It’s October, and that means we are having the European Cybersecurity Month again. ECSM is the European Union’s annual campaign dedicated to promoting cybersecurity among EU citizens and organizations. To be completely honest, I do not remember it being much of a thing in previous years, but apparently, in 2020, cybersecurity awareness is much more important for the European Commission, and not without, ahem, a very big reason.
I have always had mixed feelings about the whole notion of “awareness”. On one hand, raising awareness is basically what we analysts do on a daily basis: spreading the word about new security challenges and innovative products that solve them is a major part of our job. On the other hand, it does not really help, does it? We still hear about major data breaches and ransomware attacks every day: I suspect that many people have long become completely desensitized to that news. Well, perhaps learning about the first death of a patient in a clinic hit by ransomware (in my city of all places!) was a notable and unfortunate exception…
So, what are we doing wrong? Are we not putting enough effort into cybersecurity awareness? Should we do it differently somehow? I wish I had a clear-cut answer to these questions… Alas, I don’t think anybody does. However, there are several points we could address. First and foremost, cybersecurity culture should obviously not be limited to a special month. Sufficient for the day is its own trouble, and if people are not constantly reminded of the dangers, they will forget and focus on more relevant aspects of their daily jobs.
Awareness should be about solutions, not problems
Another critical aspect is that awareness alone never amounts to much. People (and organizations) should learn not just about potential troubles: they need to be given concrete solutions for those. For cybersecurity, this includes not only specific security tools but also actionable recommendations: how to improve your computer’s security, how to defend against account takeover, how to prepare for a phishing or ransomware attack and where to seek assistance after being hit… Ideally, cybersecurity hygiene has to become a routine part of your daily life, like brushing your teeth or locking the front door.
One simple example: how many times have you heard about the dangers of using the same simple password across multiple online services? I’d argue that public awareness of the issue is very high, and yet the most popular password worldwide is still “123456”. How about suggesting a free password manager instead, like LastPass or Dashlane? In enterprise environments, of course, one should look for solutions with centralized management and additional capabilities, like Mateso Password Safe. Using such a tool completely changes your “password routine”, making re-using an old password more cumbersome than generating a fresh strong one each time.
Even better, of course, is activating multi-factor authentication whenever it is available. Alas, there is still no single convenient tool that supports all online services, but a combination of a hardware security key like a YubiKey and an authenticator mobile app like Authy will have almost all your bases covered. And by the way, forget about changing your passwords regularly and using security questions – these have long been proven useless and are no longer recommended by reputable organizations like NIST.
Awareness in times of Corona
The COVID-19 pandemic that forced so many people to work from home for months has also completely changed the scope of enterprise cybersecurity. For years, strict segregation of work and personal activities has been enforced by security and compliance policies, even under Bring Your Own Device (BYOD) policies. Nowadays, when so many employees resort to using their home PCs for remote work, this approach no longer works.
Even worse: the same devices are often used by remotely schooled children, blurring the line between home and work security even further and introducing new, unexpected challenges for corporate security departments. Will raising awareness among elementary school students help? Who is supposed to do this job: Teachers? Parents? Parents’ employers? Governments? Or maybe the companies that develop the software used for remote communications?
One thing is certain though: the situation is not going to sort itself out. I believe some kind of government-backed incentive is necessary, not just for providing consistent guidance and governance across industries, but for supporting private initiatives and sanctioning negligence. Awareness campaigns like ECSM are a useful first step in that direction, but other steps must follow soon.
In the meantime, the only sensible way to secure people working from home (including their families, because malware, like COVID, does not differentiate) is for organizations to expand the focus of their cybersecurity efforts beyond just BYOD. Cybersecurity Awareness Training should be an important, and perhaps the first, step in that direction. However, it has to focus on concrete, actionable, easily understandable guidance delivered in a way that actually makes people want to participate. A popular example of this approach is gamified phishing training: not only do people learn about the dangers of opening suspicious emails or clicking on unverified links, they are naturally incentivized to compete, learn more and apply their knowledge more often.
Expanding the scope of cybersecurity
However, organizations should not stop there. Securing their employees’ home devices should become a part of the corporate cybersecurity strategy. Of course, old-school tools like firewalls and VPNs are not suitable for such scenarios, but this is where security solutions delivered from the cloud come to the rescue. It is obvious that communications security (including not just email, but videoconferencing and online collaboration tools) should not differentiate between company-owned and personal devices. However, the same approach should apply to other fields as well, such as web security or endpoint detection and response. Even though such solutions are more “invasive” in terms of potential privacy issues, modern cloud-native products from companies like Akamai, Cisco or Zscaler offer a range of privacy-enhancing controls to overcome the compliance challenges.
Last but not least, government-issued guidance does not have to be your only source of expertise and best practices. Independent and strictly neutral research from industry analysts can be quite valuable as well, especially when it comes to selecting the most appropriate product for your specific risks and requirements. Check out KuppingerCole’s own research library and do not hesitate to reach out to us if you have questions.