COMMENTARY: In a world dominated by generative artificial intelligence (GenAI), automation, and advanced security platforms, many security pros might expect Cybersecurity Awareness Month (CAM) to spotlight modern security strategies such as threat intelligence feeds, AI‑powered malware detection, and zero‑trust architectures.However, there’s a much more practical reality. CAM’s Core 4 actions to stay safe online continue to emphasize the fundamentals, demonstrating the power of security basics to prevent attacks and proving that human behavior remains as critical as ever: use strong passwords, turn on multi-factor authentication (MFA), recognize and report scams, and run the software updates.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]These Core 4 actions may not sound revolutionary in the age of AI‑driven cyber defense and quantum safe cryptography, but they remain the most consistently effective measures for protecting both individuals and organizations against the vast majority of threats. Even the most sophisticated technology can’t protect against weak passwords, missed patches, or a user tricked by a convincing phishing email.With that in mind, here are tips for both organizations and individuals to put each Core Action into practice:
Go long and complex: Use at least 15 characters; passphrases of unrelated words (e.g., Giraffe-House-River-Garden-Orange) are both memorable and resistant to brute-force attacks and credential-stuffing attacks.
Keep it unique: Never reuse passwords across accounts; a breach in one service could compromise all accounts with the same password. Attackers increasingly weaponize stolen credentials across multiple services.
Make it unpredictable: Avoid using names, birthdays, or common dictionary words.
Automate security: Rely on a reputable password manager to generate and store strong, unique credentials at scale — whether it’s for enterprise applications or personal applications such as email and online banking.
Install app-based or hardware tokens: Deploy hardware tokens over SMS for stronger protection against SIM-swapping and phishing attacks. For maximum protection, adopt phishing-resistant MFA solutions such as hardware tokens (FIDO2) or passkeys.
Enforce MFA on high-value accounts first and expand broadly: For personal accounts, start with email, online banking, and social media, then apply MFA to shopping and health portals.
Use passkeys: It’s a passwordless way to sign in, using a secure digital key stored on a device and verified by something like a fingerprint or face scan.
Pause before acting: Check sender details, hover over links, and don’t download unexpected attachments.
Spot subtle red flags: Typos, unusual domains, or urgent language often signal a threat.
Report quickly: At work, alert IT or security teams immediately so they can block campaigns before they spread and prevent wider exposure or compromise. For personal accounts or systems, respond without delay by securing affected accounts (e.g. resetting passwords or enabling MFA) and notifying close friends and family to reduce the risk of them being targeted by the same attack.
Enable automatic updates where available.
Patch promptly after software vendors release updates prioritizing internet-facing components and those linked to actively exploited vulnerabilities.
Run firmware updates for routers, IoT devices, and critical hardware in both offices and homes—smart doorbells and Wi-Fi routers can be a target for malicious actors.
Core Action #1: Use strong passwords and a password manager
Passwords are often the first — and sometimes only — line of defense. To strengthen them:
Core Action #2: Turn on MFA
MFA adds critical resilience by requiring multiple factors — something you know, something you have, or something you are. Together, these layers make it exponentially harder for attackers to succeed:
Core Action #3: Recognize and report scams
Phishing remains one of the most pervasive attack vectors. Building awareness and speed of response are very important. Here’s how to do it:
Core Action #4: Update all software
Cybercriminals often exploit unpatched vulnerabilities in operating systems, browsers, and applications — particularly those with known exploits actively weaponized in the wild. A disciplined update routine closes known security gaps before attackers can exploit them:
Why fundamentals still rule
GenAI and automation are revolutionizing security operations — accelerating detection, triage, and response. But they are force multipliers, not replacements for good hygiene. A leaked password or unpatched system can still compromise even the most advanced defenses It’s also important for teams to empower the staff to act on these fundamentals confidently — pairing tools with targeted training.That’s why CAM continues to emphasize the Core 4. They are the bedrock of modern cyber resilience — for business and individuals alike. When organizations pair strong fundamentals with AI-enabled security tools, they achieve layered, adaptive defenses capable of handling today’s threats — and tomorrow’s unknowns. For individuals, consistently applying these same fundamentals builds a strong personal security posture — one that can thwart most every day cyber threats.The takeaway? Embrace the promise of AI, but never overlook foundational best practices. Cybersecurity success still starts with strong passwords, MFA, scam awareness, and patch discipline. Whether protecting a household, safeguarding a small business, or defending a global enterprise, the formula remains the same — pair disciplined fundamentals with AI-enabled defenses, and organizations can build resilience that scales. Go back to basics this October and make cybersecurity a priority all year long.Jack Cherkas, global chief information security officer, SyntaxSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
link