By John Hewie, National Security Officer, Microsoft Canada
For this blog post, Get Cyber Safe has partnered with Microsoft, who, like us, understands how important cyber security is to businesses as well as individuals. This blog presents their perspective, and we thank them for being a dedicated partner in the cyber security of Canadians.
October is Cyber Security Awareness Month (CSAM), a time for everyone to reassess the safety of their online accounts, devices and connections (like Wi-Fi) whether you’re working from the office or at home, learning in-class or remotely, or running a small- or medium-sized business. This is because ensuring our identities, devices and networks are protected against security threats by using the right technology and adopting “cyber safe” behaviour is critical to keeping sensitive information private and secure.
At Microsoft Canada, we support the Government of Canada’s Get Cyber Safe public awareness campaign. Get Cyber Safe is an initiative to inform Canadian citizens and businesses about the simple steps they can take to stay safe online. The Canadian Centre for Cyber Security’s National Cyber Threat Assessment 2020 indicates that “cybercrime continues to be the cyber threat that is most likely to affect Canadians and Canadian organizations.” Protecting ourselves, our homes and our organizations is imperative. Thankfully there are actions we can all take to keep us safe today.
Securing a hybrid work force
The growing complexity of the threat landscape, paired with the rise in popularity of hybrid work models – where there’s a mix of employees working in the office and remotely – is driving the need for both people and organizations to review and enhance their cyber security practices.
As highlighted in Microsoft’s 2021 annual Digital Defense Report, there’s a substantial difference between digital infrastructure that supports employees taking laptops home to simply check email, and a complete hybrid cloud architecture designed for a significantly remote workforce. Security best practices such as multi-factor authentication (MFA) for users, keeping devices resilient against malware and keeping them up to date with the latest software updates are a must, but should be considered within a more holistic “Zero Trust” strategy.
Over the years, Microsoft has embraced this modern approach to security called Zero Trust, which is based on three principles: 1) verify explicitly, 2) use least privilege access and 3) assume breach. This approach protects our company, as well as the people and organizations that use our products, by managing and controlling access based on the continual verification of identities, devices, and their requests to application services. Our new work environments, which operate outside the traditional network perimeters, are introducing expanded attack surfaces, complexity and risk. A Zero Trust strategy should be top of mind for many organizations, because these principles can help maintain security amid the IT complexity that comes with hybrid work.
Securing the digital home
Our home Wi-Fi network is a critical part of supporting the digital family life for many Canadians, whether it’s kids attending online school or doing homework, working remotely, online banking, scheduling appointments, online shopping, and the list goes on. Ensuring those online experiences are as safe and secure as possible requires some learning and action. The recommendations below highlight and expand on the Get Cyber Safe steps to protect yourself online.
Get to know your home router
When you subscribe to home internet service, your service provider will typically provide you with a device that is both a broadband modem and router. The modem part of the device is fully managed by your service provider, so you have nothing to do there. The router portion of the device is where you will be able to control the security settings of your home network.
- Read the manual that came with your router and learn how to log in to the web configuration portal. This will be the administrator account for the router. If the manufacturer has configured a simple default password, make sure to change it to a strong and unique password (see passwords section below for tips).
- Review your Wi-Fi security settings and use the latest WPA protocol that both your router and devices support. This will be WPA3 or WPA2, or some hybrid mode. Set up a strong and unique password for accessing the Wi-Fi.
- Consider using a free Domain Name System (DNS) service, such as CIRA Canadian Shield, that offers malware and phishing protection and optionally blocks adult content for all devices on your home network. By default, your router will be configured to use your service provider’s DNS, which typically does not have built-in security protections. Make sure you understand the privacy policies when choosing a DNS provider to ensure they align with how you want your internet usage data to be used.
- If your router has advanced capabilities, you might want to consider creating a separate Wi-Fi network, a guest network, for the smart (IoT) devices in your home. Often, smart devices such as internet-connected lightbulbs, garage door openers and thermostats aren’t designed with security in mind and don’t receive regular automatic software updates. They can become easy targets for cyber criminals as an entry point into your home network.
Secure your identities and passwords
The reality today is that everyone has numerous user accounts and passwords for work and personal life that they need to manage. Trying to implement the best practices by creating complex and unique passwords for each account can seem like a daunting challenge. According to Microsoft, there are an average of 579 password attacks across the globe every second – that’s more than 18 billion a year. Many people use weak passwords or the same passwords for multiple accounts, which makes it easy for a cyber criminal to compromise an account. Many users also create passwords that have a connection to their personal lives, so a quick scan of someone’s social media accounts can easily give cyber criminals the information they need to log into a person’s account. Every user in the family needs to have strong, unique passwords across their multiple accounts to better protect against online threats.
Here are some simple steps to protect your important identities and improve the security of your passwords.
- Enable Multi-Factor Authentication (MFA) or Two-Step Verification on all of your important accounts. This single action would prevent the vast majority of account compromises Microsoft sees in its online services, even with continued use of weak passwords. Secondary security options should be considered the basic standard and best practice – and almost every service today offers this option. Remember, most “cyber criminals don’t break in – they log in”.
- Everyone manages so many different user accounts today and creating and remembering your passwords can seem like a full-time job. Using a trusted password manager can help keep your passwords organized and secured. We also recommend using a password health dashboard.
Back up your important data
Cloud storage, such as Microsoft OneDrive, is a great solution to back up your important files. If you lose your device, you’re less likely to lose your important files and photos. OneDrive has a recycle bin to recover from accidental deletions, and Windows Defender and OneDrive work together to help detect and recover from ransomware. There is also a Personal Vault feature to provide added protection for your most sensitive personal information. An offline backup copy of your most important data is also always a good practice as a last resort if you need to recover your files. External hard drives and external storage such as USB drives, CDs or DVDs are also suitable options for backing up your data. You should also back up your data in more than one place, such as in cloud storage and on an external hard drive.
Conclusion - Stay vigilant
CSAM serves as an important reminder to review the steps we are taking to ensure our own digital security. Every Canadian business and individual should consider themselves a potential target and do what they can to take the necessary steps to lower their risk.