In some ways, 2016 prepared us for the cyberattacks of 2017, but looking back at last year’s main themes as outlined by Department of Homeland Security (DHS) reminds us that thinking about National Cyber Security Awareness Month (NCSAM) just once each year isn’t nearly enough to protect our enterprises. Here’s what was important then — and what we’ve learned in the year since.
Taking Advantage of Public Efforts
One of the most notable aspects of NCSAM is its connection with the Stop.Think.Connect campaign, a global awareness effort aimed at creating a safer and more secure online community. It brings together private companies, nonprofits and governmental organizations under the leadership of the National Cyber Security Alliance (NCSA) and the U.S. government.
Beginning in 2010, the goal of the effort was to distribute cybersecurity awareness and encourage safe online behavior, since much of the damage done through cyberbreaches happens because computer users are uninformed about the methods and tactics used against them. The campaign’s message encourages people to think before they take action online that could be harmful to themselves or their organizations.
Stop.Think.Connect focuses on spreading information publicly through multiple channels, including social media. The effort makes use of hashtags including #ChatSTC for Twitter Chat sessions, and also #CyberAware and #PrivacyAware to extend its reach to school campuses. Tip sheets from previous years are archived on its website and offer resources such as an explanation of ransomware and tips for raising privacy-savvy kids.
Stop.Think.Connect is a recurring theme each year during NCSAM. The specifics of the 2016 campaigns remain valid through 2017 and beyond.
Other Lessons From National Cyber Security Awareness Month 2016
The Stop.Think.Connect campaign is just one carryover from last year. Here are some other messages that should be remembered this time around.
From the Break Room to the Boardroom
Protecting enterprises from cyberattacks was an important focus during the 2016 NCSAM, and the DHS offered suggestions that — while simple in concept — present challenges in implementation. Specifically, the DHS advocated for:
- Using complex passwords that include uppercase and lowercase letters, numbers and symbols;
- Being aware of phishing emails and resisting the impulse to open emails, links, or attachments from strangers; and
- Reporting all suspicious activity to the company IT department.
In 2014, the DHS launched the Critical Infrastructure Cyber Community (C3) to help protect critical infrastructure, including energy, water, transportation and financial systems. It is a voluntary program connecting DHS, other government agencies and the private sector to highlight the agency’s cybersecurity framework, promote communication and create a feedback mechanism to deliver continuous improvement of the program.
Recognizing and Combating Cybercrime
The fact that cybercrime costs money is well-documented. CNBC reported that individual cybercrime victims lose an average of $358 and then spend an average of 21 hours to recover from the effects of cybercrime. Additionally, the Ponemon Institute reported that companies worldwide lose an average of $7.7 million each year to threat actors online. Finally, Forbes noted that total costs from cybercrime will reach $2 trillion by 2019. Those figures are staggering, but still relatively unknown by those who don’t work in the cybersecurity field.
Even as cybercrime gains a foothold in the public sphere, companies lag behind in defending cybercrime and proactively defending their data due to the ongoing skills gap. Government agencies focus on finding cybercriminals and often share their findings with businesses that may be in their crosshairs. These agencies are understaffed with many unfilled job openings — partly because the hiring process includes rigorous background checking and would-be applicants are hesitant to apply. This could leave organizations without the personnel required to execute a mission.
Our Continuously Connected Lives: What’s Your Apptitude?
Smart devices populate every aspect of our personal and corporate lives. We rely on them for communication and information multiple times every day. Smart appliances, otherwise known as the Internet of Things (IoT), are expected to reach a population of more than 20 billion devices by 2020, according to Gartner. Each of these computing devices connects to the internet and presents a possible points of entry for cybercriminals.
The IoT is useful to everyone who uses these smart devices, but the ease of installing apps that allow access to sensitive information can expose them to exploitation. For example, smartphones’ wireless connections are vulnerable to being monitored and password information could be intercepted. Not to mention, IoT devices continue to be deployed without standardized security protocols in place to protect the access they provide to corporate networks.
Building Resilience in Critical Infrastructure
Infrastructure is subject to failure, but surviving problems is critical to businesses continuing to operate through issues with individual parts of their infrastructure. Resilience needs to be built in, not only in the design of the systems and selection of components, but also into the processes, procedures and people surrounding them. Employees must be engaged in security awareness through training and ongoing information updates. Their leaders need to understand and support the programs and policies that combine to make up a resilient infrastructure.
These issues were key to NCSAM 2016 and have remained critical factors throughout 2017. While the themes slated for the rest of NCSAM 2017 are important for organizations, security leaders shouldn’t forget what they’ve learned in the past.