Each week during October, we will take a fresh perspective on the NCSAM themes and give insight into better options.
It is October, which means it is National Cyber Security Awareness Month. As in previous years, CISA and NCSA have broken the month into one theme per week. And while other groups will look at these themes in more traditional ways, let’s start with the honest truth:
Cyber Security Awareness Training sucks. It’s broken.
Cyber Security Awareness Training doesn’t work (or at least doesn’t work well). Most organizations are stuck in a loop doing the same thing and hoping for different results.
Today more than ever, it’s essential we find a successful way to prepare for and secure our technological growth and future. With the dramatic shifts of 2020 and the increased number of employees working from home, our ways of preparing are inadequate, outdated, and ill-conceived.
Part of the reason it’s broken is that we have stopped looking at it with fresh eyes. So, in an effort to address this, let’s look at the themes of this month with a new perspective. Cyber criminals keep learning and adjusting. Our defenses must be just as agile, and keep learning and adjusting too.
If You Connect Your People, Protect Your People
National Cyber Security Awareness Month’s (NCSAM) first theme is If You Connect It, Protect It. Traditionally, this would be interpreted as computers, hardware, and other IoT devices — but that moves the focus away from where it most needs to be: your people.
“95% of cybersecurity breaches are due to human error. Cyber-criminals and hackers will infiltrate your company through your weakest link, which is almost never in the IT department.”
Be it employees, students, customers, or your community, what we are really working to protect are people. Protecting people is the core.
Yet 85% of CISOs admit to sacrificing cybersecurity in the shift to remote work. In the urgent shift to working from home due to COVID-19, “the number of unsecured remote desktop machines rose by more than 40%,” remote desktop protocol “brute-force attacks grew 400% in March and April alone,” and “users are now three times more likely to click on pandemic-related phishing scams.”
Not only have work meetings shifted online; so has education, with many universities and K-12 schools moving to the physical ‘safety’ of remote learning. However, there are over 530,000 Zoom accounts for sale on the dark web. These accounts sell for as little as a penny, or are often given away for free, with the intent of using them in Zoom bombing pranks. It is essential to think about how to protect those who connect.
Tools, Training, and Time
How do we protect our employees, customers, students, and communities? Tools, training, and time must evolve with the times.
The Right Tools
The right tools will vary by industry and area. However, firewalls, antivirus software, multi-factor authentication, encrypted emails, and staff training are all essential components of using the right tools.
Those working or studying from home should ensure their Wi-Fi connections are secure, stay aware of phishing threats, practice good cyber hygiene, lock their screens when stepping away from their computers, and use a reputable VPN.
The Right Training
There are a lot of options out there for training. Sometimes it’s hard to know what the “right training” is. Companies have fallen into the trap of seeing cybersecurity as a routine compliance requirement, defaulting to the quickest, easiest, and cheapest way to check off a box mandated by vendors, executive teams, insurance policies, or external regulators. But checking off a requirement box doesn’t accomplish the goal of behavior change.
The right training should:
- Teach or reinforce a skill
- Create behavioral change
- Be understandable and readily available
- Be engaging and memorable
- Be adaptable and industry specific
Time and Attention
Time and attention are factors in more ways than anyone wants to admit. At the bare minimum, there has to be time devoted to training. Using the right tools can save time and increase engagement, reinforcing behavior change. The wrong training and tools will take more time and attention than they return.
Do Your Part #BeCyberSmart: Protect Your People
Nothing will change in cybersecurity education until we take a new approach and create a better way for people to learn new skills. Current cybersecurity awareness training doesn’t work. The system is broken.
To fix it, we have to start being honest about what the real goals are — not just the real fears. Companies are eager to sell fear and it’s easy to do with all the recent breaches and cybercrime statistics. But being afraid doesn’t change behavior or need — empowering people with true knowledge, real skills, and the right training does.
Don’t miss next week’s conversation with a fresh perspective on week two’s theme: Securing Devices at Home and Work.