Where Next After National Cyber Security Awareness Month?

As we wrap up another National Cyber Security Awareness Month and head into a new decade, it’s time to look back and forward to ask what it will take to move the cybersecurity action needle in America?

Quick: What is the theme of this year’s National Cyber Security Awareness Month (NCSAM)? 

If you said: “Own IT. Secure IT. Protect IT” — Congratulations! You have passed the one-question quiz. You also represent the less than 1 percent of Americans who are truly champions for cyberhygiene and leading the charge to help others stay safe online in meaningful ways.

On the other end of the scale we find the majority of Americans who neglect cybersecurity basics. According to a survey highlighted in PC Magazine from earlier in 2019, even after more than a decade of urgings, warnings, security awareness months, enterprise security awareness campaigns and more, most individuals are getting a D-rating (grade) when it comes to cyberhygiene.

“The survey of 10,000 US adults (200 from each state), conducted in February in partnership with Wakefield Research revealed that most Americans are ‘overconfident’ about their cybersecurity posture. Nearly nine out of ten respondents (88 percent) said they believe they are taking the appropriate steps to protect themselves from cybercrime. In reality, just 10 percent are. …”

But before we take a big step back and look at why we are where we are (and the possible future online in the 2020s), we need to give credit where credit is due. My good friend Kelvin Coleman, who is the executive director of the National Cyber Security Alliance, and his team and partners are doing a very good job (again) of getting the word out on cyberprotections and cybersafety. The list of announcements, events and continuing opportunities for National Cyber Security Awareness Month (NCSAM) was again impressive this year. Likewise, the number of public- and private-sector participants continues to grow.      

To offer a few examples, the White House again issued a Presidential Proclamation on Cyber Security Awareness Month. President Trump’s words are clear and well written. Here’s an excerpt: “As we continue working to fortify our country’s cybersecurity infrastructure, it is imperative that all Americans use best practices in online security. During National Cybersecurity Awareness Month, I urge all citizens to spread awareness on ways they can mitigate risks, safeguard personal and professional data, and contribute to the safety and prosperity of our Nation. …”

Universities, like Princeton University, were/are also all-in regarding NCSAM. In a similar way, the FBI made it a top website topic.

Numerous Fortune 500 companies continue to offer global programs and security awareness events. In January of this year, I highlighted one such effort at Lear Corporation, which focused on what they did in October 2018. I am told by trusted partners that their events were even better in 2019.

The Center for Internet Security (CIS) highlighted cyberawareness again this month with the Multi-State ISAC offering their annual free toolkit to state and local governments and others.

Recap on NCSAM

So how did this all begin?

First, the 15-year history of this issue has many exciting chapters and bipartisan support. Here’s what the Stay Safe Online website says:

“National Cybersecurity Awareness Month (NCSAM) was launched by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) in October 2004 as a broad effort to help all Americans stay safer and more secure online.

When NCSAM first began, the awareness efforts centered around advice like updating your antivirus software twice a year to mirror similar efforts around changing batteries in smoke alarms during daylight saving time.

Since the combined efforts of NCSA and DHS have been taking place, the month’s effort has grown in reach and participation. Operated in many respects as a grassroots campaign, the month’s effort has grown to include the participation of a multitude of industry participants that engage their customers, employees and the general public in awareness, as well as college campuses, nonprofits and other groups.

Between 2009 and 2018, the month’s theme was “Our Shared Responsibility.” The theme reflected the role that we all — from large enterprises to individual computer users – have in securing the digital assets in their control.

In 2009, DHS Secretary Janet Napolitano launched NCSAM at an event in Washington, D.C., becoming the highest-ranking government official to participate in the month’s activities. In subsequent years, leading administration officials from DHS, the White House and other agencies have regularly participated in events across the United States. …”

Along the way, I remember the “buzz in the air” and the call to cyberaction from the remarks of Secretary Janet Napolitano, who came to Michigan in 2011 to launch NCSAM nationwide at our Michigan Cyber Summit. 

The agenda was packed with featured speakers including:

— Michigan Governor Rick Snyder

— Howard Schmidt, White House Cybersecurity Coordinator and Special Assistant to the President

— Congressmen John Dingell, Mike Rogers and Hansen Clarke.

