Happy Cybersecurity Awareness Month, to those who celebrate. As we discussed last time, this annual event has now been running for 20 years. A lot has changed in the world in those two decades, especially when it comes to technology and cybersecurity.
It’s fair to say cybersecurity has become an ever-present part of our daily lives. The average person must now be constantly alert to malware and phishing attacks, and high-profile incidents such as the ransomware attack on the Royal Mail show that everyday services and well-known brands are being disrupted.
In the business world, security is permanently high on the agenda. Global cyber investment was estimated to be over $219bn this year – more than four times the average spend back in 2003. With all that in mind, it’s safe to say almost everyone is aware of cybersecurity. So, is Cybersecurity Awareness Month still relevant? It’s time to move the cyber narrative on to its next chapter: education.
There are a few ways we can achieve this.
Focusing on the human factor
The human element is often the weakest link in the cybersecurity chain, and most attackers exploit this fact. This is not pointing fingers at individuals just trying to do their jobs – systems that depend on people making the right call under pressure are naturally easier to attack than systems that do not. Verizon’s latest DBIR estimates that nearly three-quarters of breaches involve the human element, including social engineering, human error, and misuse.
While awareness campaigns have done well to highlight general risks, they fall short in addressing the nuanced behavioural aspects that lead to vulnerabilities. Focusing on education around social engineering tactics is crucial.
Organisations must invest in behavioural training to equip employees with the skills to identify and counteract social engineering attempts effectively. There also needs to be more effort in the public sphere to educate users about the most common tactics. This requires collaboration between the cyber industry, governmental bodies, and individual brands to drive the message home.
Educating on specific threats
Cyber threats have become increasingly specialised and targeted, outpacing the general awareness campaigns of yesteryear. With fast-moving and extremely damaging tactics like ransomware and data exfiltration becoming the norm, we need a more specialised form of cyber education.
Enterprises must move beyond basic cybersecurity hygiene to offer more in-depth training in these technical areas. This will not only prepare them for the specific challenges they face but also equip them with the tools to counteract evolving threats proactively. While it’s by no means fair to expect ordinary personnel to shoulder responsibility for these attacks, the more they know, the greater the chance they can help mitigate a serious incident.
Integrating cybersecurity into education sooner
The increasing prevalence of cyber threats makes a compelling case for integrating cybersecurity education into academic curriculum. Starting this education at the school level can lay a strong foundation for future cybersecurity professionals and informed digital citizens.
However, this is not without challenges. Cyber threats move quickly, and specific knowledge will often be outdated by the end of a semester, let alone the academic year. This means it would be more beneficial to focus education on wider trends and issues – for example, learning about the Log4j vulnerability not as a one-off, but as an illustration of how a flaw in one widely used library becomes a supply chain threat to everything built on it.
The good news is that many countries and agencies, such as the UK’s NCSC, are already pushing for a greater focus on cyber education earlier in life.
The #CyberFirst Girls Competition is designed to help girls turn a passion for tech into a career in cyber security. With the chance to win cash prizes, laptops and more, it’s great for schools too.
— NCSC UK (@NCSC) October 17, 2023
Metrics and KPIs for cyber education
Just as businesses measure the ROI of their cybersecurity investments, it’s imperative to evaluate the effectiveness of cyber education programmes. Metrics and Key Performance Indicators (KPIs) can provide valuable insight into whether these initiatives are working. For example, tracking the click rate in phishing simulations, together with the rate at which employees report the simulated email, gives a tangible measure of awareness and preparedness; the report rate and the time taken to report are usually the more telling figures, since a falling click rate on its own can simply mean the lures were easier to spot. These metrics serve as a feedback loop, enabling organisations to refine their educational programmes and adapt to new cybersecurity challenges.
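As an added illustration, and not code from the original article, the following Python computes those KPIs per campaign from a constructed set of phishing-simulation results. The campaign names, user names and timings are made up, and the data shape (sent, clicked and reported timestamps per recipient) is an assumption about what a simulation platform exports.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Optional

@dataclass
class SimulationResult:
    """One recipient's outcome in one simulated phishing campaign (assumed export shape)."""
    campaign: str
    user: str
    sent_at: datetime
    clicked_at: Optional[datetime]    # None if the lure was never clicked
    reported_at: Optional[datetime]   # None if the user never reported it

# Constructed sample data: two quarterly campaigns, same five recipients.
_BASE = datetime(2023, 10, 2, 9, 0)

def _row(campaign: str, user: str, clicked_min: Optional[int] = None,
         reported_min: Optional[int] = None) -> SimulationResult:
    """Build a result row from minutes-after-send offsets (constructed data helper)."""
    clicked = _BASE + timedelta(minutes=clicked_min) if clicked_min is not None else None
    reported = _BASE + timedelta(minutes=reported_min) if reported_min is not None else None
    return SimulationResult(campaign, user, _BASE, clicked, reported)

SAMPLE_RESULTS: List[SimulationResult] = [
    _row("2023-Q1", "alice", clicked_min=3),
    _row("2023-Q1", "bob", clicked_min=15, reported_min=20),  # clicked, then reported
    _row("2023-Q1", "carol", clicked_min=40),
    _row("2023-Q1", "dave"),                                  # ignored the email entirely
    _row("2023-Q1", "erin", reported_min=8),
    _row("2023-Q2", "alice", reported_min=5),
    _row("2023-Q2", "bob", clicked_min=10),
    _row("2023-Q2", "carol", reported_min=12),
    _row("2023-Q2", "dave"),
    _row("2023-Q2", "erin", reported_min=2),
]

def campaign_kpis(results: List[SimulationResult]) -> Dict[str, dict]:
    """Per-campaign click rate, report rate and median minutes to report.

    Report rate counts anyone who reported, including users who clicked first;
    a click followed by a report is still useful signal for the SOC.
    Recipients who neither clicked nor reported are counted separately as
    'ignored', because silence is not evidence that the lure was recognised.
    """
    by_campaign: Dict[str, List[SimulationResult]] = {}
    for r in results:
        by_campaign.setdefault(r.campaign, []).append(r)

    kpis: Dict[str, dict] = {}
    for name, rows in by_campaign.items():
        sent = len(rows)
        clicked = sum(1 for r in rows if r.clicked_at is not None)
        reported = sum(1 for r in rows if r.reported_at is not None)
        ignored = sum(1 for r in rows if r.clicked_at is None and r.reported_at is None)
        delays = [(r.reported_at - r.sent_at).total_seconds() / 60
                  for r in rows if r.reported_at is not None]
        kpis[name] = {
            "sent": sent,
            "click_rate": clicked / sent,
            "report_rate": reported / sent,
            "ignored_rate": ignored / sent,
            "median_minutes_to_report": median(delays) if delays else None,
        }
    return kpis

def improved(kpis: Dict[str, dict], earlier: str, later: str) -> bool:
    """True only if clicks fell AND reports rose between two campaigns.

    Requiring both guards against reading an easier lure (lower clicks,
    no change in reporting) as evidence that training worked.
    """
    a, b = kpis[earlier], kpis[later]
    return b["click_rate"] < a["click_rate"] and b["report_rate"] > a["report_rate"]

if __name__ == "__main__":
    stats = campaign_kpis(SAMPLE_RESULTS)
    for name in sorted(stats):
        print(name, stats[name])
    print("Improved Q1 -> Q2:", improved(stats, "2023-Q1", "2023-Q2"))
```

The same computation can be run per department or per region by grouping on an extra field, which is usually where the actionable differences show up.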
After twenty years of raising awareness, it’s time to move on. Businesses can build a more resilient cybersecurity posture by focusing on the human factor, specialised threats, academic integration, and measurable outcomes. Now is the time to focus on more comprehensive cyber education.