Cybersecurity Awareness Month
October is Cybersecurity Awareness Month
The line between our online and offline lives is indistinguishable. In these tech-fueled times, our homes, societal wellbeing, economic prosperity, and nation's security are impacted by the internet.
The overarching theme for Cybersecurity Awareness Month 2021 is "Do your part. #becybersmart." The theme empowers individuals and organizations to own their role in protecting their part of cyberspace. If everyone does their part - implementing stronger security practices, raising community awareness, educating vulnerable audiences, or training employees - our interconnected world will be safer and more resilient for everyone.
Week 2: Fight the Phish!
Why reporting has become so critical to organizations
Over the past 10 years, we've seen phishing top the charts as the primary threat to organizations when it comes to data breaches. With this increased visibility, not only are auditors and regulators asking organizations about their plan to defend against this threat, but so are boards of directors. Increasingly, organizations are adding phishing simulation training to their security awareness programs to prepare their employees to spot the phish. We've also increasingly seen organizations encouraging their employees to report suspicious email. Reporting has become critical not only internally, where employees report suspicious email; many customer-facing organizations also provide instructions for their customers to report a potential phishing email.
But why has reporting become so crucial to defending against threats? Threat actors are constantly tuning their tactics to bypass the security controls organizations implement to keep them from gaining a foothold in the organization's infrastructure. It's a game of cat and mouse. When security teams get insight into what tactics are being used, based on indicators of compromise (IOCs), they can shorten the window in which a potential incident can occur. We often hear "it only takes one to click," but at the same time, it only takes one person reporting that suspicious email to alert the security team that something's brewing. We see evidence of the positive impact of reporting in the annual M-Trends report, which shows a significant decrease in median dwell time over the past 10 years.
What can you do?
If your organization has a security awareness program, incorporate phishing simulation training to ensure your users can experience phishing in the exact place they'll see a real threat. If you've already taken the call to action to implement a program, ensure you've given users the tools to report: an easy button! It's also critical to use phishing templates that resemble the same types of threats that are landing in their inboxes after making it past your secure email gateway (SEG). It's important to focus your program metrics on the number or percentage of users reporting the email. If your organization allows your consumers to create an account, ensure you provide them with instructions on how to report a suspicious email.
As we use our mobile devices more and more, it's not surprising that we've seen an increase in SMS phishing (smishing) attempts. A vast majority of these are an attempt to get you to log into the sender's site so your credentials can be stolen. Threat actors target your personal credentials to attempt to gain access to your banking, personal email, or social media accounts. Just as it is important to report phishing attempts, reporting a smishing attempt alerts the telecom providers so they can take action against these threats. We need to make it really noisy for the providers so they take action.
How to report smishing
- Forward suspicious SMS messages to 7726
- When you receive a spam text message on your phone, forward that text to the short code 7726, which spells "spam"
- You'll then receive an automated message from your wireless carrier asking you to enter the phone number from which the spam text was sent
Cybersecurity Awareness Month was launched by the National Cybersecurity Alliance and the U.S. Department of Homeland Security (DHS) in October 2004 as a broad effort to help all Americans stay safer and more secure online.
When Cybersecurity Awareness Month first began, the awareness efforts centered on advice like updating your antivirus software twice a year, mirroring similar efforts around changing batteries in smoke alarms during daylight saving time.
Since the combined efforts of the National Cybersecurity Alliance and DHS have been taking place, the month has grown in reach and participation. Operated in many respects as a grassroots campaign, the month's effort has grown to include the participation of a multitude of industry participants that engage their customers, employees, and the general public in awareness, as well as college campuses, nonprofits, and other groups.
Between 2009 and 2018, the month's theme was "our shared responsibility." The theme reflected the role that we all, from large enterprises to individual computer users, have in securing the digital assets in our control.
In 2009, DHS Secretary Janet Napolitano launched Cybersecurity Awareness Month at an event in Washington, D.C., becoming the highest ranking government official to participate in the month's activities. In subsequent years, leading administration officials from DHS, the White House, and other agencies have regularly participated in events across the U.S.
In 2010, the kickoff of Cybersecurity Awareness Month also included the launch of the "stop. think. connect." campaign. This year, Governor Kemp's proclamation for the month includes "stop. think. connect." as the state's cybersecurity education and awareness message.