It seems rarely a week passes without notice of another cybersecurity breach or incident. For many incidents, the issue isn’t policy – it’s human error. That’s why some leaders in the government and nonprofit sector are using the month of October to increase awareness and draw attention to the need for proper cybersecurity procedures.
“National Cybersecurity Awareness Month was launched in 2004 by the U.S. Department of Homeland Security and the National Cyber Security Alliance as a broad effort to help Americans better understand cybersecurity and how to stay safe and secure online,” said Kelvin Coleman, executive director of the National Cyber Security Alliance.
Under the direction of the National Cyber Security Division within DHS, the program initially focused on simple steps that people and companies could take, such as keeping antivirus programs up to date. Simple but, at the time, effective measures such as regularly updating security software were promoted as things that both individuals and IT departments could do.
The effort has expanded over the years, and since 2009 the month has carried an overall theme, “Our Shared Responsibility,” which serves as a reminder that everyone from large corporations to individual computer users now plays a role in ensuring that data is protected.
“Every week in the past we’ve sent out tips and best practices via press releases, newsletters, the media, etc., and saturated the general public and businesses with information to help them educate themselves,” Coleman told ClearanceJobs via an email. “We have had really great success getting this message out and helping people understand the importance of cybersecurity and how they can stay safe online.”
Own, Secure, Protect
For 2019 the overarching message for NCSAM takes this a step further with “Own IT. Secure IT. Protect IT.” The goal is to further educate and raise awareness on issues that include citizen privacy, consumer devices and e-commerce security. Each of the three calls to action comes with practical tips for anyone who relies on our ever-connected world of devices.
Own IT – The advice for social media is “never click and tell.” Too much information isn’t just a source of awkward conversations; the details people post give attackers material for impersonation and targeted phishing. Individuals and IT departments should review privacy settings and check the permissions of installed apps so that those downloads aren’t sharing more than they need to either.
Secure IT – Strong passwords, or better yet passphrases, are as important as ever, and multi-factor authentication should be enabled for email, mobile devices and other sensitive accounts and devices.
Protect IT – Everyone should keep security software, browsers and operating systems patched to current versions so that known security holes are closed. Likewise, users should be careful about which Wi-Fi networks they connect to. And those who hold customer or client data should take additional measures to protect it.
Security experts agree with these tips and suggest that users create strong, complex passwords, exercise care when opening email attachments, and remain cautious on public Wi-Fi. Despite the warnings, however, many people continue to make the same simple mistakes time and time again.
“Employees continue to ignore the obvious security red flags for two reasons,” said James Aldridge, vice president of technology at Matrix Integration.
First, he said, natural human behavior is to resist change, and employees never have time.
“All employees get used to their daily routine and social engineering criminals have become really good at hiding their trickery,” Aldridge told ClearanceJobs. “For those who are not paying close attention, they will not see the simple signs or subtle changes in email addresses or hyperlinks.”
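The “subtle changes in email addresses or hyperlinks” Aldridge describes can be checked mechanically as well as by eye. The following is an added example, not code from the article or from Matrix Integration: it flags sender domains and link targets that imitate a trusted domain (digit-for-letter swaps such as “examp1e”, “rn” standing in for “m”, single-character typos) and link text that shows one domain while the href points at another. The trusted domain list, the confusable table and the sample messages are all constructed for illustration.

```python
"""Flag sender addresses and hyperlinks that differ subtly from a trusted
domain, the kind of change a distracted employee misses.  Added example,
not code from the article or from any quoted company; the trusted domains,
confusable table and sample messages are constructed for illustration."""
import re
from urllib.parse import urlparse

# Assumption: the organisation's own domains (constructed for the example).
TRUSTED_DOMAINS = ("example.com", "bank-example.com")

# Character sequences that read alike in many fonts; extend as needed.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def normalize_confusables(label: str) -> str:
    """Map visually similar sequences to their canonical form."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def registrable_domain(host: str) -> str:
    """Keep the last two labels (naive: does not handle co.uk-style suffixes)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown'."""
    dom = registrable_domain(host)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if (normalize_confusables(dom) == normalize_confusables(trusted)
                or edit_distance(dom, trusted) <= 1):
            return "lookalike:" + trusted
    return "unknown"


def sender_domain(from_header: str) -> str:
    """Extract the domain from 'Name <user@host>' or a bare address."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header.strip()
    return addr.rsplit("@", 1)[-1].lower()


def analyze_message(from_header: str, links):
    """links: list of (visible link text, actual href).  Returns a list of findings."""
    findings = []
    sdom = sender_domain(from_header)
    verdict = classify_domain(sdom)
    if verdict.startswith("lookalike:"):
        findings.append(f"sender {sdom} imitates trusted domain {verdict[10:]}")
    for text, href in links:
        host = urlparse(href).hostname or ""
        verdict = classify_domain(host)
        if verdict.startswith("lookalike:"):
            findings.append(f"link {href} imitates trusted domain {verdict[10:]}")
        # Link text that looks like a URL but resolves somewhere else.
        shown = re.search(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(f"link text shows {shown.group(1)} but points to {host}")
    return findings


# Constructed sample lure (not a real message): digit-for-letter sender
# domain and an 'rn'-for-'m' link hidden behind honest-looking link text.
PHISH_FROM = "IT Helpdesk <helpdesk@examp1e.com>"
PHISH_LINKS = [("https://example.com/login", "https://exarnple.com/login")]
LEGIT_FROM = "alerts@example.com"
LEGIT_LINKS = [("Sign in", "https://www.example.com/signin")]

if __name__ == "__main__":
    for finding in analyze_message(PHISH_FROM, PHISH_LINKS):
        print("FLAG:", finding)
    print("legitimate message findings:", analyze_message(LEGIT_FROM, LEGIT_LINKS))
```

Run against the constructed lure this raises three findings (sender, link target, and text/href mismatch) and none for the legitimate message. The registrable-domain logic is deliberately naive and the confusable table is short; a production check would use the public suffix list and a fuller Unicode confusables table, but the structure of the check is the same.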
Secondly, Aldridge added, if companies do not train employees and hold them accountable to their security policies, the employees will not change their behavior.
“At a minimum companies need to subscribe to a security awareness training platform and have trainings on a recurring schedule,” Aldridge explained. “To coincide with training, clear security policies and expectations need to be developed and communicated.”
“Companies need to do more to better educate their employees,” agreed Elad Shapria, head of research at cybersecurity firm Panorays.
“A security awareness training program, for example, can help inform employees about data management, safe Internet habits, social networking dangers and more,” Shapria told ClearanceJobs.
Social engineering, which targets people rather than systems, remains the larger concern. To that end, companies can test employees with internal phishing simulations and measure who clicks.
As importantly, added Aldridge, is the need to “develop a feedback and training loop with employees that are not meeting the documented security policies and expectations.”
Then there is protecting data by other, equally obvious means, which applies to any sensitive or classified data.
“Companies should be taking steps to limit the amount of data that employees have access to,” added Shapria. “Data should be accessed on a need-to-know basis, and there should be processes to remove that access once employees leave the company. If more employees had less access to company data, there would be a lot less cybersecurity problems.”