Cyber Security Awareness Month: Engage Your Users

Posted by Fahmida Y. Rashid

Security professionals should take advantage of Cyber Security Awareness Month to spotlight security initiatives within their organization. Use this month to get the board and C-suite to think about security. This is also a good time to demystify security for your end users.

The Department of Homeland Security has conducted a series of events every year in October since 2004 to improve security awareness. One of the stated goals of National Cyber Security Awareness Month is to increase “the resiliency of the nation in the event of a cyber incident.”

Cyber Security Awareness Month reminds us that security is everyone's problem. It's not just limited to banking or retail, and no one can claim to be too small or too unimportant to be a target. We aren't talking about just protecting our critical infrastructure and economy, but all of our individual identities and finances.

“I call upon the people of the United States to recognize the importance of cybersecurity and to observe this month with activities, events, and training that will enhance our national security and resilience,” said President Obama in his Sept. 30 proclamation.

Individually, we should be taking steps to secure our own devices and information. We talk about encrypting laptops and portable devices. It could be as simple as locking your mobile devices to protect your data if the devices are lost or stolen. Don't forget the Security 101 recommendations we hear about all the time, such as installing security software, patching operating systems, using strong and unique passwords, and not opening attachments or clicking on links in emails.

From an organization's standpoint, you can conduct user education training so that employees know how to keep data safe. Do you even have processes in place so that employees know what they should do if they need to share sensitive data with people outside the organization? Do your staff know why they shouldn't be saving work files to Dropbox? You can set up time to discuss data breaches with upper management. Consider when you last reviewed your cybersecurity posture. Perhaps you are due for a review, and even an update.

DHS has a week-by-week list of areas organizations need to focus on to improve overall security. Security needs to be baked into our products, processes, and culture. This week, the emphasis is on small businesses, because as noted earlier, no one is too small to be a target.

It's easy to treat this month as a month of security training. However, it's important to remember that a strategy that puts the onus of security on the end user is never going to work. People will click. It's human nature to try to be helpful, to share, and to trust in each other. And for some employees—Human Resources, Legal, and Hiring & Recruitment—opening attachments from unsolicited emails is part of their job function. As Anup Ghosh, CEO of Invincea, likes to say, “You can't patch humans.”

Don't get bogged down with just security training and patch management. These are important elements, but take advantage of the fact that people are talking about security to push forward other security initiatives. Develop a process that makes it easier for users to be secure while still getting their jobs done. “A security strategy based on training users to not click on links or opening attachments will fail,” Ghosh wrote in a post recently. Blaming the breach on what an employee did is unfair, and victim-blaming. A security strategy needs to be able to protect systems and data when the human element fails.

Is your organization doing anything for Cyber Security Awareness Month? What are your plans for keeping security top of mind for your senior management?

Fahmida Y. Rashid

Information Security Journalist, Editor-in-Chief, RSA Conference
