Cybersecurity Awareness Month: Has it Made an Impact?

(October 2, 2023)

Each October, cybersecurity professionals and enthusiasts around the world unite to observe Cybersecurity Awareness Month. This annual campaign, which began nearly two decades ago, serves as a crucial reminder of the ever-present need to protect our data and infrastructure against threat actors. In this article, we'll take a look at how it started, its message, and, most importantly, its impact on cybersecurity. Has Cybersecurity Awareness Month increased our cybersecurity awareness?

The Inception of Cybersecurity Awareness Month

Cybersecurity Awareness Month, often abbreviated as NCSAM (National Cybersecurity Awareness Month), originated in the United States. It was first launched in 2004 by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security (DHS) as a response to the escalating threat landscape in cyberspace. The primary goal was to educate individuals, businesses, and government entities about the importance of online safety and security. 

Over the years, this initiative has gained global recognition and participation, transcending national boundaries to become a truly international event. In 2012, the European Union Agency for Cybersecurity (ENISA) officially joined the campaign, further cementing its status as a global cybersecurity event. Many nations now have their cybersecurity awareness initiatives aligned with the global observance of Cybersecurity Awareness Month.  


Each year of the campaign brings a new theme, emphasizing different aspects of cybersecurity, and this year's theme is ‘Secure Our World’. Cybersecurity Awareness Month 2023 is promoting four simple steps to help users stay safe online. Their website states “By learning the four simple steps we can take to stay safe online at home, work and school, and sharing these tips with our community, we can all become significantly safer online.” These steps include: use strong passwords, turn on MFA, recognize and report phishing, and update software.  


A significant hallmark of Cybersecurity Awareness Month is its collaborative approach. Public and private sector organizations, cybersecurity firms, educational institutions, and government agencies join forces to promote cybersecurity awareness. This synergy has been instrumental in enhancing the campaign's reach and therefore, hopefully, its impact.

4 Reasons Why Cybersecurity Awareness Month Matters

  • Raising Cyber Literacy: In an era where digital literacy is as crucial as traditional literacy, Cybersecurity Awareness Month serves as an annual check-up on the public's cyber literacy. It empowers individuals to make informed decisions about their online activities.
  • Risk Mitigation: By promoting best practices and highlighting emerging threats, the campaign helps individuals and organizations identify and mitigate potential risks before they turn into serious cybersecurity incidents.
  • Adaptive Awareness: As cyber threats evolve continually, so do the strategies to combat them. Cybersecurity Awareness Month serves as a platform to educate the public about the latest threat landscape, ensuring that cybersecurity knowledge remains up-to-date.
  • Cyber Resilience: With the growing sophistication of cyber threats, organizations must build cyber resilience. The campaign educates businesses and governments on the importance of having robust cybersecurity policies and incident response plans in place.

Has Cybersecurity Awareness Month Made An Impact?

On a very recent call with a CISO from a multinational organization, I was told how Cybersecurity Awareness Month had failed. Upon pressing for reasons why, the CISO said “we are still making the same stupid mistakes we were 20 years ago”.

This refers to the fact that the tactics threat actors use to gain access to organizations' systems and data remain relatively similar to those of 20 years ago. Two base reasons for a significant number of major hacks in the last two decades remain the same. They are either low employee cybersecurity awareness or poor cybersecurity management.

Cases of low employee cybersecurity awareness include the creation and use of weak passwords that are easily hacked (Northern Irish Parliament breach in 2018) or employees clicking on links or attachments in phishing email campaigns (Yahoo breach in 2013).

Poor cybersecurity management has led to large data breaches, such as software being left unpatched and therefore not updated to counter threats (Equifax breach in 2017) or MFA not being deployed (Timehop breach in 2018). “The breach occurred because an access credential to our cloud computing environment was compromised. That cloud computing account had not been protected by multifactor authentication.”

These data breaches could have been avoided by following the four steps provided by Cybersecurity Awareness Month in 2023 to improve cybersecurity: use strong passwords, turn on MFA, recognize and report phishing, and update software.

So has Cybersecurity Awareness Month made an impact? You could argue that, due to its widespread coverage, it has helped create and reinforce a better culture of cybersecurity awareness, although if you speak to others, it hasn’t made enough impact. We are still making the same mistakes in 2023 as we did in 2003.

Figures and statistics show a significant increase in data breaches; however, this is hard to attribute directly to a failure in employee cybersecurity awareness or cybersecurity management, as the number of threat actors and campaigns against organizations has also increased. In the first half of 2023 alone, the number of email-based phishing attacks against small and medium-sized businesses surged by 464% compared to the previous year.

The Impact of Cybersecurity Awareness Month   

Cybersecurity Awareness Month has played a role in promoting cyber literacy and fostering a culture of cybersecurity vigilance. By emphasizing key principles like strong passwords, multi-factor authentication, recognizing and reporting phishing, and updating software, the campaign has armed individuals and entities with valuable knowledge to defend against cyber threats. You can download their 2023 Resources and Partner Toolkit here. 

However, in 2023, the question lingers: Has cybersecurity awareness increased enough to make a significant impact in reducing cybercrime? The persistence of certain attack vectors, like weak passwords and unpatched software, suggests that more work is needed. The dynamic nature of cyber threats means that the battle against cybercrime is ongoing, with a surge in both threats and sophisticated campaigns.