Is Cybersecurity Awareness Month Anything More Than PR?
Cybersecurity Awareness Month has been going on since 2004. This year, Cybersecurity Awareness Month urged the public, professionals, and industry partners to “see themselves in cyber” in the following ways:
- The public, by taking action to stay safe online.
- Professionals, by joining the cyber workforce.
- Cyber industry partners, as part of the cybersecurity solution.
CISA outlined four “things you can do” to stay safe online for individuals and families, including updating their software, thinking before they click, using strong passwords, and enabling multifactor authentication on sensitive accounts.
The industry has been teaching security tips to employees and the public for a long time. With so much repetitive media and education on cyber awareness in the rearview mirror, the returning October focus weighs on many. Here’s a roundup of reactions to cyber month and traction from this year’s themes and messaging which should tell us if there’s more to the campaign than a public relations angle.
Top news from Cybersecurity Awareness Month this year
Sentiments about Cybersecurity Awareness Month 2022 range from mindfulness to meme-fulness, with sage advice and wisecracking commingled across sharp, clever news and interest pieces.
At the top of the pile sits a review of “The dread, sincerity and comedy of Cybersecurity Awareness Month” from The Washington Post.
The dread and comedy were mostly sarcastic tweets without acknowledging this year’s theme. Cybereason’s Ken Westin tweeted that awareness month was created by Hallmark to sell more greeting cards.
There was some backbiting, too. Cybersecurity reporter Sean Lyngass tweeted that Cybersecurity Awareness Month is full of PR pitches capitalizing on security breaches. Anne Cutler, PR executive at Keeper Security, replied, “You are mistaken. It’s actually called Cybersecurity PR teams will hold no prisoners and raise awareness whether you like it or not month. You may now consider yourself aware.”
The Register took a sobering look at awareness month and its inherent challenges in the “National Cybersecurity Awareness program 18 years on: Don’t click that.”
It echoed the frustration in keeping cybersecurity awareness technical enough to be useful yet simple enough to understand. Industry participants need to move beyond “think before you click” without losing their audiences and any effort the public is already making to avoid phishing.
The Register expressed the need to make employees with little cybersecurity knowledge more like full-fledged security professionals. That will not happen soon. However, when the story encapsulated the thrust of See Yourself in Cybersecurity—though security is complex, it’s up to individuals to make it work—that made sense.
The Register points up people are the solution because people are the problem, with over 80% of breaches involving the human element, including people falling for phishing attacks.
According to the Register, Seeing Yourself in the Cyber Workforce reminds organizations hiring cyber staff that training funding is increasing. They should use it for new hires and professionals who have gained experience since last year’s training.
Forbes revealed a trove of unfortunate cyberattack trends in “For Cybersecurity Awareness Month (and Halloween)–Some Scary Cyber Threat Stats.“
Cybersecurity Awareness Month hasn’t had a measurable effect on breach trends. Breaches are increasingly common and severe. Phishing was the worst in Q2 2022, with over 1 million attacks.
Forbes notes that nation-state attacks aren’t just for critical national infrastructure, with 64% of businesses saying nation-states have hacked them. Still, industrial control systems and OT are in more danger than regular IT assets.
Advice implementation from Cyber Security Awareness Month 2022
The CISA “four things you can do” initiative for the 2022 Cybersecurity Awareness Month, including updating software, thinking before they click to prevent phishing, using strong passwords, and enabling multifactor authentication was publicized aiming to influence end-user behavior toward better security practices. But does directive advice like this actually work?
The Register clarifies that the success or failure of Cybersecurity Awareness Month rests with how you measure it. The cyber month hasn’t worked if you expect cybersecurity to be solved. If you hoped that people and organizations would take cyber more seriously, then awareness month is a success.
Cybersecurity Awareness Month and “the things you can do” worked well enough. The most resonant thing to do was to find a more effective people-based solution to phishing beyond “think before you click.”
Under the surface of the Post article, voices on Twitter clarified that phishing education, such as finger-pointing lectures and surprise phishing tests, is unwelcome.
CISA wants industry partners to see themselves as part of the solution, working together to build a secure and resilient technology ecosystem. By engineering products to be secure by design, they can collectively reduce risk and protect the critical infrastructure Americans count on.
In his Forbes article, Chuck Brooks points out that, despite awareness month, the energy sector and the electric grid are at significant risk of attack. Securing critical national infrastructure against nation-state hackers, such as those who attacked Colonial Pipeline, is challenging. It must be a public and private sector priority, as CISA has endorsed.
How can we improve Cybersecurity in 2023 beyond a PR effort?
Going beyond Cybersecurity Awareness Month means organizations are responsible for their end-users cybersecurity education, but there are also technical solutions that can solve for bad end-user behavior and still safeguard your organizations’ IT security. A few quick wins to do asap:
1 — Patch your software
Organizations can see software updates as costly, and many avoid updates, so they don’t break applications that run on the software. But to meet cybersecurity objectives in 2023, organizations must patch their software as soon as updates are available.
2 — Block the use of known breached passwords
By scanning Active Directory for password-related vulnerabilities with Specops Password Auditor, organizations can identify the use of over 900 million weak and breached within their Active Directory. Hackers use stolen credentials in attacks on critical national infrastructure. Password audits ensure those breached passwords aren’t in use in your organization.
3 — Audit the security level of the 3rd party apps you’re using
A recent report found that popular work-related apps have some major security gaps when it comes to passwords and MFA. Take inventory of what web applications your organization is trusting and make sure MFA, or at least 2FA, is enabled for your end users.