. Help your organization avoid taking the bait on a costly phishing scam.

Recognizing and reporting phishing schemes is one of the first lines of defense when it comes to protecting your organization. We’ve seen this in our SOC on countless occasions, from attackers targeting Amazon Web Services (AWS) login credentials, to malware-poisoned resumés aimed at job recruiters—and everything in between. We’ve also seen how these campaigns can reveal larger, more malicious business email compromise (BEC) attacks if they aren’t stopped in their tracks (get the full rundown on that incident here).

Fortunately (or not), Expel’s Phishing team reviews hundreds of emails a day and thousands of emails weekly, so we’ve picked up a few things about how to protect your organization, including:

  • Prevention starts with proper training. Make sure employees learn to recognize potential red flags associated with phishing emails when they land in their inbox. Even if this means an investment on your part, it’ll pay dividends in the long run.
  • Spend time on education for specific business units on the phishing campaigns that might target them. Finance teams might encounter financial-themed campaigns with subject lines, such as “URGENT:INVOICES,” while recruiters may see resumé-themed lures.
  • Once they know what to look for, make it easy for people to report suspicious activity. An effective way to do this is through a system for employees to submit suspicious emails or texts for validation. This allows IT to provide guidance to the individual, and gives security team members enough insight to identify trends and sniff out a larger-scale attack early on. (More on preventing scams like this here.)
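The trend-spotting in the last bullet is mostly aggregation: once reports come in through a single channel, grouping them by sender domain and a normalized subject line shows when several people in one business unit have received the same lure. The following added example (not Expel's code, and not any particular reporting product's logic) does that over a constructed set of reports; the record fields and the three-reporter threshold are assumptions chosen for illustration.

```python
"""Cluster user-reported phishing emails into likely campaigns.

Added example, not Expel's code. The report records are constructed samples
with assumed fields (reporter, dept, sender, subject).
"""
import re
from collections import Counter, defaultdict

# Constructed reports: a finance-themed lure reported by three people (one of
# them twice), a recruiter-themed lure reported by two, and one unrelated report.
REPORTED = [
    {"reporter": "p.jones@example.com", "dept": "finance",
     "sender": "billing@invoice-portal.example", "subject": "URGENT:INVOICES #4471"},
    {"reporter": "m.lee@example.com", "dept": "finance",
     "sender": "billing@invoice-portal.example", "subject": "Re: URGENT: INVOICES #4472"},
    {"reporter": "p.jones@example.com", "dept": "finance",
     "sender": "accounts@invoice-portal.example", "subject": "URGENT:INVOICES #4480"},
    {"reporter": "s.ortiz@example.com", "dept": "ops",
     "sender": "billing@invoice-portal.example", "subject": "FW: URGENT:INVOICES #4490"},
    {"reporter": "r.chen@example.com", "dept": "recruiting",
     "sender": "candidate1@mail.example.net", "subject": "Resume - Senior Engineer"},
    {"reporter": "k.patel@example.com", "dept": "recruiting",
     "sender": "candidate2@mail.example.net", "subject": "RE: Resume - Senior Engineer"},
    {"reporter": "d.kim@example.com", "dept": "it",
     "sender": "noreply@legit-vendor.example", "subject": "Your weekly digest"},
]


def normalize_subject(subject):
    """Lower-case, strip reply/forward prefixes, numbers and punctuation, so
    variants of one lure ("URGENT:INVOICES #4471", "Re: URGENT: INVOICES #4472")
    collapse to the same key."""
    s = subject.lower()
    s = re.sub(r"^((re|fw|fwd):\s*)+", "", s)
    s = re.sub(r"[#\d]+", "", s)
    s = re.sub(r"[^\w\s]", " ", s)
    return " ".join(s.split())


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def find_campaigns(reports, min_reporters=3):
    """Group reports by (sender domain, normalized subject) and return the
    groups reported by at least `min_reporters` distinct people, most-reported
    first, with a per-department breakdown for targeted follow-up training."""
    groups = defaultdict(list)
    for r in reports:
        groups[(sender_domain(r["sender"]), normalize_subject(r["subject"]))].append(r)

    campaigns = []
    for (domain, subject), rs in groups.items():
        reporters = {r["reporter"] for r in rs}
        if len(reporters) < min_reporters:
            continue
        campaigns.append({
            "sender_domain": domain,
            "subject": subject,
            "reports": len(rs),
            "reporters": len(reporters),
            "departments": dict(Counter(r["dept"] for r in rs)),
        })
    campaigns.sort(key=lambda c: (-c["reporters"], c["sender_domain"]))
    return campaigns


if __name__ == "__main__":
    for c in find_campaigns(REPORTED):
        print(c)
```

Counting distinct reporters rather than raw reports keeps one diligent employee who forwards every copy from inflating a cluster, and the department breakdown ties directly back to the previous bullet: if the invoice lure only lands in finance, that is the unit whose training gets the invoice-themed material.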

We know. There’s a lot to unpack here, and there’s probably more we didn’t include for the sake of space and your sanity. But hopefully these resources provide a glimpse into some of the ways you can help your organization toward an overall better security posture—even after October.

We’re just getting started for Cybersecurity Awareness Month. Check out our #BeCyberSmart resources for curated content to follow along.