What’s the point of Cybersecurity Awareness Month?
Date: 11 October 2021
Cybersecurity Awareness Month is celebrated every October, but for us at Cyber Management Alliance, every day is cybersecurity awareness day! In that spirit, this blog covers some of the most essential aspects of cybersecurity awareness.
Stop saying Don’t! Now!
We need to get this off our chest so let’s tackle this first. We are sick and tired of saying:
- Don’t open the email
- Don’t click the link
- Don’t share your password!
- Don’t open the file!
- Don’t blah blah blah blah
If the ‘Don’t do this’ awareness message worked, there would be global peace! Seriously. Humans will make mistakes; to get a bit religious for a second, to err is human.
Your staff needs to know that it’s ok to make mistakes and, even more importantly, that they should own up to their mistakes without fear of punishment! Not easy, but really important.
We discuss this in more detail in our Cyber Incident Planning & Response (CIPR) public and internal workshops, which are certified by the UK Government’s NCSC.
Is the Human Still Relevant?
The obvious answer is yes! You may have read this cliché many times over; however, the human plays a critical role in ensuring that a cyber attack is not successful. So, the answer is still a loud and resounding yes.
Although technology is equally important, the human mind plays a crucial role in detection and response. No matter what people say about automation and artificial intelligence, human involvement, at least for the next several years and maybe decades, is still relevant. Hence the importance of Cybersecurity Awareness Month.
So what is the secret of becoming a mature, cyber resilient organisation? Read on.
Cybersecurity Awareness & Resilience - What’s the Link?
Cyber Management Alliance Ltd is very successful in making our clients fully cyber-resilient, enabling them to protect against known threats and to rapidly detect, respond to and recover from advanced cyber-attacks.
So what’s the secret to a mature, cyber resilient organisation?
Let’s start with a couple of DON'Ts.
- Don’t bore the human to sleep with PowerPoints. Please. Seriously, don’t. You are NOT going to raise an individual’s cybersecurity awareness with useless and ineffective PowerPoint presentations.
- Don’t assume MONTHLY phishing emails are the solution to raising awareness.
- Don’t, PLEASE don’t solely rely on animations and/or video clips to raise cybersecurity awareness in humans. They do play a role, yes. But are they enough? No.
Conduct Cyber Tabletop Exercises.
We cement and embed cybersecurity awareness at every organisational layer by deeply engaging with the human, and one really effective method we use is conducting carefully planned, professionally delivered cyber tabletop attack simulations designed for senior executives, management and technical teams. We call this the Cyber Crisis Tabletop Exercise (CCTE).
Nope, internally conducted tabletop exercises are not that successful. Trust me. Most of our Cyber Crisis Tabletop Exercise clients had already conducted internal tabletop sessions, and they now call us back for repeat sessions.
Target the executive branch
Why? Because they are the decision-makers. But equally importantly, they are privileged users. In many cases the executive branch has the privilege to access a confidential file or the privilege to approve a salary. You get the point.
Another cliché, and again very true: change starts from the top. If the CEO doesn’t understand, and hence doesn’t care about, cybersecurity, the rest of her/his cohort is going to follow suit.
We use our Executive Briefing and Awareness Sessions (EBAS) to tackle this challenge head-on. No boring PowerPoint presentations: human-to-human, carefully planned, deeply engaging 45- to 60-minute sessions with the CEO, the CFO, COO, CMO, legal and other executives.
Our clients for EBAS include Councils, Banks, Wealth Management, Health, Pharmaceuticals and retail, amongst other sectors.
Extra Love and Care for the Privileged User!
Yup. Super important. The next thing we recommend you do in this month of cybersecurity awareness, and then continue doing regularly, is to educate the privileged technical user.
This is not about giving them a technology lesson, nor about teaching them how to operate technology. It is about sitting down with them, face to face or via Zoom or Microsoft Teams, to ensure they understand their responsibility.
Remember that the privileged user (or, more importantly, their credentials) can cause catastrophic damage to your cyber security posture and your business operations, and in many cases can pretty much bring a business to its knees.
What does tackling the privileged user mean?
- Sit down with them and explain your concerns.
- Sit down and listen to their human side. Yes. Techies are humans too.
- Do the same with your HR admin, Salesforce admin and CRM admin.
Whoops, I messed up. Sorry.
We strongly recommend you sit down with key people from finance, HR and system administration and tell them: ‘It’s okay to admit you’ve made a mistake!’
Why is this relevant?
As we discussed at the beginning, people are sick and tired of being told not to open any emails or click on links.
The message you need to share with critical people, like the finance folks who love macros, is this: it’s ok if they do open a macro from an unknown source, but they should let you know. For the IT people who control your digital operations, it’s okay for them to make a configuration mistake.
It’s a difficult balance, yes, but imagine if someone made a mistake which caused a major outage and you had no idea how it happened.
You want to give the admin the space to admit the configuration error.
Coming back to the question we started this blog with: is Cybersecurity Awareness Month a pointless exercise? Absolutely not. If it were, we wouldn’t be doing what we do!
Like every other commemorative month, week or day, the idea is simply to turn the conversation back to the subject, put it under the spotlight and reassess your relationship with it. In this case, you’d be reassessing where your organisation stands in terms of its security posture.
It’s a great occasion to evaluate how aware your staff, executives and privileged users are of their responsibilities towards cybersecurity, and to look at the best possible ways to plug any gaps. Reach out to us for more information.
Check out our NCSC-Certified Cyber Incident Planning & Response Course.
You might also be interested in reading all about our Cyber Crisis Tabletop Exercises and how they can help your organisation.