October is the month dedicated to Cybersecurity Awareness, an initiative launched by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) back in 2004. The idea behind the month is to provide continuous awareness to the public and businesses on how to protect themselves and their data from being compromised. This is a great initiative and one that needs to continue, but we need to take all the effort we put into this month and extend that awareness indefinitely. Cybersecurity Awareness Forever.
Statistics continue to show that ‘we’, the human component of cybersecurity, remain one of the weakest links. One of the most recent statistics I like to reference is from the Verizon 2022 Data Breach Investigations Report (DBIR), which states that “82% of breaches involved the Human Element, including Social Attacks, Errors and Misuse.” This is extremely alarming and should be enough data to realize that we have a serious problem at hand, and that we as cybersecurity professionals need to do a lot better at raising awareness. On the flip side, we also need to continue to improve our cybersecurity posture with strategies like Zero Trust Architecture (ZTA), which uses a multi-layer security approach so that a single human error does not lead directly to a breach.
Because of this, we need to reassess our cybersecurity awareness, training, and testing programs. Traditionally, this type of program may not have existed at all, or may have been a one-time onboarding requirement or an annual event driven only by an audit requirement. Unfortunately, this is not good enough, and we need to evolve our user awareness, training, and testing programs to a much higher standard. This program should be its own dedicated function within your overall cybersecurity program, with dedicated time and resources committed to making it a success.
Your evolving program should be used to build a culture around cybersecurity for your users, not just in the work environment but in their personal lives. Awareness is far more effective when it is related to users personally, with real-life examples. The program should be an ongoing, year-round effort that is dynamic, engaging, and purposeful. If not, it just becomes another training activity that doesn’t get the needed message across. Your overall program should consist of many different awareness, training, and testing opportunities. A sample template could look like the following to get you started:
To be successful, you are going to need a solution that can provide dynamic, engaging, and purposeful content. As you mature your platform, you should be looking for intelligence, learning, and automation: the ability for a solution to understand your users’ behaviors and risk so that content can be delivered where it provides the most value. For example, if a user fails a phishing simulation or is compromised through a real incident, we need to make them aware of that failure and provide them with the relevant material to learn from it and continue to improve. Ideally, this feedback loop should be automated so that it happens consistently rather than only when someone remembers to follow up.
Remember, humans are our greatest asset, but they are also our greatest weakness when it comes to cybersecurity. We as cybersecurity professionals can change this!