What is National Cybersecurity Awareness Month?
An annual initiative launched 16 years ago by the Department of Homeland Security, National Cybersecurity Awareness Month (NCSAM) takes place every October. DHS’s main motivation in mounting a month of cybersecurity-related activities is to make consumers more aware of how to protect themselves online. This year’s awareness month theme is “Own IT. Secure IT. Protect IT.” with a focus on privacy, the internet of things (IoT) and e-commerce security.
How DHS works with other organizations on security awareness
With all the attention on steps that average citizens can take, how can NCSAM benefit enterprise users or organizations that arguably need as much if not more support in keeping their employees and customers safe online?
Erin Shepley, the program lead at DHS’ Cybersecurity and Infrastructure Security Agency (CISA), heads up this year’s Cybersecurity Awareness Month activities. She admits that “a lot of our content is really driven for the consumer, the average citizen that doesn’t work in cybersecurity.”
“We rely on organizations, basically trust mechanisms, to amplify” the messages of Cybersecurity Awareness Month, Shepley adds. “Whether that is a federal government agency, a chief security officer with a county government, the YMCA, the Boys and Girls Club,” DHS hopes the cybersecurity professionals within those organizations will talk with their offices and staffs and hold events related to cybersecurity.
How NCSAM enhances security awareness training
Shepley last week attended such an event hosted by an unnamed science and research company in Bethesda where the CISO held a full-day workshop related to NCSAM. The CISO invited expert speakers to educate employees on what they need to do to protect the information and data the company is building through its research efforts. “What our hope is, is that the content is easy so that if you're a security officer and you have many hats and one of those many hats is cyber security, you can take this content and use it as part of your awareness training mechanism,” she says.
Another example of corporations using Cybersecurity Awareness Month materials, one that Shepley says the folks at CISA “were super excited about,” came when CISA staff started receiving personal emails from their own banks with links back to CISA’s resources. Another big corporation, a retail giant that CISA requested remain anonymous, is holding a host of internal activities for its employees throughout the month, training and educating workers at every level, starting at headquarters all the way down to individual stores.
Government organizations are likewise using the opportunity of Cybersecurity Awareness Month to spread the message about good security hygiene. “Local and state governments are acting like a shared resource pool to talk about cybersecurity threats, trends, impacting their communities,” Shepley says.
“There’s a lot going on and we’re just not even tracking it at all, and that’s kind of the point. We create this content for people to take and use and really at the end of the day we’re hoping that people just take it and propagate it wherever.”
Another big question surrounding cybersecurity awareness is whether it’s worth the effort. Many cybersecurity professionals argue that average citizens, the overall workforce, will keep making the same mistakes over and over again, no matter how much awareness training they receive. One frequently cited landmark study by researchers at Oxford University and University College London tackles the well-known failure of awareness programs to change users’ behavior.
The researchers found that the negative “fear factor” in most awareness programs proved to be a disincentive to changes in security behavior. “Knowledge and awareness is a prerequisite to change behaviour but not necessarily sufficient, and this is why it has to be implemented in conjunction with other influencing strategies. It is very important to embed positive cyber security behaviours, which can result in thinking becoming a habit, and a part of an organisation’s cyber security culture,” the researchers concluded.
Shepley agreed that awareness programs “haven’t necessarily had the impact that we would like, where we haven’t seen huge steps towards fewer people clicking on links and introducing malware into the network. But we continue with awareness training because we have to do it regardless.”
Organizations must implement credential management, hardware management, password management and other good security measures and not merely hope that users don’t click on a bad link after they receive awareness training. The question, though, is how you deal with repeat offenders, “people that no matter how many times you train them and how many times you simulate phishing, they keep on clicking,” Shepley says.
Echoing the study’s findings about positive cyber security behavior, Shepley says “I’ve heard some interesting examples recently where there was less of the shaming. Historically, there’s been a lot of ‘you don’t pass,’ you get put on this bad list and maybe some level of rights is removed from you.”
“I’ve actually heard a lot of examples of success around incentivizing people to actively report phishing and participate in programs.” One company Shepley encountered gave employees who participated in awareness and reporting programs a figurine to place on their desks, which drew the attention of fellow employees. “Then more people are interested in participating. I think the incentives can go above and beyond that. It’s an interesting approach that I think hasn’t historically been seen across the field.”