In the United States, the month of October is no longer just for marking the arrival of Fall and celebrating Halloween – it’s now an occasion for improving cyber security awareness training and boosting overall cyber security resilience. For the 16th consecutive year, October is National Cyber Security Awareness Month (NCSAM), and U.S. federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA) are co-sponsoring a number of meetings, training sessions, cybersecurity careers events, and public awareness campaigns around the broad theme of cyber security awareness training.
Key themes of National Cyber Security Awareness Month
The goal of National Cyber Security Awareness Month is to raise awareness about the importance of cyber security best practices, as well as actionable steps that individuals can take to make their homes and workplaces safer and more secure. It has the full support of the federal government, under the auspices of the Department of Homeland Security, and is specifically designed to create stronger links and collaboration between government and industry. At a time when hacker attacks against the nation’s critical infrastructure are an ongoing and ever-present threat, NCSAM 2019 is particularly relevant as a way for organizations to stay safe.
Lex Boost, CEO of Leaseweb USA, comments on the importance of recognizing NCSAM: “The perils of the internet continue to increase year after year, with cyber attacks becoming more frequent and more sophisticated. Large organizations, and even the federal government, have recently felt the sting of numerous attacks – illustrating the evolving and increasingly complex landscape we are living in. Cybersecurity Awareness Month is a great opportunity to raise awareness around the importance of taking cybersecurity measures to protect your business. While cybersecurity awareness month is only a month long, it is important to remember that cybersecurity awareness is an everyday job.”
The slogan for this year’s NCSAM is “Own IT. Secure IT. Protect IT.” The intention is for people to take greater personal responsibility for cyber security awareness training, in order to have a safe and secure online experience. In past years, the overarching message of NCSAM was “Our Shared Responsibility,” but this year, the emphasis has shifted to personal accountability.
For example, “Own IT” refers to all the steps that individuals can take to own their social media profiles, to make security top of mind, to become more aware of how the Internet of Things can impact cybersecurity, and to take greater interest in online privacy discussions. “Secure IT” refers to all the additional security measures – such as using stronger passwords and multi-factor authentication – that people can use to become more secure and to protect themselves from online hackers. Finally, “Protect IT” refers to all the steps that people can take to protect the digital home and digital workplace, such as by making Wi-Fi networks more secure.
Harold Sasaki, Senior Director of IT and TechOps at WhiteHat Security, suggests a few of the ways that individuals can put these ideas into practical use: “Only purchase online from well-known stores. Stores like Amazon, eBay, Walmart and Nordstrom spend a lot of money and resources to make sure your data is safe. Just because a store uses encryption does not mean that once they have your data that it is kept secure. Avoid smaller unknown sites that may or may not have the proper level of security for your data. Larger established companies also usually have a well-defined process for disputing purchases that may be fraudulent.”
In addition, says Sasaki, “Keep an eye on your credit card statements for unauthorized charges, even at stores you normally shop at. Use multi-factor authentication when possible. If a website or app allows for multi-factor authentication, the hassle is worth the extra level of security. This is usually in the form of a code that comes to your registered phone or email address. Keep social media content private. Unless you are a movie star, or these days a YouTube star, you should be careful about what personal data you post on social media. This is a common way that celebrities get hacked, as passwords are often derived from pets’ names, favorite foods, or other personal information. Public personal data also increases your risk for identity theft.”
Creating a new template for cyber security awareness training
Taken together, all of these different elements of “Own IT. Secure IT. Protect IT” can be used by organizations to create a very effective and robust cyber security awareness training program to address common cyber threats. The reality is that, despite all the media buzz about hackers, cyber threats, and nefarious schemes to infiltrate corporate computer networks, most corporations are not doing enough when it comes to cyber security awareness training.
This fact is highlighted by a recent GetApp data security survey, which found that 43% of employees do not receive data security training on a regular basis. And, in fact, 8% of employees never receive any data security training at all. To help companies come up with an appropriate cyber security awareness training program, GetApp provides a number of recommendations to complement its survey findings. For example, GetApp recommends that organizations first send out a questionnaire or survey to employees, asking them to answer a few basic questions about their current security practices (e.g. how often they update their passwords) in order to get a basic understanding of the company’s current data security profile. Based on that, it will become much easier to arrive at the proper elements to include as part of any cyber security awareness training program.
Trevor Bidle, VP of Information Security and Compliance Officer, US Signal, has a few suggestions of how to transform key training lessons into actionable business steps: “On the 16th anniversary of National Cyber Security Awareness Month, it’s important to think about how your organization can work to prevent and mitigate cyber attacks. Many organizations are turning to managed service providers to help implement, monitor and maintain a mixture of cybersecurity technologies, including cloud-based firewalls, DDoS protection and email security. In addition, 97 percent of participating organizations scan and test for vulnerabilities within their web applications. The recent number of organizations that are experiencing cyber attacks is jarring. The survey brings to light that there is always room for improvement in keeping up with modern cyber threats. National Cyber Security Awareness Month is a great opportunity to remind companies of the need for more robust security tools and managed services to help resource-strapped technical teams year round.”
The newest cyber threat: social engineering
As GetApp points out, hackers are currently evolving their techniques and coming up with new approaches for getting access to a company’s sensitive data or personal information. The latest form of hacker attack is known as the social engineering attack. In many ways, it resembles the old “con game” of the analog era, in which a crime is only pulled off after gaining the confidence (“con”) of the victims.
Thus, in a social engineering attack, the goal is first to gather as much intelligence and data as possible about an organization – how it is structured, who the top executives are, and how approvals are made for important corporate spending projects. From there, hackers will drill down into the type of data and information that they will need to carry out the attack. This might be as simple as scouring social media profiles or tapping into public records. In other cases, though, it might require the hacker reaching out via email, social media or even phone to “verify” certain details.
Once this has been done, the attack can be carried out. For example, one specialized form of the social engineering attack is known as “pretexting.” In this form of attack, the hacker poses as someone else – such as a top corporate executive or government official – in order to convince someone to approve a request, forward a certain document, or hand over login credentials.
The reason why these attacks are so successful, says GetApp, is that they tend to exploit human nature. Most people, by their very nature, are trusting and willing to help. Thus, when they get a request from someone claiming to be an authority figure, their first inclination is to help out – and this is exactly the weakness that hackers will exploit to achieve their end goal. Once this weakness has been found, that can set the stage for a malware infection or phishing attacks.
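The pretexting pattern described above (an executive's name on a message that actually comes from somewhere else, combined with pressure to approve a payment, forward a document, or hand over credentials) can be turned into a simple mail-filter heuristic that complements awareness training. The following is an added example written for this article, not code from GetApp or any vendor quoted here; the executive directory, the internal domain `example.com`, the indicator names and weights, and the sample messages are all constructed for illustration.

```python
"""Heuristic detection of executive-impersonation ("pretexting") emails.

Added example, not the article's own code. The directory of executives, the
internal domain, the indicator labels and the threshold are assumptions made
for this demonstration; a real deployment would load the directory from the
identity provider and tune the threshold against its own mail traffic.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: the organization's own domain and the executives whose names an
# attacker would plausibly borrow.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "raj patel": "raj.patel@example.com",
}

# Request types the article associates with pretexting, plus urgency language.
REQUEST_PATTERNS = [
    (r"\b(password|login|credentials|verification code)\b", "asks for credentials"),
    (r"\b(approve|authori[sz]e|wire|payment|gift card)\b", "asks to approve a payment or request"),
    (r"\b(forward|send me|attach)\b.*\b(document|file|report|w-?2)\b", "asks to forward a document"),
    (r"\b(urgent|immediately|right away|asap|before end of day)\b", "creates urgency"),
]


def _normalize(name):
    """Lower-case a display name and strip punctuation so it can be looked up."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def analyze_message(raw):
    """Return the list of indicators found in one RFC 822 message (empty = clean)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if msg.is_multipart():
        body = "\n".join(p.get_payload() for p in msg.walk()
                         if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}".lower()

    indicators = []
    name = _normalize(display)
    if name in EXECUTIVES:
        # The display name is an executive's, but the address is not the one we know.
        if addr.lower() != EXECUTIVES[name]:
            indicators.append("display name matches executive but address differs")
        if domain and domain != INTERNAL_DOMAIN:
            indicators.append("executive name sent from external domain")
    # A Reply-To that points somewhere else routes the victim's answer to the attacker.
    if reply_to and reply_to.lower() != addr.lower():
        indicators.append("reply-to differs from sender")
    for pattern, label in REQUEST_PATTERNS:
        if re.search(pattern, text, re.IGNORECASE | re.DOTALL):
            indicators.append(label)
    return indicators


def is_suspected_pretexting(raw, threshold=3):
    """Flag a message once it accumulates at least `threshold` indicators."""
    return len(analyze_message(raw)) >= threshold


# Constructed sample messages (not real mail).
PRETEXT_SAMPLE = """From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.jane.doe@gmail.com
To: accounts@example.com
Subject: Urgent wire approval

I am in a meeting and need you to approve a wire payment immediately.
Send me the vendor file as soon as you have done so.
"""

CREDENTIAL_SAMPLE = """From: IT Helpdesk <helpdesk@example-support.net>
To: staff@example.com
Subject: Account notice

Please confirm your password immediately to avoid suspension.
"""

CLEAN_SAMPLE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 report

Attached is the report for Q3. Let me know if you have questions.
"""

if __name__ == "__main__":
    for label, sample in [("pretext", PRETEXT_SAMPLE),
                          ("credential", CREDENTIAL_SAMPLE),
                          ("clean", CLEAN_SAMPLE)]:
        print(label, is_suspected_pretexting(sample), analyze_message(sample))
```

The threshold matters: the constructed helpdesk message trips only two indicators (credential request and urgency) and is not flagged at the default threshold, while the executive-impersonation message trips six. Tuning that threshold, and deciding whether a single "executive name from external domain" hit should be enough on its own, is exactly the kind of judgement the organization's own mail data has to inform.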
Shaily Shah, Founder and CEO of Blue Phish, believes that, “Most IT & Security professionals in organisations assume that the ‘end users’ are ‘stupid’ and that ‘you can’t fix stupid’, so it’s best to plug in high levels of technology to increase security. However, these end-users are not stupid, they just get accustomed to online behaviour which isn’t secure. Cybersecurity education, done right, can change these online behaviours.”
Training for more sophisticated hacker attacks in the future
Thus, one building block of any cyber security awareness training program needs to be awareness of how to deal with these social engineering attacks. And yet, by and large, most companies currently allocate little or no resources to this problem. According to GetApp, only slightly more than one in four companies (27%) provide any type of social engineering-related cyber security awareness training.
Clearly, there is much more that companies can be doing to protect their vital, mission-critical information and the personal information of their customers. While the problem can seem daunting, the good news is that cyber security awareness training is going mainstream. And, with month-long events like National Cyber Security Awareness Month (NCSAM), small and mid-sized businesses can finally get the help and assistance they need to be prepared for any cyber threat scenario.