The National Cyber Security Alliance (NCSA) and the Cybersecurity and Infrastructure Security Agency (CISA) are again celebrating Cybersecurity Awareness Month with the overarching theme of “Do Your Part. #BeCyberSmart.”
The initiative is in its 18th year, and the mission—“raise awareness about the importance of cybersecurity across the nation”—remains the same. Some practitioners might be inclined to dismiss the effort, thinking that it doesn’t apply to them. Of course, they live in an elevated state of awareness of the importance of cybersecurity. However, if only those within the industry understand the need to be safe and secure online, that leaves a whole lot of others, including businesses of all sizes, at great risk.
Thus, the focus of this first week is none other than Be Cyber Smart, but what does that mean? And how can we as an industry help to educate others? In order to answer that question for those companies that may not have a designated cybersecurity professional (such as SMBs, non-profits or even the K-12 sector), I spoke with Wendy Nather, Head of Advisory CISOs at Cisco and member of the RSA Conference Advisory Board and Program Committee.
“You need to understand what cybersecurity actually means to your job and the data that’s important to you,” Nather said. Nather is also a member of the Advisory Council for Sightline Security, whose mission is to ensure that non-profit organizations “have the knowledge and resources to embrace cybersecurity.” In short, it’s a mission to help non-profits do their part, but these principles aren’t exclusive to non-profits.
Where Do I Start?
The mission of most non-profits is to provide resources—whether money, food, clothing, education, medical services or any other service—to underserved populations. So, in thinking about where to start in their quest to Be Cyber Smart, they first have to ask what they are trying to do. “They can start by looking at the chain of what they are working with. If they are taking in money, how are they protecting it to ensure that they are able to make those resources available? They also need to think about who would want to redirect or steal that money,” Nather said.
It’s also important to think more broadly about the potential impact of not being able to deliver those resources. Nather pointed out that if a ransomware attack stops operations, that means it is likely the organization can’t deliver the money, food or other services to the intended recipients.
The first priority for any organization is to protect all the information that has to do with financial transactions as well as the data related to the people who are receiving those financial or other services. Schools, for instance, have a duty under the Family Educational Rights and Privacy Act (FERPA) to protect the Personally Identifiable Information (PII) of K-12 students, and non-profits that are helping victims of domestic violence or human trafficking also bear the responsibility of protecting users and the digital identities of those they are trying to help.
Building Cyber Smart Relationships
Protecting data does not only mean ensuring that malicious actors can’t access it. It also means that the organization is building the right layers of defense. If there were a ransomware attack, they would still need to access their critical data. “If you are not able to do this yourself,” Nather said, “turn to peers or ideally experts to help navigate the process of figuring out what is at risk and what to do to protect adequately.”
Being Cyber Smart also requires that organizations recognize there is no prescribed process for figuring all of this out, and determining where to start is challenging. But there are resources available. “Get involved in the security community. Find peers to work with or go to a free local conference. Meet with people and ask questions. Talk with community members,” Nather said.
According to CISA’s Cyber Essentials, a guide for leaders of small businesses, building a culture of cyber readiness starts with employing backups, requiring multi-factor authentication, enabling automated updates, deploying patches quickly and educating staff. For additional resources, explore the RSAC 365 Library of educational content, available to you not only during Cybersecurity Awareness Month but all year round.