October marks Canada’s Cybersecurity Awareness Month, a reminder that online safety isn’t a one-time exercise, but a set of habits safeguarding your future self. This year’s theme, ‘Get cyber safe – for future you’, highlights how to keep yourself safe from the variety of cyber threats both commonly faced and new to come in our digital world. Negligence is the leading cause of cybersecurity incidents, with 95% having been caused by human error. Looking at how threat actors take advantage of that error may provide a better understanding of why good practices shouldn’t be brushed off.

Week one emphasizes passwords and password managers. Short, simple passwords can be broken in seconds, while longer, complex passwords are more robust. Re-using even a strong one across multiple accounts still imposes serious risk, such as after a database breach. Though stored securely as hashes, stolen passwords will still be found and tested on other platforms, a tactic known as credential stuffing. Utilizing a password manager that generates strong, unique passwords for every account ensures losing passwords is never a worry. Even if one account is compromised, all others will still be safe.

Week two focuses on smart devices, data backups, and public networks. Public networks can host a variety of dangers, but their convenience and utility often leads to risks being overlooked. One of these risks is called an ‘evil twin’ attack, an untargeted attack that copies the identifiers of a public network and boosts the network’s strength to overpower the original. An original network is not always necessary, and the attack can be executed by taking advantage of users with autoconnect enabled for public Wi-Fi, especially those with common names. The connection allows attackers to monitor all web traffic and keystrokes, and to install malicious software onto the connected device. A Virtual Private Network or VPN will always be a strong defense against this manner of attack. Traffic data is encrypted, protecting personal information and data against interception.

The third week concerns evolving cyber threats, such as quantum computing. The main consideration is the potential impact of quantum computing on the digital landscape. The emerging scientific consensus is that practical quantum computers are coming and may render modern internet security standards obsolete. Internet encryption relies on complex algorithms infeasible for modern computers to solve, but quantum computers will make the task significantly easier. As a result, private messaging, online banking, cryptocurrency, and many more systems will need to transition to post-quantum encryption. Implementation will likely be costly, as infrastructure changes, new cybersecurity training, and developer adjustment will all be needed. Though individual capacity to prevent quantum attacks is limited, awareness and support for making necessary changes are vital to keep the future internet safe.

Week four is all about safe downloading practices, the use of anti-virus software, and spotting AI. Impersonation attacks have a reputation of being relatively harmless to most, a notion well reinforced by frequent, poorly written scam messages many people receive. It is important to note, however, that obvious attempts are intentionally designed to be obvious. These messages and emails are delivered in mass quantities, even if only a small fraction respond, they are the most susceptible to complying with the rest of the scheme. Indiscriminate phishing isn’t the sole method of modern impersonation attacks; one scheme gaining popularity involves researching a target, their friends, family, and their coworkers. By stalking social media, publicly accessible information, and even leaked personal data, AI can be fed a target’s speech pattern, voice, appearance, and life details. The AI impersonator perfectly replicates chosen individuals, enabling a variety of scams to be carried out. The chosen method will be tailored to the target and employed the moment the impersonated individual will be unable to respond. As an individual, adopting good habits is vital to personal safety, and as a manager, ensuring employees receive regular training on both general and role-specific cybersecurity standards will prove invaluable.

Week five concerns the importance of updates and sharing cybersecurity advice within the community. With Windows 10 reaching end-of-life on October 14th, it’s a great opportunity to stress the importance of updating devices. Upon discovering a vulnerability, unethical hackers sell code to abuse them on online black markets. Such an exploit is coined a ‘zero-day’, as when a zero-day is deployed in a cyberattack, developers and cybersecurity professionals have had zero days to patch it. Attacks with this method often combine multiple zero-days, and attaining them can incur a cost ranging from tens of thousands to several million dollars. Targeted zero-days do not pose risks for individuals or smaller organizations, but danger can arise when devices are not updated after a zero-day is used. Though the latest patches will remove the vulnerabilities, many threat actors rely on a wide range of targets delaying the newest update to use the newly public vulnerability.