You are here

October 9, 2017

Last week, Yahoo provided the headline that underscores the importance of National Cyber Security Awareness Month—announcing that all 3 billion of its accounts were breached in a 2013 incident.

The Department of Homeland Security launched National Cyber Security Awareness Month 13 years ago to engage, educate, and promote national vigilance around this vital issue. We’ve made some important headway in distinct areas since that time, such as defending against denial-of-service attacks. We’ve also seen the introduction of important policies and standards, including the Federal Information Security Management Act (FISMA), and the requirement that all Department of Defense Contractors must comply with NIST 800-171 by the end of the year—to name just a few.

At the same time, however, new threat vectors continue to grow in volume, sophistication, and velocity. Phishing attacks are more convincing than ever. Ransomware incidents grew by  50% between 2015 and 2016, threatening mission continuity, public safety, and sensitive information. Insider threats continue to dominate the news—from Edward Snowden’s release of National Security Agency data to WikiLeaks’ dump of CIA documents to others charged with providing classified information to a news outlet.  In response, we’ve seen the rise of a new industry segment specializing in insider threat detection and data loss prevention, leveraging increasingly sophisticated behavioral and sentiment analysis capabilities.

While threats and the technology intended to thwart them continue to evolve, one element remains constant: the human factor. Individuals interacting with technology need to know the threats and what to do (or what not to do, as the case may be.) This message is, in essence, the foundation for National Cyber Security Awareness Month.

Cyber training must be sustained, complete, and constantly evolving. It cannot be viewed as a one-size-fits-all proposition. For instance, privileged users face different risks than regular users.  Agency leads face new roles as de-facto “cyber chiefs” within their organizations. They may not need to know the inner workings of malware, but they must understand the threats, tools, and strategies available to address them. Each of these audiences plays a different role in the cybersecurity tapestry, and thus, requires tailored training.

Also related to the human factor, it’s critical for agencies to understand and assess the “easy versus secure” paradigm. If cyber controls make life too difficult for users, they will look for ways around them, exposing the agency to greater risk. We’re seeing organizations increasingly focused on the user experience when it comes to cybersecurity. Training also plays a vital role in this area. Educating users about risks and threats can elevate compliance even if cyber controls add complexity to log-in and data access processes.

National Cyber Security Awareness Month is an important time to dig deep and focus on this important element of national security. That said, the elevated national conversation and focus on cyber cannot end when we turn the page on a new month. Instead, let’s use it as a springboard to innovation and continued collaboration around this critical national issue.

Learn More