Is National Cybersecurity Awareness Month Working?

This year marks the 15th annual National Cybersecurity Awareness Month. According to the Department of Homeland Security website, this yearly event is an “initiative to raise awareness about the importance of cybersecurity…a collaborative effort between government and industry to ensure every American has the resources they need to stay safer and more secure online.”

Coincidentally, it’s been a noisy month for data breaches. Household names like Facebook, Anthem, Google, and the Pentagon are all prominent in recent news cycles, and not for good reasons. Attacks continue unabated, and if anything, it seems like they are picking up steam. It was enough to make me sit back and ask the question “Is National Cybersecurity Awareness Month even working?”

The answer isn’t particularly encouraging.

What Month Is It?

Out of curiosity, I conducted a very scientific and well-organized survey on the subject, asking a few members of my family and friends one simple question:

“Do you know what month it is?”

Their answer, without fail, was “It’s October,” accompanied by looks that indicated they were questioning my sanity. When pressed further, almost all of them said “Oh, you mean Breast Cancer Awareness Month.”

No, but thanks for playing…

What this says is that the message isn’t reaching everyday consumers, the people whose personal data is at risk when a big company gets breached. If the message isn’t reaching their ears, it also means they’re likely not taking the necessary steps to protect their identities and stand to suffer in the end.

[Image: laptop with code. Caption: Some awareness messaging is as clear as machine code. Photo by Markus Spiske on Unsplash]

Raising Better Awareness

I talked to people who weren’t highly technical on purpose. They are the normal users, people who use services like Facebook and Google daily, and who are more likely to fall for simple scams and proclaim, “I think I’ve been hacked!” We saw it with the recent viral thread on Facebook, where people believed their accounts had been cloned. The timing of these messages coincided with Facebook’s September breach announcement, so it’s no great surprise if the two became conflated.

We’re fighting a decidedly uphill battle in cybersecurity. When normal end users say things like “I don’t understand all of that geek stuff,” “I’m just not that techy,” “I don’t have anything a hacker would want,” or “I don’t have time to worry about that,” you have to wonder why we even bother dedicating a month to cybersecurity awareness.

The fact is, our target audience is suffering from a case of ‘cyber fatigue.’ What’s another data breach to someone who simply assumes that they’ve been hacked but who hasn’t been affected in any material way?

What can we do to cut through the noise and fatigue?

Organizations that want to reach these audiences need to get creative, and get serious, rather than writing up a couple entries on their blog (guilty) and calling it a day … or a month. The effort should be something that’s part of the culture of the organization, a permanent commitment to making everyone safer. Awareness efforts shouldn’t just happen in October.

And that’s just the first step.

Take Responsibility for Security

I’m personally sick of hearing “We were compromised due to a computer glitch,” or similar ambiguous language, when organizations declare they’ve been breached. As consumers, we expect companies entrusted with our data to take their stewardship seriously. It’s insulting, really, to wait for months to get real answers, and when the answers do come, they are vague and defensive.

Organizations of all sizes need to take responsibility and treat our information like they would treat their most top-secret documents or financial details. If they do get compromised, they need to own up to it quickly and clearly. Is that too much to ask?

It’s unforgivable to find out that an organization lost data due to unpatched antivirus or endpoint protection. Or a misconfigured router. Or because it decided not to spend the money replacing end-of-life security products. Or any other reason tied to laziness, greed, or ineptitude.

Breaches Will Happen

If there’s one message I can contribute to the dialog this National Cybersecurity Awareness Month, it’s that breaches are going to happen. They will continue to happen, likely for as long as we have an internet, identifying information, and money.

What organizations do about the situation before, during, and after a breach will make the difference. For the public who are the targets of cybersecurity awareness efforts, pay attention and hold those organizations accountable if they fail you.

Company executives and Boards of Directors would like to push the blame for their cybersecurity failures back in your lap, whether you’re their customer, employee, or contractor. It absolves them of blame, but cybersecurity needs to happen at all layers to be successful. It starts at the top and affects everyone, from the CEO to the customer. We’re in this fight together, whether we believe it or not.

Understanding that, maybe we can collectively turn the tide and start reducing the number of data breaches we see in the news every day.

Posted on October 23, 2018 by Corey Tomlinson