To help build enthusiasm for Cybersecurity Awareness Month in October, the National Cybersecurity Alliance (NCA) brought together a powerhouse of panelists on September 27 to talk about the changing landscape in cybersecurity over the past 3-5 years and how private citizens and public and private enterprises can use the month to better prepare themselves to combat threat actors looking to exploit them.
The NCA has partnered with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to help promote the month, which this year has the theme of "See Yourself in Cyber." Cybersecurity Awareness Month was first declared by President George W. Bush and Congress in 2004 to help individuals protect themselves online as threats to technology and data privacy became more commonplace.
This year's theme exemplifies that cybersecurity can be, and is, a complex subject, but it really comes down to people. People need resources, training, and education so the decisions they make at home, school, or work keep them and the public and private organizations protected.
For Amazon, cybersecurity is a top priority, said Jenny Brinkley, Director, Amazon Security, who was one of the webinar panelists.
"Security starts really at the beginning," Brinkley said. "Whether it's service teams building out products or frontline service team members dealing with missing packages or delivery updates, it's a balancing act so security is not a friction to innovation."
Brinkley was joined on the panel by Kate Charlet, Director for Data Governance, Google; Darren Shou, CTO, NortonLifeLock; Josh Jaffe, VP, Cyber Security, Dell Technologies; and Perry Carpenter, Chief Evangelist and Strategy Officer, KnowBe4. The session was moderated by Lisa Plaggemier, Executive Director at the National Cybersecurity Alliance.
The group all agreed that it's about building a culture of resiliency so that people know how to prevent and respond to cyberattacks—at work and at home. Creating awareness is not about making people afraid; it's about empowering people to take action, providing them with the right controls, good hygiene, and the needed tools.
With the world's events the past couple of years, Shou said that 65% of consumers have spent more time online. They are working from home, managing through the pandemic and looking for vaccination info. "Criminals leverage all of it, exposing people to scams," he said.
For Charlet, the 2009 Operation Aurora cyberattack on Google was a watershed moment for the company. "These moments highlight the new actions that need to be taken," she said, including updating legacy software, for instance.
A lot of changes were made after Operation Aurora, and Charlet said Google will have an exciting announcement next month to coordinate with Cybersecurity Awareness Month.
The panelist also agreed that increased cybersecurity awareness and action at home leads to better security awareness at work—and vice versa. Education is key, and that means not making examples of folks that are breached (and who may be embarrassed to admit it), but using those as opportunities to educate and help others.
"It starts with building products that are secure by default; they need to be built-in and not just bolted on," Google's Charlet said. "It's about prioritizing secure software-building practices. Every day cybersecurity should be as easy to grasp and implement as physical security is. You don't share your PIN number with a stranger or leave your car unlocked."
Another theme touched on in the webinar was to make awareness education easy, like you're talking to a teenager:
- "I like to think about how I explain this to my own family," Shou said. I'd tell my daughter that it is like locks and deadbolts; that is, let's make sure we do the basics to lock down things. And then also that if you want your journal secret, be careful about where you keep it and travel with it—that is, to be thinking about it carefully. In other words, I think we need to relate to each person and role so that we meet them where they are."
- "I feel we all know and can quickly recognize a life jacket, or a road flare, but when it comes to basic security tools, they all come in different flavors and types, and this can be daunting to a layman who is trying to dip into these waters." (comment from webinar attendee)
- "Totally agree, and it can be overwhelming on how to build the right training and the right resources at the right time," Brinkley said. "I think it's also about how we are developing our intuition here, too. For example, how do we discern when an email may be phishing; how do you know what to do and what not to do?"
CISA and NCA are focusing on four key areas this October:
- Enabling multi-factor authentication (MFA)
- Using strong passwords and a password manager
- Updating software
- Recognizing and reporting phishing
For more on Cybersecurity Awareness Month, visit these resources: