
Cybersecurity month reminds us that effective security is not just about technology — it’s about people and habits. Every individual is a vital part of defending against malicious actors. Below is a good framework to reinforce the effective habits that keep us all secure.
1. Be your own gatekeeper
A large share of cyberattacks begin with a deceptive message (phishing), delivered by email, text message, or chat. Your inboxes are the primary entry point, and the best defense is your diligence. Pause and look for these warning signs before you click.
- Unexpected requests: Pause on any unusual request for credentials, financial information, or gift cards, even if it appears to come from a known colleague.
- The lure of urgency: Be suspicious of any message that creates pressure with threats or urgent demands, like “Your account will be suspended” or “Immediate action required.”
- Suspicious links & senders: Hover your mouse over any link to see its true destination before clicking (on a phone, press and hold the link to preview it instead). The visible text of a link can say anything; only the actual address matters, and a shortened URL hides it entirely. Look closely at the sender’s real email address, not just the display name: is the domain misspelled or slightly different from what you expect?
- Generic greetings & odd language: Be wary of emails with vague greetings like “Dear Valued Customer” or those containing unusual grammar and spelling mistakes. (Though it’s worth remembering that malicious actors are actively using AI to improve spelling, grammar, and general messaging in their attacks, so the classic phishing email with mangled English is probably a thing of the past.)
What you can do: When in doubt, trust your gut. Do not reply, click any links, download attachments, or enter credentials when prompted. Flag the message as spam/junk (which helps your email service learn what not to trust). And if the message came from someone you know, reach out to them in another way (e.g. text, phone, Slack) to let them know they may have been compromised.
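As an added illustration of the checks in this section (example code written for this page, not anything Macktez ships or recommends as a product), the script below applies them to a raw email: it judges the real sender address rather than the display name, folds common character swaps to catch look-alike domains, flags a Reply-To that goes elsewhere, looks for urgency phrases, and automates the hover check by comparing each link's visible text with its actual destination. The trusted domains, the confusable-character table, the phrase list, and both sample messages are constructed assumptions.

```python
"""Heuristics for the phishing warning signs above, standard library only.
The trusted domains, confusable table, phrase list and sample messages are
constructed for this example, not real data."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the domains this hypothetical organisation really uses, longest first.
TRUSTED_DOMAINS = ("login.example.com", "example.com")

# Constructed: character swaps attackers use to build look-alike names. Folding is
# lossy (a genuine "corn.example" also folds to "com.example"), so genuine domains
# are recognised before anything is folded.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

URGENCY_PHRASES = ("immediate action required", "account will be suspended",
                   "within 24 hours", "verify now")


def normalize_domain(domain):
    """Fold common look-alike substitutions so 'examp1e.com' reads 'example.com'."""
    folded = domain.lower().strip()
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    return folded


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if genuine or unrelated."""
    d = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if d == trusted or d.endswith("." + trusted):
            return None  # the real domain or a genuine subdomain of it
    folded = normalize_domain(d)
    for trusted in TRUSTED_DOMAINS:
        if trusted in folded:  # 'examp1e.com' or 'login.example.com.evil.net'
            return trusted
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return a list of human-readable warning signs found in one raw email."""
    msg = message_from_string(raw_message)
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    findings = []

    # Sender: judge the real address, not the display name, and watch the Reply-To.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain!r} imitates {imitated!r}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1] != sender_domain:
        findings.append(f"replies would go to {reply_to!r}, not the sender's domain")

    # Urgency: pressure phrases in the subject or body.
    text = (msg.get("Subject", "") + " " + body).lower()
    findings += [f"urgency cue: {p!r}" for p in URGENCY_PHRASES if p in text]

    # Links: the hover check, automated. Visible text naming one host while the
    # href points at another is the classic disguised link.
    parser = LinkExtractor()
    parser.feed(body)
    for href, shown_text in parser.links:
        target = (urlparse(href).hostname or "").lower()
        if not target:
            continue  # mailto:, tel:, relative links: nothing to compare
        shown = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", shown_text.lower())
        if shown and shown.group(1) != target and not target.endswith("." + shown.group(1)):
            findings.append(f"link text says {shown.group(1)!r} but points to {target!r}")
        imitated = lookalike_of(target)
        if imitated:
            findings.append(f"link target {target!r} imitates {imitated!r}")
    return findings


# Constructed sample: a typical credential-harvesting lure.
PHISH = """\
From: "IT Help Desk" <helpdesk@examp1e.com>
Reply-To: recover@mailbox-reset.net
Subject: Immediate action required: password expiring
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended unless you verify within 24 hours.</p>
<p>Sign in at <a href="https://login.example.com.secure-reset.net/auth">https://login.example.com</a></p>
"""

# Constructed sample: an ordinary internal message.
BENIGN = """\
From: "Alice" <alice@example.com>
Subject: Lunch on Thursday?
Content-Type: text/html; charset=utf-8

<p>The invite is on <a href="https://login.example.com/calendar">https://login.example.com</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, analyze(raw) or "no warning signs")
```

Heuristics like these are what mail filters run at scale, and they share the same limits: an attacker who registers an unrelated domain, writes calmly, and links to a freshly built site trips none of them. That is why the habit of pausing and verifying through another channel still matters even with good filtering in place.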
2. Secure your access
Your credentials are the keys to your digital life and your organization’s data. Protect them accordingly.
- Use strong, unique passwords: Best practice is to use a unique, long password for every single service, so that if one of your passwords leaks it won’t expose you further. Since it’s impossible for anyone to remember that many passwords, a password manager is an essential tool to create and store unique passwords.
- Enable multi-factor authentication (MFA): MFA adds a critical second layer of security by requiring a second proof of identity, such as a one-time code, a push approval, or a hardware security key, along with your password. It is one of the most effective defenses against account takeover. If MFA is an option, turn it on, always.
- Upgrade your MFA: Not all MFA is created equal. Codes sent by text message can be intercepted if an attacker takes over your phone number, and both one-time codes and push prompts can be phished in real time or worn down by a flood of prompts, so never approve a push you did not initiate. For critical services, move from text codes to an authenticator app or push verification at minimum, and to a hardware security key or passkey (FIDO2/WebAuthn) where the service supports it: those are bound to the genuine site, so a fake login page cannot reuse them.
What you can do: Create a good password regimen for yourself, and get your organization to roll out a password manager for everyone.
3. Protect your workspace
Your digital hygiene — how you care for your devices and data — has a direct impact on collective security, whether you are in the office or working remotely.
- Lock your screen: If you step away from your computer, lock it. This simple habit prevents unauthorized access.
- Windows: Windows Key + L
- Mac: Control + Command + Q
- Beware of public Wi-Fi: Treat public networks at cafes, airports, and hotels as untrusted. Avoid accessing sensitive information and use a company-provided VPN or your personal cellular hotspot whenever possible.
- Handle data mindfully: Be conscious of where you store confidential information and how you share it, whether it is client data, financial records, or internal strategy. Use only company-approved applications and storage solutions. Keep work materials in company-managed shared drives rather than on a local disk, a personal account, or a USB stick, so they stay backed up, access-controlled, and recoverable if a device is lost.
What you can do: Set your computer to lock automatically after a short period of inactivity. Your organization should be enforcing an automatic lock with policies deployed by professional device management.
4. Report concerns promptly
A strong security culture is one where everyone feels empowered to speak up. Your quick action can be the difference between a minor incident and a major breach.
- Mark it: When you get a suspicious email, mark it as spam/junk (or use your organization’s report-phishing button if one is available). Providers feed these reports back into their filters, which helps protect you, your colleagues, and even complete strangers from the same campaign.
- Report it: Let your IT support team know when you get something out of the ordinary or when you are getting more phishing emails than usual — a more coordinated response might be appropriate.
- Spread the word: Let your colleagues know via your internal chat when you see a phishing email, so they are paying attention to their own inboxes. Describe it or post a screenshot rather than forwarding the message itself, so nobody clicks the link by accident.
What you can do: Challenge your colleagues to share in your internal chat the most ridiculous phishing attempts they receive. Make it a game, give a prize to the winner at the end of the month — anything to help keep everyone paying attention.
Macktez can help your organization go beyond the basics
Ongoing Cybersecurity Awareness Training with simulated phishing campaigns helps to keep everyone at your organization sharp.
A Cybersecurity Assessment provides your organization with a baseline review of your security posture and delivers specific recommendations to reach an agreed-on security upgrade goal.