This year marks the 20th anniversary of Cybersecurity Awareness Month (CSAM), so it’s only appropriate to take stock of how far the industry has come in terms of raising awareness.
While it feels like cybersecurity has become more mainstream over the past few years, it’s not solely because everyone has become better at protecting themselves online. High-profile breaches like Uber, Twitter and, more recently, Las Vegas casinos have raised the newsworthiness of incidents. The pandemic’s impact on accelerating remote work has also made cybersecurity even more of a necessity for businesses and individuals.
But those of us in the industry understand that there’s still a long way to go to actually raise awareness of good cybersecurity practices, rather than cultivating an “it will never happen to me” attitude among the public. In that sense, 2023 doesn’t look very different from years past.
Common Challenges With Cybersecurity Awareness
We should still be encouraging the same things each year, the ones that will make a big difference: people staying on top of their basic cyber hygiene, such as installing security patches, adopting strong and unique passwords, enforcing multi-factor authentication on their accounts and hovering over links before clicking on them.
On the flip side, phishing tests and the “punishment training” for failing those phishing tests may be the least impactful techniques that businesses still practice in 2023. While it’s admirable and worthwhile asking staff to be on the lookout for phishing emails and other threats (“see something, say something” style), relying on folks to be able to tell the difference between normal email and phishing is a fool’s errand.
With advances in generative AI made over the last year, social engineering scams—which 98% of cyberattacks are based on—are about to get a whole lot harder to discern, as attackers can use models to write emails, texts or even generate audio that’s indistinguishable from a real message or voice. Businesses can’t expect their non-IT staff to become cybersecurity experts in a constantly evolving threat landscape.
The awareness month should be focused primarily on things that the average person will benefit from, and the business benefit must be the byproduct, not the goal.
How To Improve Cybersecurity Awareness
So, here’s how I think we should approach the 20th anniversary of CSAM. Rather than just encouraging people to be aware, which is where a lot of the annoying “jokes” around this time of year come from, the goal should be encouraging folks to understand and adopt behaviours that protect them and, by extension, their employers.
I do think it’s a worthwhile investment of time for organizations to participate, and not just with LinkedIn thought leadership. There’s plenty of value to be found in investing in outreach through more mainstream consumer channels, like Instagram and other social media platforms. Encouraging positive security behaviours on those platforms will reach a wider audience who may not be as familiar with cybersecurity, instead of an echo chamber of cybersecurity practitioners on LinkedIn.
The theme for last year’s CSAM was “it’s easy to stay safe online,” and actually reaching people at the websites they’re spending time on will go a long way toward changing the overall behaviour of people online.
Too often, the online promotions during Cybersecurity Awareness Month are dominated by vendors hawking their latest product release, or long-time security professionals mocking the average user for not knowing all of the best security practices.
Our industry has a real problem in general with communicating with non-technical people, and nothing will slow our progress down like losing focus on supporting online behaviours that can be easily changed to help the public stay safe.