National Cybersecurity Awareness Month is Over... Now What?

As we wrap up the 2019 National Cyber Security Awareness Month (NCSAM), let’s all agree that our work is not done. As a matter of fact, it’s far from being done. If we are really honest with ourselves, I would even go so far as to say that we have continued to lose ground in the battle against cyber criminals. Why would I say such a thing? Well, it’s the simple truth.

Year after year, the losses become greater, the impact of cyber attacks becomes more significant and, thanks to countless breaches, our private data becomes less private. Remembering back, my first memorable cyber incident was the “Melissa” virus back in 1999. This was a mass-email virus spread in a Word macro that sent itself to the first 50 contacts in Outlook. I was in a hallway meeting with my coworkers when all of our 2-way pagers (yes, I’m that old) went off at the same time. After reading the first couple of lines of the message, I made a run for the Exchange server and unplugged the network cable.

While the virus was not particularly damaging in itself, the load it put on my server caused it to crumble like a tower of Jenga blocks, which in turn, caused a ton of file corruption and sent me to the backup tapes. Between restoring the server and cleaning up the queued messages on the endpoints, I ended up spending about 26 hours fixing the issues. I thought it was bad. It felt like it was really bad.

Compared to the things we are seeing today, that was just a minor inconvenience.

So, with the stakes so high and the losses only getting worse, it’s time to admit that we are not making much progress. As much good as NCSAM does, it falls short in the same way that a single training event falls short of making a person an expert. Some people may learn a couple of things and they may even be a little more secure for a while; however, like a compliance check mark ticked off once a year, it doesn’t make things better.

There, I said it. Does this mean we are destined to fight a losing battle? Should I avoid buying green bananas? Of course not, but we do need a different strategy if we want to make a real difference. This means that we need to not only bring awareness to people, but also to change behavior. One of my favorite lines comes from a slide deck I pilfered from my colleague, Perry Carpenter. The slide says, “Just because I am aware, doesn’t mean I care.” That’s a truth that is hard to argue and one we need to remember.

If we really want to make a difference in this world, we need to get a message across that is more than just making people “aware”. We need to make them care, and this in turn will impact their behavior. The good news is, I am seeing a significant shift in this mentality just in the past few years. This is becoming very apparent in the security awareness industry as organizations are seeing the significant benefits of moving security awareness programs out of the compliance shadows and treating them as real security initiatives.

This means doing more than stuffing people in a room for an hour once a year and showing them a PowerPoint presentation. It means including training that feels less like training than entertainment, such as our groundbreaking Inside Man series. It means short, focused trainings throughout the year, and it means simulated phishing tests with a gamification element to promote competition and fun.

Shorter training, especially training that tells a story, helps the individual maintain focus and absorb more information than longer, mind-numbing training ever will. Having a story element helps make the training relevant and memorable and, if done well, helps tie the associated lesson to a relevant activity in their real world. For example, the story about the Japanese pop star who was tracked down and assaulted by a stalker after he found her train station through a reflection in her pupil in a selfie posted online is often remembered by people I know when taking their own selfies to post online. The act of taking the selfie makes them recall the story, then they look at the selfie more closely and critically, looking for things like this, before posting.

Likewise, simulated phishing tests remind users of what they learned in the training and give them a chance to practice those skills in a fail-safe environment. Gamifying the results of the simulated phishing tests promotes a sense of competition, which drives a strong habit of watching for phishing emails. I have seen organizations gamify the test using everything from departmental rivalries to competition for a prized parking spot, trophies, pizza parties or even cash awards for the winners to motivate the employees. Imagination is the key when it comes to this approach, but the results can be amazing.

So, where does that leave us as NCSAM wraps up? Well, it should leave us understanding that one month a year to focus on cyber security just isn’t enough. We need to be giving advice, sharing resources and evangelizing around better security practices throughout the year. There isn’t a compliance award for participating in NCSAM, so we shouldn’t treat it like a compliance exercise. Instead, we need to do our part to educate people about scams, tricks and other threats throughout the year while making it relevant and understandable to them. If we can do this, I have no doubt we will see a significant shift in the war against cybercrime.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!
