It’s October. Are you aware of cybersecurity yet?
Few people overtly oppose Cybersecurity Awareness Month, though you wouldn’t know by looking at Twitter.
The most common complaints fall into two main categories, the first being organizational: There’s just too much going on at once. Dustin Volz, a Wall Street Journal reporter, pointed this out on Twitter on Oct. 6, writing, “At least four DC-based cyber conferences happening today, with many of the same speakers rotating through. Some made news, but easy to get lost in the cacophony of noise. Most recycle exact same talking points to largely overlapping audiences. Who is this serving?” The investigative journalist Kim Zetter made a similar observation, concluding that “October becomes cyber fatigue month.”
The other category of criticism is more cynical. It’s not just that Cybersecurity Awareness Month is poorly implemented at times, but that it’s become a bit of a farce: just more box-ticking from the bureaucrats while the threat of disruptive cyberattacks gets worse. Cybersecurity is too important, these critics argue, to be crammed into a single month. As NBC cybersecurity correspondent Kevin Collier tweeted, “November 1, Cybersecurity Ignorance Year resumes.”
‘It’s not for you’
Lisa Plaggemier, the interim executive director of the National Cyber Security Alliance, which launched Cybersecurity Awareness Month in 2004, told StateScoop that while many of these objections are valid, the critics are missing an opportunity to contribute in constructive ways — like speaking about cybersecurity at their local grade school, for example.
“I have seen some grumpy security professionals on Twitter who are saying they’re kind of tired of Cybersecurity Awareness Month,” Plaggemier said. “But my answer there is that it’s not for you. You’re not the intended audience. This isn’t about raising awareness among security professionals. It’s for everybody else. It’s for people like my mom, it’s for people like my kids. And if you’re tired of it, it’s actually because you’ve been paying attention. But the vast majority of people aren’t paying attention.”
The NCSA recently published a study showing that nearly half the public has never heard of multi-factor authentication. But the upside is that the technology is sticky: About 90% of those who use it once continue using it, the study found. Plaggemier, who’s worked in marketing at Ford Motor Company and CDK Global, said that if you’re sick of hearing about cybersecurity, that means the campaign is working.
‘Top-down executive sponsorship’
While Plaggemier promotes Cybersecurity Awareness Month as useful programming with some caveats, many government officials’ relationship with the observance borders on religious adherence. That’s not surprising, as “awareness” aligns closely with government’s mission of setting policies and encouraging shifts in “culture.”
California Chief Information Security Officer Vitaliy Panych told StateScoop he likes the month because it gives government and the cyber industry an opportunity to rally around a consistent narrative and set of facts. The White House’s proclamation this year notes that ransomware attacks have delayed essential services, “putting the lives and livelihoods of Americans at risk,” as cyberattacks hit everything from mom-and-pop shops to hospitals and critical infrastructure.
“It provides this high-level, top-down executive sponsorship and recognition that, hey, everybody — from a general constituent user, resident to a business owner to a network operator to a department — needs to be vigilant and aware,” Panych said. “Everybody has a stake in protecting not only themselves but everyone they interact with in the cyber realm.”
Panych said a lot of things like this — exactly the kinds of obvious warnings that cybersecurity professionals are tired of hearing — but he also turned some criticism back on the industry, highlighting just why the month is needed.
“Our industry is highly focused and targeted towards securing the enterprise,” he said. “Small and medium-sized businesses are underserved. They’re struggling. Even public sector organizations are struggling that are small, underfunded organizations.”
He also pointed out that many older people and people who speak English as a second language fall victim to scams and phishing attacks. (Panych, who immigrated to the United States from Ukraine when he was six years old, said he’s seen this in his family.) In so many words, he was echoing Plaggemier’s point: If you’re tired of hearing about cybersecurity awareness, it’s because it isn’t for you.
‘Look at the hard data’
As for the charge that Cybersecurity Awareness Month is an empty gesture, Panych said responsibility falls on each organization to plan meaningful efforts that persist throughout the year, so cyber hygiene reminders don’t fade like a New Year’s resolution that’s forgotten before Valentine’s Day.
Some organizations are just “checking a box” and doing “next to nothing,” said Tim Crothers, senior vice president and chief security officer at the cybersecurity firm Mandiant. But others, he said, take it “super seriously and get a lot of value out of it.” Mandiant, incidentally, uses October as a chance to loosen up its internal, biweekly phishing exercises by introducing Halloween themes. Crothers said most of the people who work there are already “aware” and that their phishing exercises, held year-round, are notoriously challenging.
But even for those inured to the threat of cyberattacks, October can be a chance to take stock of what’s been happening and “break out of the miasma,” Crothers said. Some have suggested switching to a quarterly or monthly awareness day or weeklong format, but in every case, there’s broad agreement that pounding the public with cyber scares every day is untenable. No one has the attentional bandwidth to exert the appropriate amount of concern about every worthy cause in every moment, so October it is.
But the most important fact in the discussion about cybersecurity awareness, Crothers said, whether you’re annoyed with the special month or not, is that cyberattacks are continuing to rise.
“Let’s just look at the hard data,” he said. “There are more breaches year on year. In 2021 already we’ve surpassed 2020 and that shows no signs of stopping, so until we manage to turn that corner and figure out how to defend better, [Cybersecurity Awareness Month] won’t go away anytime soon.”
Ban the hoodie hacker
If October is to be cybersecurity overload month in perpetuity, then how can government and industry make the most of it? Plaggemier said the industry should recognize that spreading fear, uncertainty and doubt only makes people disengage. NCSA’s behavioral research shows that equipping people with knowledge and capability isn’t enough — they need motivation, too.
“If it was up to me, we would ban all pictures of hackers in hoodies and binary floating across the screen and pictures of skulls and crossbones,” Plaggemier said. “All that garbage, we would just get rid of all of it. To me, that’s not motivating. Security folks are usually glass-half-empty people and we have to realize that not everybody sees all the stuff we see every day. We have to do a better job of communicating and relating to the public.”
And though it may not be anytime soon, Crothers said he thinks the month could be retired someday.
“I do feel like in conversing with my grandkids, for instance, they definitely have a more innate sense of a lot of these concepts,” he said. “They know for instance a root cause of a lot of the phishing success is people predominantly still seem to automatically trust email and aren’t maybe as skeptical as ideally they would be. That feels like maybe the start of something.”
This story was featured in FedScoop Special Report: Cybersecurity - A StateScoop and EdScoop Special Report