No one would ever suggest that National Cybersecurity Awareness Month is a mistake. Every October, we recognize NCSAM in a variety of ways—with online seminars, with security awareness campaigns, with outreach to schools. And for a brief time, cybersecurity takes a bigger share of the national discourse.
But every year, that awareness slowly melts away, and in many ways security moves to the back burner. Sure, the technical specifics of security programs remain in place well after October has passed, but the human aspect tends to drift, opening up the possibility of holes created by a simple lack of awareness and attention. Without that awareness and attention, a key component of cybersecurity is undermined.
For that reason, it's in everyone's best interest to ensure that NCSAM has legs, and that security remains a top-of-mind concern throughout the year.
Tony Bradley, a senior manager for threat management provider Alert Logic who also happens to be the author of a dozen books on IT and IT security, as well as a frequent contributor to Forbes and DevOps.com, put it perfectly in a recent post for Security Boulevard.
"… effective cybersecurity isn't just about strong passwords and patch management—it's about peace of mind and being able to sleep soundly at night," Bradley wrote. "It is not something you can cram in during National Cybersecurity Awareness Month and then just forget for the rest of the year."
In another post, for CSO Online, Mitchell Parker, executive director of information security and compliance at Indiana University Health, took the discussion one step further, suggesting that one of the biggest ongoing threats to effective security is what he calls tunnel vision.
In general, this refers to the tendency of users to be ruled by whatever their current task is to the point that they lose sight of the possible consequences of their actions. It represents a huge cybersecurity challenge, and a significant opportunity to leverage NCSAM for change.
"We need to combat tunnel vision and its associated issues to help turn around the perception of Information Security and increase its effectiveness," Parker wrote.
This need is more important than ever, as public awareness of the related issues grows and legislators get more serious about holding organizations, which are collecting more sensitive data than ever, accountable.
A perfect example looms on the horizon: the California Consumer Privacy Act, which goes into effect in January. Considered by many to be the most expansive US privacy legislation to date, the CCPA raises as many questions as it answers for organizations looking to avoid running afoul of the new law.
This raises some serious challenges, and if companies and other organizations are to combat tunnel vision and attain peace of mind, they need to be clear on what the new rules are. Fortunately, the law firm of Jackson Lewis has published an exhaustive set of FAQs designed to help organizations determine how the CCPA applies to them.
- The new law applies to any companies that do business in California, collect personal information and determine how that data will be used or processed, and satisfy one of the following conditions: earn $25 million in annual gross revenue; buy or share the personal information of at least 50,000 consumers; or derive half of their revenue from selling that data.
- The new law defines personal information quite broadly: any information that can identify, relate to, describe, be associated with or be reasonably capable of being associated with a particular consumer. That could mean everything from identifiers (such as names, addresses or social security numbers) and property records to browsing history and biometric or geo-location data.
- The new law grants consumers sweeping rights in areas such as access to personal information, the ability to delete that data or the option to "opt out" of its sale.
- The latest version of the CCPA excludes employee personal information from most of the law's requirements, but it does entitle employees of covered businesses to a privacy notice, as well as the right to take action if they are affected by a data breach resulting from the employer's failure to maintain reasonable safeguards. (There is still much ongoing discussion about how to handle the personal information of business contacts.)
- The new law has a provision for consumers to seek damages of up to $750 (per consumer per incident) if a covered business is breached, regardless of whether the consumer can prove any actual harm. This could lead to some significant class action suits.
Clearly, there will be some serious dust-settling as the law takes effect, and companies doing business in California will need to do due diligence in order to fully grasp how the law affects them. But Jackson Lewis' FAQs include a few recommended steps for businesses that start with the basics: Monitor the new law and any resulting amendments; get a handle on whatever consumer personal information they're collecting and how it's being used and stored; and review security programs and procedures to ensure they're in compliance.
The bottom line is this: Organizations need to tighten their data security and privacy practices because legislation is coming, and the uncontrolled data grab will no longer go unchecked. And, while National Cybersecurity Awareness Month ends Oct. 31, the need to be aware and diligent never ends.