First, the positive: 78 percent of people consider staying secure online a priority.
At the same time (and in the gray area), 57 percent of the population say they are worried about cyber crime.
Now the more challenging news with action items for the technology and cyber industries: 46 percent of end users feel frustrated with staying secure online, and 39 percent feel that information on how to stay secure online is confusing. Finally, 43 percent of respondents had never heard of multifactor authentication.
2023 CYBERSECURITY AWARENESS MONTH: KEEP MESSAGING SIMPLE AND POSITIVE
In response to this data and other industry trends, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (home to Staysafeonline.org) are trying to simplify this year’s awareness month messaging while keeping it positive.
The theme for October 2023 is “It's easy to stay safe online.”
Cybersecurity Awareness Month 2023 will focus on four key behaviors all month long:
- Enabling multifactor authentication
- Using strong passwords and a password manager
- Updating software
- Recognizing and reporting phishing
The goals for this year are to make actionable steps positive, approachable, simple and back to basics.
EXAMPLES, PLEASE
Recently, I saw this headline: "Phishing scams targeting small business on social media including Meta are a ‘gold mine’ for criminals." Here is an excerpt:
“Take it from Pat Bennett, an entrepreneur who sold granola in the Cleveland area and got about half of her sales through Instagram. The business was already under pressure from the rising cost and availability of sweeteners and oats when her business Instagram page, Pat’s Granola, came under attack.
“The attack looked innocuous. Bennett received a message on Instagram from a small-business owner she knows personally. Using a link, her acquaintance asked Bennett to vote for her in a contest. It was a legitimate contest, and it wasn’t unusual for Bennett to communicate with people on Instagram Messenger. As it turned out, it was an attack that went to everyone in her contact’s address book. Bennett lost control of her Instagram and Facebook accounts and hasn’t regained access, despite using all the channels Meta recommends.
“With help, she was able to track the IP addresses to Europe, but that wasn’t enough to avoid a worst-case scenario. Bennett received a letter saying she could regain control of her accounts if she paid close to $10,000. She declined to pay the ransom and had to start all over again.”
One of the things I find most interesting about this story is that it easily could have happened a decade ago (with the possible exception of the name "Meta").
Phishing challenges have been around for years, and here are just a few of the examples from this blog over the past decade:
2013: States' top cyber challenge remains spear phishing
2015: What to Do About Phishing?
2016: Beyond Spear Phishing: How to Address Whaling and More
2016: How to Respond to Social Engineering Incidents
2018: Phishing Scams Targeting Pastors: Who’s Next?
2020: How Is COVID-19 Creating Data Breaches?
To bring this back to 2023, earlier this month Government Technology ran this story: New Haven, Conn., Tightens Cyber Controls After $6M Loss
ONLINE SAFETY FOR KIDS TOO!
Here are seven tips to help your children stay safe online from Twinkl.com:
- "Apart from letting a parent or guardian know, never share your password with anyone. We recommend creating a strong and long password so no one can guess or hack into your accounts.
- "Never download a file or software online without permission from a parent or guardian. Many attachments, files and software products may seem fine but can actually contain harmful malware viruses that are bad for your device. If in doubt, check with an adult.
- "Use an anti-virus program and keep your devices secure from any potential threats.
- "Have a parental lock on your devices or any websites that are not suitable for kids.
- "Be wary of the people you talk to on social media. Not everyone is who they say they are on the Internet. For this same reason, never meet up with someone you have met on the Internet without a chaperone or your parent’s or guardian’s permission.
- "Don’t believe everything you read online is 100 percent factual. “Fake news” is common on the Internet, with many people, outlets or websites spreading false information. Double check with adults or other sources, such as in a library, about what you are wanting to research or learn more about."
OTHER HELPFUL RESOURCES FOR CYBERSECURITY AWARENESS MONTH 2023
Here are some other great resources to help your organization get the word out on staying safe online in 2023:
CISA Resources: https://www.cisa.gov/cybersecurity-awareness-month
Great TED Talk by Parham Eftekhari: https://www.ted.com/talks/parham_eftekhari_are_you_our_best_hope_for_cybersecurity
CYBSafe: Cybersecurity Awareness Month — Inspiration unlocked: 47 Cybersecurity Awareness Month ideas for 2023
FINAL THOUGHTS: BACK TO BASICS IS A GOOD IDEA
As someone who has held enterprise roles as a state government enterprise CISO, CTO and CSO, as well as agency CIO, I certainly agree that this simplicity messaging is on track. During the years I worked as the CISO and chief strategist for security awareness company Security Mentor, we heard similar feedback regarding the importance of simple messages: brief, frequent and focused content delivered in a fun way that was engaging and relevant.
I also agree that there are practical steps that everyone can take to protect themselves online, and we need to get that word out. Most people want you to teach them things they don't already know to improve online security.
My only fear with this 2023 approach is that some cyber attacks are in fact hard to detect and stop. As it's put in the recently released National Cybersecurity Strategy, “Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors’ choices can have a significant impact on our national cybersecurity. A single person’s momentary lapse in judgment, use of an outdated password or errant click on a suspicious link should not have national security consequences. Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens.”
Nevertheless, as we think about what each front-line user needs to hear and do, I agree that we need to make online security easier to understand and make it clear how to act.