October is CyberSecurity Awareness Month. Many CISOs might argue that every month should be so designated, given the importance of cybersecurity. But in any case the campaign serves as a good reminder that organizations need to enhance employees’ awareness of the multitude of threats and vulnerabilities that can lead to damaging attacks. This is true not only for large, global enterprises, but for small and mid-sized businesses (SMBs) as well.
Observed every October, Cybersecurity Awareness Month was created as a collaborative effort between government and the private sector to ensure that all Americans have the resources they need to stay safer and more secure online. Making people aware of the risks they might face is a key part of the efforts.
Since its inception in 2004 under leadership from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Agency (CISA) and the National Cyber Security Alliance (NCSA), the effort has steadily grown in scope, reaching an audience that includes SMBs and even consumers nationwide.
The theme for this year’s awareness month is “Do Your Part. #BeCyberSmart,” encouraging individuals and organizations to own their role in protecting their part of cyberspace, stressing personal accountability and the importance of taking proactive steps to enhance cybersecurity.
“If everyone does their part—implementing stronger security practices, raising community awareness, educating vulnerable audiences, or training employees—our interconnected world will be safer and more resilient for everyone,” the government organizations noted.
For the 2021 iteration of CyberSecurity Awareness Month, CISA and NCSA are focusing on a particular area each week in their promotions and outreach: Be Cyber Smart; Phight the Phish; Explore. Experience. Share; and Cybersecurity First.
Making cyber awareness a priority
While this cyber awareness initiative is largely driven by the government, private industry including SMBs should not be passive bystanders. There are steps smaller companies can take to bolster their own cybersecurity programs and therefore contribute to the overall improvements in protecting data everywhere.
One of the most important steps is to make cybersecurity a priority from the highest levels of the organization and create a culture of cyber awareness. That means everyone from the CEO/owner on down must take personal responsibility for protecting systems and data.
As NCSA noted, “every individual should own their role in protecting their information and securing their systems and devices. There are many steps individuals can take to enhance their cybersecurity without requiring a significant investment or the help of an information security professional.”
This is especially important with so many employees still working from home or other remote sites, and using their own devices to connect to their organizations’ networks.
If a company has a board of directors, that group should play a key role in emphasizing the importance of cybersecurity. A significant data breach could impact the financial viability of a small business. If board members don’t realize this and take steps to help promote data protection, then maybe the company needs to appoint a new board.
It can’t be emphasized enough. A big part of developing a good cybersecurity culture is training or retraining all employees so that they can recognize the signs of an attack before it’s too late. Yes, this is an added expense for companies and a hassle for some workers. But failure to train employees well could result in a ransomware attack that ends up costing much more in terms of lost business, downtime, damaged brand reputation, regulatory fines, legal fees, etc.
People should be trained on how to create strong passwords, use multi-factor authentication, recognize and avoid social engineering, share data only in secure ways, keep their systems up to date with patching, back up data, practice the safe use of mobile devices, and other areas.
One area where training can be especially valuable is in preventing phishing attacks. As the federal government has noted, phishing attacks and scams have thrived since the pandemic began in 2020, and today account for a large majority of reported security incidents.
Employees need to be taught how to evaluate emails, text messages, and chat boxes that come from an unknown or unexpected source, and to avoid clicking on any suspicious links or opening attachments. They also should be instructed to report suspicious emails to the IT or security department.
As part of the phishing awareness and training program, periodically testing user's ability to identify and avoid interaction with illegitimate emails will demonstrate that they retained the material from the cyber awareness training program.
Zero trust architecture
SMBs should also consider adopting a zero trust architecture regarding security. With zero trust, all systems, devices, and users are not to be trusted by default, even if they’re connected to the company’s network and have been verified. It differs from the traditional approach to security, in which devices within the network perimeter are trusted. But this method is no longer as effective given today’s highly distributed IT environments.
Deploying a zero trust architecture strategy means checking the identity and integrity of all devices, and providing access to applications and IT services based on confidence in the identity and integrity, as well as user authentication.
The Executive Order on Improving the Nation’s Cybersecurity, announced by the White House in May 2021, called on federal government agencies to advance toward a zero trust architecture as part of cybersecurity modernization efforts.
Implementing a strong cybersecurity awareness program can seem overwhelming to small and mid-sized companies. But there are plenty of resources available to help, including many managed security services providers and consultancies, as well as resources related to CyberSecurity Awareness Month. The effort will be well worth it, considering how much is at stake.
Learn more ways that SMBs can prevent and mitigate cyber threats.
APT hackers for hire whitepaper
Ransomware mitigation use case demo
Threat landscape report