It’s October, so that means it’s that time of year. No, not Halloween. It’s Cybersecurity Awareness Month which means reminders about how important it is to be aware of cybersecurity threats.
You’ve likely seen warning from HR about some of the most common cybersecurity issues you need to be aware of – things like phishing attacks and the importance of using a strong password or maybe even multi-factor authentication (MFA) if the organisation has it in place.
Providing people with useful advice on how to stay safe online – both at work and in every other aspect of everyday life – is a good thing. There’s always going to be a race between software companies and hackers when a new security flaw is discovered, to see whether the vendor can fix it before the hackers can exploit it. But giving people even basic advice about how to protect themselves from attack will go a long way towards stopping breaches.
And of course, cybersecurity awareness isn’t something which only needs to be pointed out for one month a year, especially months down the line. And the way some businesses choose to make people aware of cybersecurity by using fear isn’t helpful either.
The reality for many organisations is that their users are the first and often last line of defense against cyber attacks. But if they haven’t been properly informed about what constitutes being safe online that could leave everyone vulnerable.
It’s certainly the case that if someone clicks through a convincing phishing link which claims they need to enter their password to view content, or if someone downloads what they believe is a legitimate attachment, but it contains a trojan malware backdoor, they could cause big problems for their organisation.
Scams can be hard to spot, including ‘urgent’ requests from the boss which are actually business email compromise (BEC) attacks used to steal money, or false alerts that someone has hacked your account and you should follow a link to restore it – a link which will actually steal your password. Crooks are even using lures based around the cost-of-living crisis to dupe people into falling victim to attacks.
Also: Want to boost your cybersecurity? Here are 10 steps to improve your defences now
For many professionals, opening email attachments and clicking links, even from unfamiliar senders, are part-and-parcel of their work. And there’s so many of them that something is bound to slip through eventually.
Cybersecurity month is a good start, for sure, but both cybersecurity teams and management need to make sure that the useful advice and support is available all year round. And the focus on cybersecurity should reach, or even start with boardroom.
Also: Your biggest cyber-crime threat has almost nothing to do with technology
And it’s also worth remembering that creating distrust with misleading phishing tests or blaming victims for falling for tests doesn’t help anyone.
In a recent interview with ZDNET, Google’s Red Team lead said that victim blaming isn’t a thing when they’re testing security. For them, when conducting offensive security tests like malicious hackers would, it isn’t about who clicks the link, it’s about finding out what works and how to prevent attackers from taking advantage of those same exploits.
There’s a lesson to be learned there on how to really do cybersecurity awareness – it’s about ensuring that your employees are aware of the threats that are out there and that they’re being protected from them.
But it needs to be done with empathy – pointing the finger of blame helps nobody. If somebody thinks they’ve clicked a real phishing link but doesn’t mention it because they’re worried about the consequences for their job that could mean big problems for any organisation.
Scaring people into being aware about cybersecurity issues for one month a year isn’t going to work – but providing guidance and advice all year round will improve cybersecurity for everyone.
ZDNET’S MONDAY OPENER
ZDNet’s Monday Opener is our opening take on the week in tech, written by members of our editorial team.