In 2004, October was deemed National Cyber Security Awareness Month (NCSAM). This was an initiative promoted by the National Cyber Security Division (NCSD) within the Department of Homeland Security and the National Cyber Security Alliance (NCSA, a non-profit organization). It’s been 14 years since its inception. Has it worked? Are we more aware of the perils in the world of cyber security?
The reality is that various studies have been conducted over the last several years on whether the average person would give up their password for a piece of chocolate, share their passwords, or install any sort of protection on their mobile devices, and so forth. Based on the myriad of studies out there, it’s clear we still have to keep cybersecurity top of mind.
It’s not surprising that a look at the headlines each week shows a constant barrage of breaches, ransomware, state-sponsored attacks, and new malware threats. But, when we get a text from a friend or parent with a link that says, “check this out!” – how many out there are pausing for a second to think, “Wait, what is this? Is this really from my friend? Should I click on this?” The answer is likely one that we don’t want to hear.
Where does this leave us? More importantly, if you are responsible for protecting your organization against cybersecurity threats, how does this impact you? We need to do a better job of explaining risky behavior to our employees and showing them why it is risky not only for the company, but also for themselves, personally. In medicine, when fighting a disease, practitioners often refer to “herd immunity,” where as long as most people are protected against the disease, the outlook is good for everyone overall. Unfortunately, that doesn’t work in cybersecurity.
We need everyone in the organization to be vigilant, because if a hacker gets access to just one employee’s account and successfully extracts customer, patient, or citizen data, a breach of that scale is going to affect everyone in the organization. One simple click could start a chain of events that leads to loss of revenue, fines, job cuts, reputational damage, and more. Now that the lines between corporate devices and personal devices have blurred, it’s more important than ever to discuss protecting all your devices, not only work-issued ones.
Assuming the end users at your organization don’t all adopt perfect cybersecurity behavior tomorrow, what should you do?
You can take these steps to ensure you are doing everything you can for when something does happen:
Least privilege – only grant the access that individual employees need to do their respective jobs, and only when they need it. Enforcing multifactor authentication (MFA) for sensitive applications means that, should a user’s account credentials fall into the wrong hands, the bad actor is far less likely to get into those sensitive applications with the credentials alone.
Learned behavior – test your employees with simulated phishing emails. For example, send a fake request to reset their password, or an email relevant to their role in the company, to get them to click a link; the click then alerts and educates them that they failed a cybersecurity test. Teach them about their risky behavior before someone else does, the hard way.
Layers of security – most of us have layers protecting our house: a motion-sensing light outside, a lock on the door, perhaps an alarm system. The same approach should be taken at your organization when it comes to cyber security. Apply protection to the endpoints, identity governance for access entitlements, and a security information and event management (SIEM) solution to monitor activity across those layers.
Everyone always asks what the one silver bullet is that they can use to protect themselves. The reality is that there isn’t one single technology – it’s an overall approach combined with employee and user education, and it doesn’t just happen one month of the year. While it’s great that October is National Cyber Security Awareness Month, we should think of every month as cyber security awareness month.