Does Cybersecurity Awareness Month actually improve security?

Does Cybersecurity Awareness Month actually improve security?

October is Cybersecurity Awareness Month, formerly known as National Cybersecurity Awareness Month. The idea is to raise awareness about cybersecurity, and provide resources for people to feel safer and more secure online.

The month is a collaboration between the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA) and it focusses on four themes, in turn: “Be Cyber Smart”, “Phight the Phish”, “Explore. Experience. Share”, and “Cybersecurity First”. Some of these are perhaps a little interchangeable or vague, but it’s certainly a dedicated effort. The questions is, is anybody listening?

Cybersecurity Awareness Month is a fixture of the calendar now, as are Data Privacy Day, World Password Day, and a host of other well-intentioned privacy and security themed events. There are so many of them now, and they come around so often, that some of the Malwarebytes Labs team were feeling a little jaded about this month’s event.

So, in the spirit of the event’s first theme, “Be Cyber Smart”, we asked two of our Malwarebytes Labs blog team, Chris and Jovi, whether the smart thing to do was forgot about it altogether.

The pros and cons of awareness campaigns

Jovi: I don’t see that anyone can have a problem with events such as this. It’s good to have regular reminders about our responsibility to keep ourselves and our families safe. It’s also a good opportunity to learn something new about security and privacy.

Chris: I mean, are they really learning something new? From experience, the content in these events doesn’t tend to differ much from year to year. A lot of it is the same basic information you see on mainstream news reports, or blogs. I’ve been involved with events like this since 2005, and one time at a panel with reps from the FTC and the NYAG…

(several minutes of completely unrelated factoids from the dawn of time follow)

Jovi: …I’m surprised that didn’t end with you tying an onion to your belt.

Chris, oblivious to onions: If it was worthwhile, you’d think there’d be some tangible, visible improvement in security by this point. Or at least a bunch of people saying “Wow, that ‘event-name-goes-here’ really helped me with this one problem I had. Hooray for ‘event-name-goes-here’.

Jovi: True, but then again, not everyone sees every relevant news report or even reads blogs. Some people get a lot of their security information from sources like Twitter, direct from infosec pros. Who then end up directing them to events like this anyway. There’s always a churn of new people who haven’t seen any of this before, so I don’t think it’s a problem to repeat some of the basics every year. Not everything has to be groundbreaking. If it’s easy to understand and helpful, that’s okay too.

Chris: Possible, but I also think many people have burnout from this kind of thing. How many times can you hear a major event, backed by Homeland Security, say “watch out for suspicious links” before you start to demand something a bit more involved? Admittedly, we don’t know what specifically is going to be covered during the month itself yet. It might be a mix of basic information and more complicated processes, which would be great! Another major event saying “don’t run unknown files”, though? Do we really need that? Or is there still a place for it?

Jovi: I once again direct you to “a churn of new people who haven’t seen any of this before”.

Chris: Ouch.

Jovi: You may be right about the fatigue aspect, though. I imagine it’s likely very difficult for anyone to really care that much about a month-long event. If you’re directly involved in some way, then fine. If you’re one of the many random people it’s aimed at? I think it’s probable they simply won’t care very much by week 3.

Chris: It may also be exacerbated if the thing they really want to do or look at happens during the final week. Will they even remember to go back by the tail-end of October to check it out?

Jovi: This is where the web resources for the event will be crucial, alongside lots of activity on social media. Handy little reminders to go back and check it out will work wonders.

Chris: Might work wonders.

Jovi: Ouch.

Chris: One novel thing I’ll definitely highlight is that they’re doing a whole bit about careers in tech. This is good. Not every event does this. There’s a lot of resources available and the opportunity for security companies, researchers, and anyone else to give tips on how to break into the industry. This will be particularly helpful for students about to graduate, and people thinking about a change in career.

Jovi: I’m mostly interested in the phishing week. You can’t go wrong with phish advice, especially when so many people are still working from home and potentially isolated from their security teams.

Chris: Is that any better than any other event doing a phish week though?

Jovi: It certainly doesn’t hurt to have them. I reckon big organisations and governments saying “we’re interested in this and you should be too” ultimately helps more than it hurts. We’d definitely feel their absence.

Chris: I’ll give you that. I’m not 100% convinced these events are making as much impact as some may think. This is what, the 18th one of these now? I’d be interested to know what the organisers think about how successful they are, what difference they’ve made. Even so, you’re likely right that we’re better served by having them than not at all.

Jovi: Amazing—did we finally agree?

Chris: Yes, please inform the DHS I’ve given permission for the event to go ahead.

Jovi: I’m sure they’ll be relieved.

Chris: This somehow feels like sarcasm.

Jovi: Definitely not.

Winding down

Whether you think events like this are a big boon to security discourse or too much like repeating ourselves for diminishing returns, they’re here to stay. We can all play a part in ensuring these annual reminders stay relevant. Whether you’re flying solo at home, an organisation, a security vendor, an SME, or a collection of interested students? Get involved!

Let the organisers know what you’d most like to see—if not at this event, then perhaps the next one. If these awareness campaigns exist in a vacuum, they’ll assume they’re getting everything right. Let’s help them along to fix the bits we’re not sure about and make it work for everyone.