In addition to our public-sector leaders, the lunch keynote presentation by Richard Stiennon offered an informative and thought-provoking global view on cyber.

The afternoon breakout panels in five tracks contained participants that are generally tough to get as keynote speakers for other events — with senior execs from Facebook, Microsoft, Google, Symantec, AT&T, Comcast, Unisys, IBM and many others.

That event led to numerous other cyberinitiatives and new ideas being implemented that were recognized by FEMA and have been taken up by governments all over the country. These include ideas like creating a cyber-range, cyberdisruption response plans/strategies, and a state cybercivilian corps.

We were ready to change the cyberworld, and we did do many direction-changing cybersecurity projects.  

There are plenty of other great moments in the brief history of NCSAM all over the country. Besides local government or corporate events, there are an abundance of online webinars and live-streamed events to participate in each year.

In 2017, we examined why NCSAM mattered as much as ever before, and the value of the month and events isn’t going away anytime soon. In fact, many companies now celebrate NCSAM all over the world, and other countries have adopted October as the month to get your cyberhouse in order.



Where Next for Cybersecurity Awareness?

Nevertheless, some readers are likely thinking: Haven’t we seen this cyber movie before? Why are the cyberhygiene numbers at the start of this blog so stubbornly low?

No doubt, the majority in America still don’t know that cyberawareness month even exists.

As a test, I googled: “October Awareness Month.” The top results were:

— Breast Cancer Awareness Month (Worldwide, currently running)

— Down Syndrome Awareness Month (United States, currently running)

— Healthy Lung Month (United States, currently running)

— Liver Awareness Month (United States, currently running)

 

So as another version of National Cyber Security Awareness Month (NCSAM) draws to a close, I inevitably ponder a series of additional questions regarding the Internet, cybersafety and where we are improving or failing as public- and private-sector entities regarding cybersecurity in our nation.

Questions that go well beyond one month or one launch or one big event.  

Questions like: Are we making a lasting difference? Really? What is working best and what isn’t working?

How can we do better? Where are we succeeding and failing as individuals, families, enterprises and society? What emerging online risks are coming next that we need to prepare for?

In my opinion, we are not lacking industry articles on these security awareness topics or on getting security culture change. Do we need a name change when it comes to security awareness training?

But just as celebrating the Thanksgiving holiday with an extra nice meal does not automatically make one thankful, so celebrating NCSAM has never been the ultimate goal.

Bottom line: Is this the best we can do? What’s next that can turn the tide of ransomware stories, cybercrime and online protections for the world?    

Some are advocating for us to all go on the attack and become cybervigilantes. But I have real concerns with everyone hacking back. Attribution is very hard online, and I fear that, if we go this direction as a society, the future will become like the current gun debate in America.  

I could list other potential approaches, but I’d like to hear from you: Where do we need to go in the 20s? What more can we do? Scratch that — WHAT MORE MUST WE DO?

Please reach out via LinkedIn or Twitter to share ideas and discuss this topic with others in the industry. One thing I know, we need to do better, because challenges are getting worse in cyberspace. As my high school football coach taught me, you can’t keep doing the same things and expect a different result.

Note: I will be posting this blog in multiple LinkedIn forums such as the Information Security Community, so please share your perspective and ideas.

Final Thoughts

It is easy to get discouraged when it comes to cybersecurity, cybersafety, security awareness and more. The daily deluge of data breaches and technology failures can get anyone down over time.

Nevertheless, we must stay positive. Lasting cybersecurity pros know this, and persistence, vigilance and resilience are certainly required for the next decade.

The Wall Street Journal just ran an article saying it’s time for a Web reboot.

Other industry experts offered this Better Cybersecurity Coalition prescription for online improvements in cyber.

But perhaps the hardest part, even with helpful cybersecurity industry changes being implemented, is that our significant security awareness challenges inevitably get very personal.

The New Yorker ran this article on how to break bad habits, with research saying that relying on will power is hopeless. Instead, we must find strategies that don’t require us to be strong. (Read the first paragraph to get the gist of the challenges we face in changing habits.)  

In my view, our mindset needs to remember John F. Kennedy’s famous words:

“Ask not what your country can do for you — ask what you can do for your country.”

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.