This year, National Cybersecurity Awareness Month (NCSAM, celebrated each October) came on the heels of the disclosure of the Equifax breach, which exposed the personal information of nearly half the U.S. population. And while this latest data breach is one of the most damaging and costly to date, it followed a string of major hacks that have made headlines in recent years.
If there is an upside to such cyber calamities, it might be that they’ve helped to raise consciousness about the importance of cybersecurity. “People are more aware of the risks than they have ever been,” said Michael Kaiser, executive director of the National Cybersecurity Alliance (NCSA), which, along with the U.S. Department of Homeland Security (DHS), has run the annual awareness program for 14 years.
Do we still need to dedicate 31 days a year to raising cybersecurity awareness? Absolutely, say industry experts. While many individuals now understand the danger that lurks in their increasingly digitized lives, the purpose of NCSAM is not simply cognizance of the threat, but ongoing education about how to better protect against it.
The idea for NCSAM came after the George W. Bush administration introduced its first National Strategy to Secure Cyberspace policy statement in late 2003, which made awareness and training one of its top five priorities. The initiative continued through subsequent administrations and “found its way to becoming a critical part of increasing safety and security for everyone,” said Kaiser, who joined the NCSA in 2008. This year, DHS and NCSA took their efforts international, conducting awareness events with the Organization of American States and highlighting the awareness work going on in Canada, Australia, and the European Union.
A Valuable Lever
Since NCSAM’s inception, there have been a number of advancements in the industry, including improved tools such as strong authentication. Still, “not everyone is doing everything they need to do,” according to Kaiser, “in the same way that not everyone drives safely.”
NCSAM remains a necessity, noted Jason Hoenich, co-founder of cybersecurity awareness company Habitu8. “For a lot of companies that don’t do anything consistently to promote awareness and education, October is the time of year when companies with cybersecurity information get a reason to have the conversation.”
“NCSAM is the perfect time for network defenders to have that closed-door conversation with their boss about a radical change in direction regarding how they manage IT and security deployments in the future,” suggested Rick Howard, Palo Alto Networks’ CSO. “This is the time to seriously consider adopting DevOps as a management philosophy and Site Reliability Engineering best practices as the way forward—not only to efficiently manage your infrastructure, but to also get a leg up on your competition.”
NCSAM is designed to promote such discussions—between companies and their employees, teachers and students, parents and children, explained NCSA’s Kaiser. “We consider cybersecurity awareness a grass-roots activity.”
NCSAM can prompt businesses to review and improve their cybersecurity stance, said Stephen Lilley, partner with the law firm Mayer Brown, who co-authored the firm’s guides on cybersecurity, regulation, and incident response and served as a member of the Center for Strategic & International Studies Cyber Policy Task Force. “Companies can use this month to evaluate their cybersecurity postures and think through both the risks that dominate the news and the next wave of cyber threats,” Lilley said. “Some may continue to refine key components of their cybersecurity programs, such as incident-response readiness, governance structures, and third-party vendor oversight. Others can build on mature programs to address cutting-edge issues, such as those presented by artificial intelligence or automated systems.”
Adopting a Marketing Mindset
Mayer Brown uses the period to highlight newer cybersecurity and data privacy issues its clients are facing with events and publications. Key topics this year have included the cyber risks of cloud and Internet of Things (IoT) technologies, how to launch a vulnerability disclosure program, and European General Data Protection Regulation (GDPR) compliance.
A particular area of interest this year could be improving DevOps security, suggested Aaron Bryson, director of the red team for Cylance Consulting. “While there are frameworks and best-practice guides, relying on every individual to effectively enforce these recommendations in a consistent manner is difficult at best,” said Bryson, who has overseen white hat hacking groups at the Department of Defense. “Automation and tooling can help with the enforcement of application-security best practices. We need every engineer—both software and hardware—to adopt a secure software-development lifecycle and other security practices and design principles.”
Hoenich, who began his cybersecurity-awareness career producing Hollywood-grade videos on the topic for the Walt Disney Company, said that more companies are hiring full- or part-time awareness and education professionals or seeking help from companies such as his. That’s an important shift, he said, because raising awareness is a right-brained function requiring specific skills that many left-brained security professionals might lack. Too many awareness efforts—PowerPoint presentations, dry training sessions—fall flat. Awareness building is really a form of marketing and must be engaging to succeed, said Hoenich, whose company produced two seasons of a cybersecurity web series called Hashtag Awareness.
“If you’re trying to change someone’s behavior, you must start by piquing their interest and giving them something of value,” said Hoenich. Reposting information that employees have likely read elsewhere is not likely to draw people in. Inviting them to watch as a red team performs a live hack on one of their fellow employees, on the other hand, is. “It’s much more impactful than sending out a seven-paragraph email explaining why social engineering is bad,” said Hoenich. “That’s what can be fun about October.”
Calculating the impact of NCSAM is a challenge. NCSA and DHS monitor social media activity, website metrics, and media mentions. Measuring behavioral change is trickier. “Over the last three to five years, we’ve seen more and more companies engaging in awareness—not just during the month, but all year long,” Kaiser said. “That’s what we hope happens—that these things are institutionalized.”