October is Cybersecurity Awareness Month (CSAM), which means that email and social media are flooded with cybersecurity training content. Ideally, this results in better corporate security as companies refocus on training employees to identify and respond to attacks. However, CSAM as it exists today may not be enough.
Is CSAM Enough?
Every October, cybersecurity awareness campaigns double down on teaching employees about cyber risks. Despite these efforts, the state of end-user security is not improving. According to the 2022 Verizon Data Breach Investigations Report (DBIR):
- The use of stolen credentials figures in approximately 45% of data breaches, pointing to weak or reused passwords and successful phishing attacks
- 82% of the data breaches analyzed in the report (covering 2021) involved the human element
If CSAM and awareness training were working as intended, the rate of breaches and other incidents enabled by an organization's own employees would be declining. This is especially true for incidents involving weak or compromised credentials, because the relevant best practices (a strong, unique password, a password manager, and multi-factor authentication) are controls an organization can actually roll out during CSAM and that keep protecting it for the rest of the year. Staying safe online and applying personal security measures are steps employees need to take year-round, not just in October, and CSAM cannot be truly effective if security programs push these principles for only one month.
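Two of the credential controls named above, shown as working checks rather than as a slide in a training deck. This is an added example written for this page, not MorganFranklin's code or any product of theirs. The blocklist and the 12-character minimum are assumptions chosen for illustration (NIST SP 800-63B requires at least 8 characters and screening against commonly used passwords; a real deployment would screen against a breached-password corpus rather than a six-word set). The TOTP routine follows RFC 6238 with HMAC-SHA1, and the shared secret used in the usage call is the RFC's published test secret.

```python
"""Password screening plus a TOTP second factor (RFC 6238).

Added example, not code from the original article. The blocklist below is
constructed for illustration only; MIN_LENGTH = 12 is an assumption.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed sample blocklist. A production check screens against a
# breached-password corpus (e.g. via a k-anonymity range lookup) instead.
BLOCKLIST = {"password", "qwerty", "letmein", "welcome", "iloveyou", "football"}

MIN_LENGTH = 12  # assumption; SP 800-63B mandates >= 8 and discourages composition rules


def evaluate_password(password: str) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Length and blocklist screening only: no "one uppercase, one symbol" rules,
    which SP 800-63B advises against because they push users toward
    predictable decorations of weak words.
    """
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if password.isdigit():
        return False, "digits only"
    lowered = password.lower()
    if lowered in BLOCKLIST:
        return False, "appears on the blocklist"
    # Catch trivial decorations such as "Password2022!" by stripping
    # everything except letters before the blocklist lookup.
    core = "".join(ch for ch in lowered if ch.isalpha())
    if core in BLOCKLIST:
        return False, "blocklisted word with trivial decoration"
    return True, "ok"


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the current time step with HMAC-SHA1."""
    counter = for_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, now: Optional[int] = None,
                window: int = 1, step: int = 30) -> bool:
    """Accept the code for the current step or for +/- `window` adjacent steps
    to tolerate clock skew. Comparison is constant-time to avoid leaking
    which digits matched."""
    now = int(time.time()) if now is None else now
    return any(
        hmac.compare_digest(totp(secret, now + skew * step, step), submitted)
        for skew in range(-window, window + 1)
    )


def login_check(password: str, code: str, secret: bytes, now: Optional[int] = None) -> bool:
    """Both factors must pass: a strong password alone is not enough."""
    return evaluate_password(password)[0] and verify_totp(secret, code, now)


if __name__ == "__main__":
    # RFC 6238 test secret ("12345678901234567890") and its vector at T=59.
    rfc_secret = b"12345678901234567890"
    print(evaluate_password("Password2022!"))          # rejected: decorated blocklist word
    print(evaluate_password("correct horse battery staple"))
    print(totp(rfc_secret, 59))                        # 287082
    print(login_check("correct horse battery staple", "287082", rfc_secret, now=59))
```

The skew window matters in practice: a user whose phone clock is 20 seconds behind would otherwise be locked out, while a window of more than one step widens the guessing surface, so pair it with rate limiting on failed codes.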
How Can CSAM Improve?
One of the biggest shortcomings of CSAM is its underlying premise. Its goal is to draw attention to cybersecurity during the month of October, in the hope that end users will then adopt good practices, such as using a strong password. But threat actors operate year-round, not just in October, and much of the training delivered during CSAM produces short-term gains that never become part of an employee's daily habits.
For example, an effective anti-phishing program educates employees on the latest techniques and pretexts used in phishing attacks, but those change constantly. In October 2019, no one was training employees on COVID-19 lures, which became one of the top pretexts only a few months later. Phishers follow current events and keep evolving their techniques, so a single October briefing is stale by spring.
Concentrating awareness training into one month a year limits its efficacy. Instead, organizations should aim to build a security mindset into their culture. Basic awareness content belongs in any training program, but security leaders need to go a step further and create an environment in which employees habitually notice and report potential threats. With a security-focused culture, training keeps paying off year-round, not just during CSAM.
How MorganFranklin Can Help
CSAM is a great time to kick off new security initiatives and rekindle interest in cybersecurity, and the information shared during the month is valuable for organizations and end users alike. However, thinking about cybersecurity only once a year, or once a quarter or month, is not effective. Awareness training needs to be ongoing, up to date, and ingrained in the culture of an organization.
Developing, deploying, and sustaining an effective cybersecurity awareness training program can be difficult. MorganFranklin advisors can help your organization to craft a cybersecurity awareness program that provides visibility into current cyber threats, uses techniques that engage users and boost retention, and runs year-round, not just in October.