Cybersecurity Awareness Month 2025: 4 Steps to Build a Cyber Strong America

The NFL and college football are in full swing, pop-up Halloween stores are everywhere, and cooler temperatures can only mean one thing: it must be Cybersecurity Awareness Month!

The 2025 iteration of this annual event, co-hosted by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCSA), is a bit different. Instead of focusing solely on basic cyber hygiene topics, the theme is 'Building a Cyber Strong America', highlighting the need to strengthen the nation’s infrastructure against cyber threats, ensuring resilience and security.

CISA’s focus on critical infrastructure could not come at a better time.

As Trustwave, A LevelBlue Company, noted in its recent reports, Cybersecurity Challenges for Energy and Utilities in 2025, and new research on threats to the public sector, these areas are under attack with ransomware activity, phishing, and credential access attacks all on the rise.

This month, Trustwave will post a series of blogs starting with CISA’s basic security suggestions and then take a look at:

  • The security issues facing critical infrastructure, including operational technology
  • The role cyber insurance plays in creating resilience
  • The role an MSSP can play in keeping an organization secure.

Let’s Get Down to It: CISA’s Best Practices

Trustwave will cover Cybersecurity Awareness Month from several angles, starting with CISA's recommended cybersecurity practices to protect your organization and improve resilience.

As always, CISA begins with the basics, which focus on making it as hard as possible for threat groups to gain a foothold in an organization.

1. Teach Employees to Avoid Phishing Scams

The 2024 Federal Bureau of Investigation’s (FBI) Internet Crime Complaint Center report found that the vast majority of crimes reported were related to phishing. The attacks totaled 193,407, more than double the next most common type, extortion, and three times the number of personal data breaches at 64,882. Business Email Compromise (BEC) complaints totaled 21,442, which was about on par with the previous year.

These phishing scams resulted in excess of $70 million in losses. However, BEC losses were listed at $2.7 billion, down from $2.9 billion in 2023.

Phishing tricks employees into opening malicious attachments or sharing sensitive information. Train staff to recognize and report suspicious activity.

Trustwave recently introduced its Managed Phishing for Microsoft service. This service can help the client educate workers on the finer points of email security. It achieves this by creating an end-to-end setup and managing phishing-related policies and rules, thereby minimizing the burden on internal IT teams.

Additionally, the team conducts regular, real-world phishing simulations tailored to each organization’s environment, helping strengthen user vigilance and reduce risk.

2. Require Strong Passwords

Strong passwords are a simple but powerful way to block criminals from accessing your accounts through guessing or automated attacks. Make them mandatory for all users because weak passwords can result in disastrous outcomes. Unfortunately, far too many people rely on easily hacked or simply foolish passwords.

To create a strong password, it’s essential to follow three key tips. First, make your passwords long, at least 16 characters, as longer passwords are generally stronger. Second, ensure they are random.

This can be achieved by using a random string of mixed-case letters, numbers, and symbols, such as “cXmnZK65rf*&DaaD” or “Yuc8$RikA34%ZoPPao98t”. Alternatively, you can create a memorable passphrase consisting of four to seven unrelated words, like “HorsePurpleHatRun” for a good passphrase, “HorsePurpleHatRunBay” for a great one, and “Horse Purple Hat Run Bay Lifting” for an amazing one.

Security.org offers a helpful password-strength tool to test the strength of your password. Please remember, if you choose to check your password’s strength, make sure only to use a trustworthy tool. Otherwise, you may well be giving your password to a threat actor who might quickly put it to use or place it into a password dictionary.
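As an added example (not code from Trustwave or CISA), the sketch below generates both kinds of password described above with Python's `secrets` module and estimates their strength locally. The symbol set, the 16-word sample list and the function names are assumptions made for illustration; the entropy figure only holds when every character or word is picked at random rather than chosen by a person.

```python
import math
import secrets
import string

# Character pool for random passwords: mixed-case letters, digits, symbols.
# The eight symbols are an assumed set; adjust to what the target site accepts.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

# Constructed sample list, for illustration only. A real generator needs
# thousands of words: a 7,776-word diceware-style list gives ~12.9 bits/word.
SAMPLE_WORDS = ["horse", "purple", "hat", "run", "bay", "lifting", "cedar",
                "orbit", "maple", "tunnel", "quartz", "ladder", "breeze",
                "anchor", "pepper", "violin"]


def random_password(length=16):
    """Random string drawn from the OS CSPRNG via secrets, not random."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase(words, count=4):
    """Join `count` words, each picked independently and uniformly."""
    if not 4 <= count <= 7:
        raise ValueError("use four to seven words")
    return "".join(secrets.choice(words).capitalize() for _ in range(count))


def entropy_bits(pool_size, picks):
    """Entropy in bits when each of `picks` items is uniform over the pool."""
    return picks * math.log2(pool_size)


if __name__ == "__main__":
    print(random_password(), round(entropy_bits(len(ALPHABET), 16), 1), "bits")
    print(passphrase(SAMPLE_WORDS, 5),
          round(entropy_bits(len(SAMPLE_WORDS), 5), 1), "bits (tiny sample list)")
    for n in (4, 5, 7):
        print(n, "words from a 7,776-word list:",
              round(entropy_bits(7776, n), 1), "bits")
```

Because the estimate is computed on the local machine, nothing has to be submitted to an online strength checker.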

3. Implementing Multifactor Authentication (MFA)

Multi-factor authentication, sometimes called two-factor authentication or two-step verification, is a cybersecurity measure for an account that requires anyone logging in to prove their identity in multiple ways. Typically, you will enter your username, password, and then verify your identity some other way, like with a fingerprint or by responding to a text message with a PIN code.

Using MFA adds an extra layer of protection to an online account, making it significantly harder for an attacker to gain access. It is recommended, and generally very easy, to enable MFA, particularly for accounts related to email, social media, and finances. Utilize authentication apps or hardware tokens for additional security.

4. Updating Business Software

Outdated software can contain exploitable flaws. Promptly install security updates and patches to keep your systems protected.  

To keep your software up to date, follow these three simple steps:

  1. First, watch for notifications from your devices about updates for operating systems, programs, and apps. Then ensure that you install all updates, especially for web browsers and antivirus software.

  2. Second, install updates as soon as possible when notified, particularly critical ones, as malicious online criminals won’t wait.

  3. Finally, turn on automatic updates so your devices can install updates without any input from you as soon as they become available. To enable automatic updates, check your device’s settings under Software or Security, and search for “automatic updates” if needed.

This is where Trustwave Managed Vulnerability Scanning (MVS) can help. It's a powerful tool designed to give you complete visibility into your network's assets and the vulnerabilities they harbor. This blog post delves deeper into Trustwave MVS, exploring its functionalities, benefits, and how it empowers you to build a more robust defense against cyber threats.

CISA also recommended several “next-level” practices organizations should implement:

  • Use Logging on Your Systems: Log activity so your team can monitor signs that threat actors may be trying to access your systems. Learn how to monitor key information.
  • Back Up Data: Incidents happen, but when you back up critical information, recovery is faster and less stressful. Put a backup plan in place that aligns with your organization’s recovery point objective to protect your systems and keep things running smoothly.
  • Encrypt Data: Encrypting your data and devices strengthens your defense against attacks. Even if criminals gain access to your files, information stays locked and unreadable. Integrate encryption into your security strategy.

Don’t forget to stay tuned for our additional coverage in the coming weeks.
