What Cybersecurity Awareness Month is Missing: The Other 11 Months

Tuesday [October 1] marks the start of National Cybersecurity Awareness Month. While the designation is a clever way to highlight the need for greater vigilance in how we use technology, it’s nonetheless ill-advised. Cybersecurity shouldn’t be treated as a flavor of the month. We need to focus on it every day, for a simple reason: humans pose the biggest cybersecurity threat of all.

Today’s cyber threat environment is menacing, and it’s clear that we always need to be in a state of “high alert.” Hackers show no signs of retreat – and are becoming more aggressive and sophisticated. Earlier this year, hackers circulated a tranche of unique usernames and passwords numbering in the billions.

It’s tempting to believe that by developing more robust technology, we’ll be able to put the cyber thieves out of business. If only that were true. While security technology is much better than it was even just a few years ago, it nonetheless contains one major liability: it’s often only as good as the humans who use it.

Consider the disclosure in late July of a breach at Capital One, which affected about 100 million individuals in the United States. According to a Justice Department filing, the malicious actor, a Seattle hacker, breached Capital One through a misconfigured firewall caused by human error, and then exploited that misconfiguration.

In August, Facebook reported that it left a database containing 419 million records unprotected, without a password. As we examine the major breaches over the last several years – Target, Home Depot, Sony, Equifax – their initial point of vulnerability was access stemming from weak authentication; in other words, passwords that could be hacked.

These events, and others like them, are a reminder that while we can reduce and manage the number of cyber incidents, it’s unlikely we’re ever going to eliminate them. There are simply too many cyber bandits, and many of their weapons ultimately prey on the area of greatest vulnerability: human behavior. For example, more than 90 percent of all corporate breaches are a product of phishing emails.

That’s the backdrop to what the head of information security at a global infrastructure company recently told me. He said his top priority is not acquiring the latest and greatest cybersecurity technology. Instead, it is educating his workforce. He recognizes that employees are the most vulnerable access point for a breach. He has engaged the CEO, who regularly delivers company-wide messages stressing that everyone at the company needs to stay focused on cyber protections. He also works with his human resources department to incorporate cybersecurity education into employee on-boarding.

That’s a smart strategy. Companies need to focus on human behavior and make it the foundation for a reliable, powerful culture of security. Doing so will lead to an increased return on investment in technology by developing an educated and informed workforce.

Companies also need to recognize that a key component of security is resilience – and resilience does not mean rebuilding what you had, but learning from experiences, threats, and breaches so that you build for the future. Natural disasters provide a useful point of comparison. While the United States often rebuilds to the same specs as pre-disaster, the Dutch rebuild to withstand an event greater than the one that wreaked havoc in the first place. A similar approach should be taken for cyber events. Infrastructure should be developed to withstand anticipated future threats and events, based on what you have learned from your breaches.

Along the same lines, companies should measure cybersecurity success not just by the attacks they block. They should follow the lead set by a global financial company, where the head of information security recently told me that her main metric is not what her company prevents, but how effectively the company responds after a breach has occurred. Similar to the impact of natural disasters, the effects of a breach can play out over days, weeks, months, and years. Therefore, the effectiveness of a company’s response can be the difference between a demonstration of failure and a demonstration of preparedness, resilience, and success.

The good news is that companies have a growing awareness of the importance of their cybersecurity. But there is still a long way to go and a clear need to invest more in cybersecurity training, education, and awareness among employees. Companies need to ensure that everyone understands how one simple human mistake can put the entire company’s network at risk. Creating a culture of security should be a top corporate priority because cybersecurity is critical to the mission of every company, regardless of the primary functions of that company.

Human behavior is the foundation for security. That message needs to be delivered – and acted on – not just this month, but every month.