Cyber Security Awareness Month, in Europe and the US, is part of a broad effort to help people stay safe and secure online. The initiative was launched in 2004 in the US and 2012 in Europe. This year the US event focused on “See Yourself in Cyber”. In Europe the effort promoted phishing and ransomware awareness.
We obviously support any effort to improve cybersecurity awareness. People are the weakest link in an organisation’s security efforts. Teaching them simple steps they can take to protect themselves online is important. It is still far easier for an adversary to trick someone into revealing a password or clicking on an email link than it is to penetrate a well-protected network. Good cyber security awareness can protect organisations from financial losses, compliance penalties, and reputational damage.
Yet, after years of events around an annual “Awareness Month,” exploiting poor cyber security awareness remains the primary attack vector in data breaches.
The 2022 Verizon Data Breach Investigation Report found that 82% of breaches in the previous year involved social engineering, and phishing click rates continue to rise. Once attackers gain a foothold, they can establish command and control channels, move laterally to identify target data, encrypt data for ransomware demands, or steal sensitive information.
Cyber Security Awareness “Month”?
So yes, we support Cyber Security Awareness Month. It brings needed attention to a problem we have worked on solving for years. It may prompt some organisations to take their first steps to improve security awareness in their workforce or make their existing programs stronger. We just object to treating cyber security awareness as an annual event.
Learning is not a one-time event. One does not learn to speak a new language or play a musical instrument by focusing on the task once each year. The same is true for recognising and avoiding cyber security threats. Learning to do any of these takes time and repetition.
When training sessions are events held once or twice each year to meet compliance requirements, students do not retain knowledge. The famous Ebbinghaus Forgetting Curve shows that students forget over 75% of a lesson in the first week alone. By the end of a month, students retain only 21% of the lesson.
Building Employee Awareness
Teaching is a process, not an event. This includes teaching cyber security awareness. Studies show that the downward slope of the Forgetting Curve can be reduced with regular reinforcement of the lessons. These reinforcements need not include all the information from the lesson. The goal is to keep the learner thinking about the material and putting it to practical use.
Building a Cyber Awareness Culture
Cyber security awareness “month” can seem like a gimmick. An effective cyber security awareness program must be practiced 12 months of the year using a variety of tools and techniques.
eLearning lessons are certainly part of any successful program, but teams should reinforce lessons regularly through reminders, phishing simulations, micro-lessons, screensavers, and posters. Lessons should be geared to the different threats facing an organisation.
Training for finance teams should be tailored to the specific threats within the department. IT organisations must be alert for privileged credential theft. Everyone requires ongoing training for phishing and ransomware attacks.
A cyber security awareness program is an important part of an overall risk assessment. Those responsible for awareness programs must be able to track progress through reporting and initiate corrective actions where risk remains in the organisation. If individuals or teams score poorly on training, remedial training should be automatically scheduled.
Most importantly, organisations that are committed to cyber security awareness and online safety recognise the need for executive support. Regular messaging directly from senior leadership about the need for cyber security hygiene – and why it is a priority for the business – helps build a long-lasting security culture.