Cybersecurity best practices for National Cybersecurity Awareness Month
Cybersecurity is a topic that many people are still learning about, and it is important to stay up to date on online safety best practices. As digital citizens, it is our duty to act responsibly because no matter how secure a platform is, a simple mistake can lead to dangerous situations for ourselves or others. That is why October is Cybersecurity Awareness Month, the perfect time to share tips and tricks on how to stay secure — both as users and administrators — in an online world. Remember that all the following information is provided in good faith; however, your internal Security/IT department may have set up different rules — follow their guidelines!
General rules that apply to any website or system
- Do not click on suspicious links in emails, forums, blogs, or other websites. Remember that even if a link looks safe, hovering over it shows where it really leads, which might be a completely different website, like this: example.com.
- Never share your personal information in a reply to an email from an address you do not know or trust. Almost a fifth of organizations that were breached by cyber attackers last year fell victim to phishing.
- Do not download files from an unknown source, or open an attachment from an unknown sender. Something that looks like an invoice or receipt might infect your PC if you open it.
- Log in to your corporate systems only on your work computer, and use it only for work-related activities.
- Only plug trusted hardware into your computer. A USB stick or mouse that you accepted as a gift from an untrusted source might contain malware.
- Keep your software updated! Old versions may contain known bugs/exploits that are patched in the next release. This is especially important for apps that connect to the internet (browser, Anaplan Connect, smartphone apps).
- Use two-factor authentication (password + app on smartphone, physical key, token) wherever possible. This adds an extra layer of protection in case the attacker knows your password — without a second factor, they will not be able to log into your account.
One of the most important things you can do to keep your personal information safe is to properly manage your passwords. There are a few universal rules that you can apply to your password policy:
- Use strong passwords. “Strong” is a relative term in this context, as in some applications ten characters might be enough, but in other cases, a short password can be broken in a few minutes.
- The more complicated, the better! Increasing the length, complexity, and set of characters used in a password improves security and makes threats like a dictionary attack ineffective.
- It is usually much better to have a long password with only letters (that might be easier to memorize) versus a short one with special characters.
- Never share passwords to your accounts.
- Even the support or customer service team of the platform where the account was created should never ask you for your password.
- If someone else needs access, they should get their own account. Otherwise, they can execute actions in your name which means you will be accountable for any outcome.
- Do not reuse passwords. Each account you have across various websites should have a different password. This means that even if one site leaks passwords or gets hacked, your other accounts will still be secure.
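To put numbers on the length-versus-complexity rule above, here is an added example (not part of the original post and not Anaplan code) that estimates an upper-bound entropy for a password from its length and the character classes it uses, and converts that into an expected brute-force time at an assumed guess rate of 1e10 per second. The sample passwords and the guess rate are constructed for the illustration.

```python
import math

# Character classes an attacker must add to the search alphabet once a password
# is known to contain one of them. Sizes are for printable ASCII:
# 26 + 26 + 10 + 33 (33 = punctuation plus space) = 95 characters in total.
CHARACTER_CLASSES = (
    ("lowercase", 26, str.islower),
    ("uppercase", 26, str.isupper),
    ("digits", 10, str.isdigit),
    ("symbols", 33, lambda c: not c.isalnum()),
)


def alphabet_size(password: str) -> int:
    """Size of the smallest class-based alphabet that covers every character."""
    size = 0
    for _name, count, predicate in CHARACTER_CLASSES:
        if any(predicate(c) for c in password):
            size += count
    return size


def entropy_bits(password: str) -> float:
    """Upper-bound entropy in bits, assuming each character was picked uniformly
    at random from the detected alphabet. Dictionary words, names and keyboard
    patterns have far less real entropy than this figure, so treat it as the
    best case for the defender, not a guarantee."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected brute-force time: on average the attacker searches half the
    keyspace. 1e10 guesses/s is a constructed rate standing in for a GPU rig
    attacking a fast, unsalted hash; a slow password hash lowers it by orders
    of magnitude."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(short_complex: str, long_simple: str) -> dict:
    """Report both candidates side by side. 'long_wins' is True when the long,
    letters-only password has more entropy than the short, complex one."""
    a, b = entropy_bits(short_complex), entropy_bits(long_simple)
    year = 365 * 86400
    return {
        "short_complex_bits": round(a, 1),
        "long_simple_bits": round(b, 1),
        "short_complex_years": expected_crack_seconds(a) / year,
        "long_simple_years": expected_crack_seconds(b) / year,
        "long_wins": b > a,
    }


if __name__ == "__main__":
    # Constructed samples: a 9-character password using all four classes versus
    # a 25-letter passphrase made of four common words joined together.
    result = compare("Tr0ub4d&3", "correcthorsebatterystaple")
    for key, value in result.items():
        print(f"{key:>20}: {value}")
```

The passphrase wins on the entropy estimate by a wide margin, which is the point of the rule. The caveat in the comments matters in practice: the estimate assumes random characters, so a passphrase should be built from randomly chosen words, not a quotation or a phrase the attacker's dictionary already contains.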
Use a password manager
If you follow the rules and set up long, complicated passwords, different for each account, it can be challenging to manage them all. Currently, the best solution is to use a password manager. This service allows you to store the credentials for your different accounts securely, and to use it you only need to remember one master password. There are many different providers on the market; most of them have free plans for personal use. The advantages of a password manager are:
- Each account has its own password, which should be as complicated as the app allows. You can have passwords that are tens of characters long, with many different characters, which makes them unbreakable.
- You can have your password vault synchronized across multiple devices, and easily exported and imported.
- Most of them allow for autocompletion — logging in will be much faster, and you will never make a typo!
- Many services include a browser extension or mobile app, and can automatically detect the site or app you are trying to access. This means that even if you are tricked into going to a “fake site” (so-called website spoofing), the password manager will not recognize it as a valid site for this account and will not fill the login form, signaling that the site is suspicious and protecting your credentials from leaking.
- Many password managers offer extra security features, like auto-generated passwords, and checking if your password has been found in a list of publicly available leaks.
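The leak check mentioned in the last bullet is usually done without sending the password anywhere. Below is an added example, written for this article and not code from the original post or from any password manager, of the k-anonymity range scheme used by the Have I Been Pwned "Pwned Passwords" API: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the remaining 35 locally against the returned suffixes. The breach corpus and the in-process `RangeServer` are constructed stand-ins for the real service.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus standing in for a real leaked-password list.
# Values are how many times each password appeared across the "leaks".
LEAKED_PASSWORDS = {"password": 3, "123456": 5, "qwerty": 2, "letmein": 1}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password. SHA-1 is acceptable here because it
    is only a lookup key into a public corpus, not a protection for the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Stand-in for the breach-lookup service. It indexes every leaked hash by
    its first five hex characters and answers a prefix query with all matching
    suffix:count lines, so it never learns which full hash the client holds."""

    PREFIX_LEN = 5

    def __init__(self, leaked: dict):
        self.index = defaultdict(list)
        self.queries_received = []  # what the server actually saw, for auditing
        for password, count in leaked.items():
            digest = sha1_hex(password)
            prefix, suffix = digest[: self.PREFIX_LEN], digest[self.PREFIX_LEN :]
            self.index[prefix].append((suffix, count))

    def range(self, prefix: str) -> str:
        if len(prefix) != self.PREFIX_LEN:
            raise ValueError("query must be exactly 5 hex characters")
        self.queries_received.append(prefix)
        return "\n".join(f"{suffix}:{count}" for suffix, count in self.index.get(prefix, []))


def times_seen_in_leaks(password: str, server: RangeServer) -> int:
    """Client side of the check. Only the 5-character prefix leaves the device;
    the rest of the digest is compared locally against the response.
    Returns the leak count, or 0 when the password is not in the corpus."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in server.range(prefix).splitlines():
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    server = RangeServer(LEAKED_PASSWORDS)
    for candidate in ("password", "correct-horse-battery-staple-7Q"):
        n = times_seen_in_leaks(candidate, server)
        verdict = f"seen {n} times, change it" if n else "not in the corpus"
        print(f"{candidate!r}: {verdict}")
    print("prefixes the server saw:", server.queries_received)
```

Because a five-character hex prefix covers a large share of all possible SHA-1 values, the service cannot tell which of the hashes behind that prefix the client is interested in, which is what lets a password manager run this check without handing over the password or its full hash.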
Anaplan administrators, keep your users and data safe!
Administrators can help their users stay safe and should react to threats promptly. There are some tools in the Anaplan landscape that help in this area:
- Use ALM (Application Lifecycle Management) and workspaces for separate environments (Development, Test, Production).
- Use security mechanisms (roles, selective access, and dynamic cell access) on the model level to give users only the access they need.
- Use the SCIM API and imports to the Users tab to automate user management. When employees leave, deactivate their accounts at once. Reducing the human factor in access management also increases the reliability of the entire process and reduces manual work.
- Optionally, you can use Bring Your Own Key (BYOK) to encrypt data stored in Anaplan so that you own the encryption keys.
- Use the Audit API to monitor suspicious behavior (e.g. SSO switching, logins from new IP addresses, BYOK events).
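As an illustration of the last bullet, here is an added example (not from the original post and not based on the Anaplan Audit API schema; the event field names `ts`, `user`, `type` and `ip` and the event type values are assumptions) that replays a constructed list of audit events, learns each user's known IP addresses from a baseline period, and raises alerts for logins from new IPs and for SSO or BYOK configuration events.

```python
from datetime import datetime

# Constructed audit events. Field names and type values are assumptions made
# for this example, not the Anaplan Audit API schema; map real fields onto them.
EVENTS = [
    {"ts": "2023-10-02T08:01:00", "user": "alice@example.com", "type": "login", "ip": "203.0.113.10"},
    {"ts": "2023-10-02T08:05:00", "user": "bob@example.com", "type": "login", "ip": "203.0.113.11"},
    {"ts": "2023-10-03T09:00:00", "user": "alice@example.com", "type": "login", "ip": "203.0.113.10"},
    {"ts": "2023-10-09T22:40:00", "user": "alice@example.com", "type": "login", "ip": "198.51.100.7"},
    {"ts": "2023-10-09T22:45:00", "user": "alice@example.com", "type": "sso_config_changed", "ip": "198.51.100.7"},
    {"ts": "2023-10-10T10:00:00", "user": "bob@example.com", "type": "login", "ip": "203.0.113.11"},
    {"ts": "2023-10-10T11:30:00", "user": "carol@example.com", "type": "byok_key_event", "ip": "203.0.113.12"},
    {"ts": "2023-10-11T07:15:00", "user": "dave@example.com", "type": "login", "ip": "203.0.113.20"},
]

# Configuration changes that should always be reviewed, whoever made them.
HIGH_RISK_TYPES = {"sso_config_changed", "byok_key_event"}


def detect_suspicious(events, monitor_from: str) -> list:
    """Replay events in time order. Logins before monitor_from build a per-user
    baseline of known IPs; from monitor_from onward, a login from an IP outside
    the user's baseline and every high-risk configuration event yield an alert.
    A user with no baseline at all (first-ever login inside the window) is
    flagged too, since there is nothing to compare against."""
    cutoff = datetime.fromisoformat(monitor_from)
    known_ips = {}
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        in_window = datetime.fromisoformat(event["ts"]) >= cutoff
        seen = known_ips.setdefault(event["user"], set())
        if event["type"] in HIGH_RISK_TYPES:
            if in_window:
                alerts.append({"ts": event["ts"], "user": event["user"],
                               "reason": event["type"], "ip": event["ip"]})
        elif event["type"] == "login":
            if in_window and event["ip"] not in seen:
                alerts.append({"ts": event["ts"], "user": event["user"],
                               "reason": "login_from_new_ip", "ip": event["ip"]})
            # Once seen, the IP joins the baseline so the same source is not
            # reported on every subsequent login; a reviewer decides if it is legitimate.
            seen.add(event["ip"])
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious(EVENTS, "2023-10-05T00:00:00"):
        print(f"{alert['ts']}  {alert['user']:<20} {alert['reason']:<20} {alert['ip']}")
```

Run against the constructed events with a baseline ending on 5 October, this reports alice's login from a new address followed minutes later by an SSO configuration change (a pairing worth a prompt look), carol's BYOK event, and dave's first-ever login; bob's login from his usual address is silent. In a real deployment the baseline would be rebuilt from a rolling window rather than a fixed date.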
Anaplan takes security seriously and makes sure that the platform is secure and customer data is properly protected. You can read more at trust.anaplan.com.
It is important to know what you can do to protect yourself, your company, and your employees. I hope this article helped strengthen your cybersecurity habits, raised awareness about online threats, and clarified topics that might have been unclear for you until now.
What other cybersecurity best practices would you add to this list? Leave a comment!