Fall is a time defined by yearly rituals. For some of us, that means breaking out our favorite knit sweaters, indulging in pumpkin-flavored everything, or — in the immortal words of George Costanza — "shifting into soup mode."
The information security world has its own autumnal observance: National Cybersecurity Awareness Month (NCSAM), promoted each October by the Cybersecurity & Infrastructure Security Agency (CISA). To kick off the 2021 edition, we're giving an overview of this year's themes and offering some ideas to help security professionals make the most of a whole month devoted to their practice.
What's it all about?
The stated goal of NCSAM is "to raise awareness about the importance of cybersecurity across our Nation, ensuring that all Americans have the resources they need to be safer and more secure online." Given the growing threat of ransomware and the increased prevalence of high-profile, high-impact data breaches, this year's installment serves as a much-needed call to focus our collective efforts on security issues.
The numbers bear out the need to shift our combined attention toward security. A stunning 18.8 billion records were breached in the first 6 months of 2021. That's 2.37 records per individual person living on planet Earth today. In the first half of this year. And of course, these are just the statistics for reported breaches.
We live in a time when digital security is everybody's business — so it may come as no surprise that CISA's goal with NCSAM is correspondingly broad and user-centric. The weekly themes for NCSAM 2021 are all about generating smarter and sturdier end-user awareness:
- Week 1 (10/4-10/10): Be Cyber Smart
- Week 2 (10/11-10/17): Phight the Phish!
- Week 3 (10/18-10/24): Explore. Experience. Share. – Cybersecurity Career Awareness Week
- Week 4 (10/25-10/31): Cybersecurity First
These themes reflect important priorities for cybersecurity awareness. More than 1 in 3 data breaches involves phishing, after all. And given the deepening cybersecurity skills gap, we can all appreciate the push to encourage more people to pursue careers in infosec.
That said, CISA's focus with these themes is to spread awareness of security concepts among non-expert end users. If you're an infosec professional, what does NCSAM mean for you?
A practitioner's approach
For cybersecurity and IT pros, NCSAM presents an opportunity to ensure the non-technical team members at your organization have the basic knowledge and tools they need to maintain security best practices in their day-to-day business activities. October is a good time to:
- Remind employees how to spot phishing attacks, and explain what to do if they believe they've received a phishing email
- Ensure universal adoption of two-factor authentication for accessing company applications
- Emphasize the importance of consistent OS and application updates to keep patches up to date
- Hold a review session of your company's acceptable use policy for devices, and allow users to ask questions
CISA has put together a wealth of resources that you can use throughout National Cybersecurity Awareness Month to spread security knowledge across your organization. They include ideas for having these conversations with everyone from individual team members to C-level stakeholders and even customers.
Of course, fall is also about transitions — soup-appropriate temperatures are a reminder that winter's coming and there's a new year ahead. That means NCSAM is also a great opportunity for infosec practitioners to reflect on the successes and challenges of 2021 and consider what next year's cybersecurity priorities will look like.
Throughout October and into the holiday season, we'll be publishing a range of content about how to prepare your cybersecurity program for 2022. We'll cover topics like:
- Moving toward cybersecurity maturity as an organization
- Tackling the ongoing threat of supply chain risk
- Considering a zero-trust model for your organization
- Embracing a security-first culture and getting executive buy-in
Check back with us throughout this month and through the end of the year for more content on these and other cybersecurity planning topics to help you get ready for 2022.